#5850 (In Topic #1391)
Standard member
ironfeather is in the usergroup ‘Well-settled’

A quarter of major CMSs use outdated MD5 as the default password hashing scheme | ZDNet

While the article is talking about the issue of using md5, it is cool to see Composr listed as important software :)

———–
Publisher of IronFeather Journal since 1987. Host of KGNU Colorado Radio for 20 years.
Currently in Japan & decided to focus on Composr as my number one CMS.
Composr site for community of Hokkaido:  Nandalow.com
Composr site for my freelance work: Futurecode.jp
My Composr edits: http://ironfeather.com/bbs/viewtopic.php?f=12&t=2862
Twitter: https://twitter.com/futurecodejp
#5854
Site director
Chris Graham is in the usergroup ‘Administrators’
Right. The article, and paper it is based on, is actually wrong.

We use bcrypt. We support md5 for legacy reasons, as we can import all kinds of password hashes from other software.

I'm going to ask for a correction.


Become a fan of Composr on Facebook or add me as a friend. Add me on Twitter. Follow me on Minds (where I am most active). Support me on Patreon

Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about Composr whenever you see the opportunity or support me on Patreon.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying Composr on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#5855
Site director
Chris Graham is in the usergroup ‘Administrators’
#5856
Site director
Chris Graham is in the usergroup ‘Administrators’
My letter to the authors…

Hello,

I am the lead developer for Composr CMS, cited in your paper.

Composr is featured and listed as using md5 encryption, with a minimum password length of 1 character.

This is incorrect, for the following reasons:
  • Composr uses bcrypt encryption, via the password_hash/password_verify PHP functions. This is something PHP is designed to automatically upgrade as best practices change.
  • The strength of the bcrypt encryption is adjustable via a configuration option called "Cryptographic ratchet”. This allows it to be adjusted based on the CPU capabilities of the server hosting the site (for example).
  • Composr can use md5 encryption for legacy accounts - this is a necessary feature as we supported imported user data with old password coding schemes outside our control. Md5 encryption for new passwords cannot be selected by the Composr admin via any visible UI option.
  • The default minimum password length is 4 characters. We are now going to double this, because 4 is itself not enough, but definitely not 1!
  • We also include a password strength indicator on the registration form.

For a sanity check I have just verified the above claims by checking the code, and actual testing.

For very old versions of PHP - older than 5.5 (2013), we do fall back to md5. Anything older than PHP 7.1 is no longer supported by the PHP developers and considered insecure.

I have reached out to ZDNet who cited your paper, to have it corrected.
Please also post a correction for your paper that is easily accessible to anyone who will read it — or have the original paper corrected wherever distributed, if possible.

I do expect and embrace revelation of actual holes in Composr - which there have been in the past on occasion. However, incorrect information about our product is a liability to us and undermines our hard work on Open Source systems. I appreciate your work trying to improve security, but it needs to be accurate.

I have seen SMF and MyBB both also have similar issues with your paper.

Regards,
Chris

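The scheme the letter above describes (bcrypt via password_hash/password_verify, an adjustable cost, and md5 kept only so that imported legacy hashes can still be checked) can be shown end to end in a few lines of PHP. The following is an added example written for this page, not Composr's own code: the 'scheme' field on the stored record, the MIN_PASSWORD_LENGTH and BCRYPT_COST constants (standing in for the "Cryptographic ratchet" option), and the function names are all assumptions made here. The point it demonstrates is that a legacy md5 record is only ever verified, never created, and is rewritten as bcrypt the first time the user logs in, while password_needs_rehash() picks up a raised cost (or a change to PHP's default algorithm) on existing bcrypt records.

```php
<?php
// Added example for this thread, not code from Composr. Record layout,
// constant names and function names are hypothetical.
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 8;  // the post says the default is moving from 4 to 8
const BCRYPT_COST = 12;         // stands in for the "Cryptographic ratchet" setting

/** Build a bcrypt record at the configured cost (no policy checks). */
function bcrypt_record(string $password): array
{
    return [
        'scheme' => 'bcrypt',
        'hash'   => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
    ];
}

/** Hash a NEW password: policy applies here, and md5 is never an option. */
function hash_new_password(string $password): array
{
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        throw new InvalidArgumentException('Password shorter than ' . MIN_PASSWORD_LENGTH);
    }
    return bcrypt_record($password);
}

/**
 * Verify $password against a stored record.
 * Returns null on failure, otherwise the record to write back, which is the
 * original record or an upgraded bcrypt record when a rehash was warranted.
 */
function verify_and_upgrade(string $password, array $record): ?array
{
    switch ($record['scheme']) {
        case 'md5':
            // Imported legacy account: unsalted md5 hex digest from another system.
            // hash_equals() keeps the comparison constant-time.
            if (!hash_equals($record['hash'], md5($password))) {
                return null;
            }
            // Correct password, so the plaintext is in hand: upgrade to bcrypt now.
            // No length check: the user chose this password under the old policy.
            return bcrypt_record($password);

        case 'bcrypt':
            if (!password_verify($password, $record['hash'])) {
                return null;
            }
            // Ratchet raised since this hash was made? Rehash at the new cost.
            if (password_needs_rehash($record['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
                return bcrypt_record($password);
            }
            return $record;

        default:
            return null;  // unknown scheme: fail closed
    }
}

// Constructed demo data (not real accounts).
$legacy = ['scheme' => 'md5', 'hash' => md5('hunter2')];
$weak   = ['scheme' => 'bcrypt', 'hash' => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4])];

$upgraded = verify_and_upgrade('hunter2', $legacy);
echo "legacy md5 login: ", $upgraded === null ? 'FAIL' : 'ok, now ' . $upgraded['scheme'], "\n";
echo "legacy md5 wrong password: ", verify_and_upgrade('nope', $legacy) === null ? 'rejected' : 'ACCEPTED?!', "\n";
echo "bcrypt re-verify after upgrade: ", password_verify('hunter2', $upgraded['hash']) ? 'ok' : 'FAIL', "\n";

$rehashed = verify_and_upgrade('hunter2', $weak);
echo "cost-4 hash rehashed at cost ", BCRYPT_COST, ": ",
     ($rehashed !== null && $rehashed['hash'] !== $weak['hash']) ? 'yes' : 'no', "\n";

try {
    hash_new_password('abc');
} catch (InvalidArgumentException $e) {
    echo "new password policy: ", $e->getMessage(), "\n";
}
```

Two caveats a practitioner would want alongside this: password_hash(), password_verify() and password_needs_rehash() all arrived in PHP 5.5, which is why the letter notes an md5 fallback only for older interpreters; and bcrypt uses at most the first 72 bytes of the input, so a site that allows very long passwords should be aware that bytes beyond that are ignored by this algorithm.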

#5871
Site staff
Adam is in the usergroup ‘Super-moderators’
Updated on June 18: After the publication of this article, the developer teams from Simple Machines Forum, MyBB, and Composr told ZDNet that their CMSs have moved on to more advanced hashing schemes as opposed to the ones analyzed by the research team. All three now use bcrypt.

Composr was using bcrypt anyway, not sure about the other 2 ;)