Deprecated Hash Function
3 posts by 2 authors in: Forums > CMS Builder: Plugins & Add-ons
Last Post: Saturday at 1:42am
By ht1080z - November 28
Hi,
After a recent PT where our web-app was tested we got some security remediation.
Deprecated Hash Function: Both the SHA-1 and MD5 methods are deprecated, and should no longer be used for hashing.
Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management. Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.
Is there any plan to replace the hash function in the cmsb/membership?
By Dave - November 29
Hi ht1080z,
Since v3.72 we've used Bcrypt (latest standard) to hash passwords. So if you can upgrade to v3.72 or newer you should be fine.
Any use of md5 or sha1 is only for non-security-related functionalities such as checksums, data integrity verification, or legacy support (verifying an old or imported account one time before rehashing the password in Bcrypt).
But let us know if we can do anything to help you pass the pentest. We can swap out more of the checksum code in future to use something else so it generates fewer false positives.
interactivetools.com
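Dave's reply describes the two things a remediation like this actually asks for: new passwords stored with a salted, adaptive hash that has a work factor, and legacy MD5 records verified once at login and then rehashed. The block below is an added illustration of that migration pattern, not CMS Builder's own membership code. It uses PBKDF2-HMAC-SHA256 from Python's standard library (one of the four algorithms the finding names; bcrypt needs a third-party package) with an assumed iteration target, a self-describing record format I made up for the example, and constructed sample accounts. In PHP the same flow maps onto password_hash, password_verify and password_needs_rehash.

```python
import base64
import hashlib
import hmac
import os

# Work factor for new hashes (assumed target for this example).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def make_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing salted record: algo$iterations$salt$digest (example format)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_hash(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record is not PBKDF2 or its work factor is below the current target."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < PBKDF2_ITERATIONS


def legacy_md5_matches(password: str, stored_md5_hex: str) -> bool:
    """One-time check of an unsalted MD5 record imported from an older system."""
    candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, stored_md5_hex.lower())


def login(user: dict, password: str) -> bool:
    """Authenticate; on success, upgrade legacy or under-strength records in place."""
    if user["hash_algo"] == "md5":
        if not legacy_md5_matches(password, user["password_hash"]):
            return False
        # Legacy match: the cleartext is in hand, so replace the MD5 record right now.
        user["password_hash"] = make_hash(password)
        user["hash_algo"] = "pbkdf2_sha256"
        return True
    if not verify_hash(password, user["password_hash"]):
        return False
    if needs_rehash(user["password_hash"]):
        # Correct password with an old work factor: re-hash at the current target.
        user["password_hash"] = make_hash(password)
    return True


# Constructed sample records for the example (not real accounts).
def sample_legacy_user() -> dict:
    return {"username": "alice", "hash_algo": "md5",
            "password_hash": hashlib.md5(b"correct horse battery staple").hexdigest()}


def sample_weak_pbkdf2_user() -> dict:
    return {"username": "bob", "hash_algo": "pbkdf2_sha256",
            "password_hash": make_hash("hunter2!", iterations=1_000)}


if __name__ == "__main__":
    u = sample_legacy_user()
    print("wrong password accepted?", login(u, "wrong"))
    print("correct password accepted?", login(u, "correct horse battery staple"))
    print("record is now:", u["hash_algo"], u["password_hash"][:28] + "...")
```

The MD5 comparison is the only place the deprecated function is still called, and only to confirm an imported credential before it is thrown away; once every account has logged in (or been reset), that branch can be deleted, which is the point a pentester checks for when md5() still appears in the code base.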