View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0022839||mantisbt||authentication||public||2017-05-06 17:25||2023-02-27 05:22|
|Summary||0022839: Deprecate MD5 login method and replace with BCRYPT hash|
For many years, Mantis has been using MD5 as the default and "best" hashing algorithm to store users passwords in the database.
Since 2.x requires PHP 5.5.9, we can now use the password_hash() function, which relies on the modern and safe BCRYPT hashing algorithm for better security.
This basically makes several old issues in the tracker that aimed at replacing MD5 by SHA1/SHA256 obsolete, including 0010172, 0011250 and possibly others as well.
|Tags||No tags attached.|
|related to||0010172||closed||dregad||Passwords in SHA256 using a static salt|
|related to||0011250||closed||dregad||Allow SHA1 passwords|
|has duplicate||0026085||closed||dregad||Support stronger authentication w/ schema changes|
|related to||0012957||assigned||dregad||Password stored md5-unsalted in database when LDAP authentication is enabled|
We appreciate your efforts on this project, and understand that you haven't been able to integrate this patch into the project yet. We would like to know if there is something that we can do to encourage you to find time to fix this serious issue. How do you feel about a significant bounty here: https://www.bountysource.com/issues/56540151-deprecate-md5-login-method-and-replace-with-bcrypt-hash ?
We are willing to contribute $500 USD for a released fix by the end of 1Q 2019. We would also encourage others to contribute as well. If some other mechanism works better for you, please let us know.
I'd love to see this fixed too. Could contribute at least $100 USD also.
Seems this bug got some press today: