Am 16.04.21 um 20:31 schrieb Justin Capella via arch-general: > Can't help but think that if there is a length limit to a password it is > plaintext in the database.
Good catch, but no: https://github.com/Flyspray/flyspray/blob/master/scripts/authenticate.php > Latest commit 1528f9d on 2 Sep 2019 > # upgrade from unsalted md5 or unsalted sha1 or unsalted sha512 to better > if($conf['general']['passwdcrypt']=='argon2i'){ > $newhash=password_hash($password, PASSWORD_ARGON2I); > }else{ > $cryptoptions=array('cost'=>12); > $newhash=password_hash($password, PASSWORD_BCRYPT, $cryptoptions); > } > # save the new hash > $db->query("UPDATE {users} SET user_pass=? WHERE user_id=?", array($newhash, > $user_id));
