Warning, technical information ahead!
Update your PHP version, I recommend 7.2.*. It has major performance improvements.
Also, PHP <= 5.6 is no longer going to receive security patches.
There are many reasons why you should be using recent stable releases.
And use:
```php
password_hash($password, PASSWORD_DEFAULT);
```
to hash our passwords/passphrases properly. And if I may ask Kim, how are you storing our passwords/passphrases currently?
Another good idea would be to open-source your project; others could contribute, both in features and security.
hazor12 wrote:
Warning, technical information ahead!
Update your PHP version, I recommend 7.2.*. It has major performance improvements.
I'm already using this for the rebuild. This is part of why we're rebuilding.
Quote:
to hash our passwords/passphrases properly. And if I may ask Kim, how are you storing our passwords/passphrases currently?
Passwords are one way encrypted and always have been, and that's really all I'm going to be publishing about our encryption methods.
Why not publish which algorithm you're using? It's fine to say which you are using, such as Bcrypt, Scrypt, Argon2 variation, PBKDF2, etc.
You should be using Argon2, Scrypt or Bcrypt.
Knowing which algorithm you use can guarantee that you're properly hashing our passwords. Knowing which algorithm you use doesn't hurt at all. It's by design.
I understand if you're keen on keeping your code and algorithms secret. But make sure you use recommended standards.
Just do not use something like:
```php
hash('sha512', $password);
```
It's not effective at protecting passwords, with regard to the `hash` function.
I'm sure you're using recommended standards (at least I hope), but many legacy projects still get it wrong. Even some big companies like Adobe have messed up badly, implementing their own encryption algorithm, which is bad.
I know this isn't a security critical application, but these days our data is often being mishandled, sold, etc.
Please do not take this as hostility, I know I came out of the blue.
I've been interested in and working with security for a while, and I really do enjoy your roleplaying tool. I thought I should give you some input on securing your application.
And if you ever open-sourced your application on say, GitHub I would gladly contribute.
I recommend you check out this blog for building secure PHP applications. Make sure to pick through their archives.
On a note, I think you should be implementing TOTP-based MFA, and recommending good password practices such as diceware passphrases and password managers (BitWarden) when logging in, signing up, or changing credentials.
It's imperative that we as developers push our users to take steps toward securing their accounts and data. While it may not be as critical here, if we can help teach users, we should, because they can use the best practices elsewhere, like banking. That's critical.
I mean well, and I want a better experience for the users of RPR. But if you can aid in educating users about securing their data, that'd be wonderful. All you have to do is recommend good passphrase practices, and use of password managers.
Recommend MFA if they don't have it turned on, etc. Of course only recommend it when setting up accounts, logging in, changing credentials, etc. We wouldn't want to annoy them.
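As an added example, not code from this thread or from RPR, here is what a rebuild can do with the `password_hash()` advice above and the `hash('sha512', ...)` anti-pattern it warns against: verify logins with `password_verify()`, and on a successful login against a legacy sha512 record, rewrite it with `password_hash(PASSWORD_DEFAULT)`. The `$users` array and its `algo`/`hash` keys are assumptions standing in for a real user table.

```php
<?php
// Added example (not from the thread): login check that upgrades legacy
// unsalted sha512 records to password_hash() on successful login.
// The $users array and its 'algo'/'hash' keys are assumptions.
declare(strict_types=1);

// Constructed sample records: one legacy sha512 hash, one password_hash() hash.
$users = [
    'alice' => ['algo' => 'sha512',        'hash' => hash('sha512', 'correct horse battery staple')],
    'bob'   => ['algo' => 'password_hash', 'hash' => password_hash('another diceware phrase', PASSWORD_DEFAULT)],
];

// Verified against for unknown usernames so response time does not reveal
// whether an account exists.
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);

/**
 * Returns true if $password matches the stored record for $username.
 * A match against a legacy sha512 record rewrites it with password_hash();
 * a password_hash() record is re-hashed when its parameters are outdated.
 */
function loginAndUpgrade(array &$users, string $username, string $password, string $dummyHash): bool
{
    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);
        return false;
    }
    $record = &$users[$username];

    if ($record['algo'] === 'sha512') {
        // Legacy path: fast, unsalted digest. Compare in constant time, then upgrade.
        if (!hash_equals($record['hash'], hash('sha512', $password))) {
            return false;
        }
        $record = ['algo' => 'password_hash', 'hash' => password_hash($password, PASSWORD_DEFAULT)];
        return true;
    }

    if (!password_verify($password, $record['hash'])) {
        return false;
    }
    // Re-hash if PASSWORD_DEFAULT or its cost has changed since the hash was stored.
    if (password_needs_rehash($record['hash'], PASSWORD_DEFAULT)) {
        $record['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

var_dump(loginAndUpgrade($users, 'alice', 'wrong guess', $dummyHash));
var_dump(loginAndUpgrade($users, 'alice', 'correct horse battery staple', $dummyHash));
var_dump($users['alice']['algo']);
var_dump(loginAndUpgrade($users, 'bob', 'another diceware phrase', $dummyHash));
```

Once every account has logged in at least once, the sha512 branch can be removed and any remaining legacy records forced through a password reset.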