Hi all, I got an email from one of my users which said:
Just got a phishing scam email that had the password I use on this site and only this site, trying to extort money via BitCoin. If there is anything y'all can do to upgrade the security on the passwords and email addresses used here, it'd be appreciated.
Wondering if anyone else has seen anything similar, and if there really is anything that I could try to increase security. I’m guessing not, but thought it was worth it to ask! Thanks much.
Passwords are stored as MD5 hashes, which is terrible because they can rather easily be reverted given enough time and compute power.
Still, this requires somebody having gained access to the DB to get the hash string, or having been able to man-in-the-middle the connection from the user to the webserver to get the password straight away. Those two things are independent of eFiction 3, which doesn't make the MD5 thing any better.
It would be easy to improve this to SHA1 or even PHP's password functionality, but I am not investing any more time into 3.x (apart from fixes that are required due to PHP changes). If anybody has a fix for this issue, I will gladly merge it.
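For anyone who wants to take up the offer above, here is an added example (not eFiction's own code, and not from the maintainer) of what the "PHP password functionality" fix looks like: legacy MD5 hashes are still accepted on login, and on a successful login the row is transparently re-stored with `password_hash()`, so nobody has to be forced through a reset. It assumes the stored MD5 value is a bare 32-character hex string in a `password` column; the `$users` array and the `login()`/`is_legacy_md5()` helpers are stand-ins for the real DB table and are not eFiction identifiers.

```php
<?php
// Added example, not eFiction's own code. Migrates a legacy md5 password
// column to password_hash() (bcrypt by default) without forcing a reset.
// $users stands in for the DB table; column names are assumptions.

declare(strict_types=1);

// Constructed sample row: one user still on the legacy md5 scheme.
$users = [
    'alice' => ['password' => md5('correct horse battery staple')],
];

function is_legacy_md5(string $stored): bool
{
    // password_hash() output starts with a "$algo$" prefix; a bare
    // 32-hex-char string is the old md5 column value.
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

function login(array &$users, string $name, string $password): bool
{
    // A real bcrypt hash of a throwaway value, computed once, so that a
    // login for a non-existent user costs as much as a wrong password and
    // does not leak which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('not a real password', PASSWORD_DEFAULT);

    if (!isset($users[$name])) {
        password_verify($password, $dummy);
        return false;
    }
    $stored = $users[$name]['password'];

    if (is_legacy_md5($stored)) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // Transparent upgrade: the plaintext is available right now, so
        // replace the md5 value with a salted, slow hash.
        $users[$name]['password'] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Keep upgraded rows current if the default algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name]['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed demo: the first login verifies against md5 and upgrades the
// row, so the second check no longer sees a legacy hash.
$first  = login($users, 'alice', 'correct horse battery staple');
$stillMd5 = is_legacy_md5($users['alice']['password']);
$wrong  = login($users, 'alice', 'wrong password');
var_dump($first, $stillMd5, $wrong);
```

One caveat with this approach: users who never log in again keep their MD5 hash in the database indefinitely, so a dump taken later is just as crackable for them as it is today. In practice the migration is paired with a cutoff date after which any remaining MD5 rows are invalidated and those users get a reset link.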
@sheepcontrol thank you for the quick response! Sounds like I should at least change my passwords in case it was a case of someone accessing the actual database. Appreciate the insight!