[Bug 28419] Replace MD5 password hashing with WHIRLPOOL

Fri, 30 Mar 2012 14:05:03 -0700 

https://bugzilla.wikimedia.org/show_bug.cgi?id=28419

--- Comment #30 from Daniel Friesen <mediawiki-b...@nadir-seen-fire.com> 
2012-03-30 21:04:59 UTC ---
What are you talking about?

The use of statics seams perfectly in line with the way we use them in other
places of core. Just look at SpecialPage, SpecialPageFactor, Html, Linker,
MWCryptRand, etc...

The password system was designed that way to simplify the implementation of
common password types while remaining flexible enough for implementations that
don't follow the common : pattern to be implemented.

Additionally I kept in mind the fact that we are going to want to be able to
setup and teardown these classes easily so that we can add unit tests of this
password system to ensure that there are never any regressions that suddenly
cause all passwords to be invalid, or even worse, allow anyone to log into any
account using any password.

A simple 'FOO' type that uses sha256 and a hmac can be implemented with just a
little bit of code:
class Password_TypeFOO extends BasePasswordType {

  protected function run( $params, $password ) {
    list( $salt ) = self::params( $params, 1 );
    return hash_hmac( 'sha256', $password, $salt );
  }

  protected function cryptParams() {
    $salt = MWCryptRand::generateHex( 8 );
    return array( $salt );
  }

}

While at the same time one that uses crypt() which doesn't follow our patterns
can also be implemented simply.
class Password_TypeCRYPT implements PasswordType {

  public function getName() { return 'CRYPT'; }

  public function crypt( $password ) {
    return crypt( $password );
  }

  public function compare( $data, $password ) {
    return Status::newGood( crypt( $password, $data ) === $data );
  }

  public function isPreferredFormat() { return true; }

}

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

Reply via email to