[Pmwiki-users] unix crypt passwords vs. md5 hash

Kass Lloyd raekwon
Tue Apr 20 13:18:47 CDT 2004


This topic was brought to my mind when I installed Pmwiki on a machine
running PHP as a CGI instead of an Apache module. The unix crypt feature
apparently is broken for CGI implementations of PHP, including the most
recent version of PHP4.

Pmwiki should be modified to support md5 hashes for the passwords as a
config option, and most likely make this type of passwords default. The
md5() function has been available in PHP since PHP3. And with the newest
version of Pmwiki requiring PHP 4.1.0 or higher all installs of Pmwiki
will have the md5() function available. Also the md5() function
functions the same no matter how PHP has been installed or what system
it is installed on. This would provide wiki data files to be of the
maximum compatibility for whatever system the wiki data has to be moved
to.

The changes necessary for this are minimal and wouldn't require much in
the way of development time. The benefits gained from using md5() are
many.

For those who feel the md5 hash algorithm isn't very secure, please note
that on many systems crypt() uses md5 and the RSA alternative is less
secure than md5. PHP also provides the function sha1() in PHP versions
PHP 4 >= 4.3.0, which is cryptographically more secure than md5. This
function has the exact same functionality as md5() so substituting it in
the PHP code for md5(), or even providing built-in support for sha1()
and md5() would be beneficial.

But on any internet system where passwords are sent "in the clear" it
makes little or no difference how the passwords are encoded server-side.

Thank you for listening to my tiny idea. :)

Kass
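
Added example, not part of the original message and not PmWiki code: a PHP verifier that accepts both crypt()-format values and bare md5()/sha1() digests, which is what a config option like the one proposed above would have to handle for existing data files. It assumes PHP 5.6 or later (for hash_equals()); the function names and the sample password are constructed for illustration.

```php
<?php
// Added illustration, not PmWiki code; function names are hypothetical.

// Classify a stored password value by its format.
function stored_hash_kind(string $stored): string
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return 'md5';    // bare hex digest from md5()
    }
    if (preg_match('/^[0-9a-f]{40}$/i', $stored)) {
        return 'sha1';   // bare hex digest from sha1()
    }
    if (preg_match('#^\$[0-9a-z]+\$#i', $stored)
        || preg_match('#^[./0-9A-Za-z]{13}$#', $stored)) {
        return 'crypt';  // modular "$id$..." format or 13-character DES crypt
    }
    return 'unknown';
}

// Check a plaintext password against a stored value of any known kind.
function verify_password(string $plain, string $stored): bool
{
    switch (stored_hash_kind($stored)) {
        case 'md5':
            return hash_equals(strtolower($stored), md5($plain));
        case 'sha1':
            return hash_equals(strtolower($stored), sha1($plain));
        case 'crypt':
            // crypt() reads scheme and salt from $stored; the result depends
            // on which schemes the local PHP build supports.
            return hash_equals($stored, crypt($plain, $stored));
        default:
            return false;
    }
}

// Constructed sample data: one password stored three ways.
$samples = [
    md5('example-pass'),
    sha1('example-pass'),
    crypt('example-pass', '$1$constrct$'),
];
foreach ($samples as $stored) {
    printf("%-6s ok=%s bad=%s\n",
        stored_hash_kind($stored),
        var_export(verify_password('example-pass', $stored), true),
        var_export(verify_password('wrong-pass', $stored), true));
}
```

The md5() and sha1() values carry no salt, so two accounts with the same password get identical stored values, while a crypt() value embeds its salt.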





