Why are you not using bcrypt? I know you have set your minimum PHP version to 5.3.0, but it would be nice to see it bumped up to 5.5. 5.3.0 is also EOL. If someone got access to a database they could go to hashkiller.co.uk (or use hashcat) and literally copy/paste to get passwords. It's sad to see SHA-1 instead of some kind of actual encryption.
It would be nice to be able to disable the debug info for the admin (or at least move it to a separate page).
Is there any reason you are using gettext instead of an array for language files? If you ever need to change the text you have to generate a mo file from the po with either poedit or an online converter, but with an array you can just change the text and save and it's instant.
Last edited by Boonie (2016-04-03 22:25:41)
I think that we preferred not to use bcrypt because not all web providers include it in their offers, but I'll let adaur confirm that. The debug info can be disabled by setting the 'debug' param of $feather_settings to false in the index.php file, but a way to do it in the admin panel would be easier indeed. And for gettext, it seems faster than plain PHP arrays since .mo files are compiled.
Thanks for your report!
If you don't want to use bcrypt, you might want to consider PBKDF2. There really is no reason 5.3 should be used anyway; it has been EOL since 2014.
For gettext, I see where you are coming from that it is faster, but that is because it's compiled binary. It really makes no sense to use compiled binary in a web platform, and the speed difference is negligible.
Actually FeatherBB already needs at least PHP 5.5 as indicated in the composer.json file, the readme.md and featherbb.org site will be updated when we publish the next beta.
Could you detail why compiled binary doesn't fit with web platforms? Gettext is used in several PHP frameworks, and is mentioned in articles about website internationalization.
And now that all raw PHP files have been transformed into PO/MO files, I don't think we'll go back anyway.
Hi there, thanks for your interest.
Actually, FluxBB as well as FeatherBB had plain arrays files, but we changed to gettext since it is easier for users willing to translate to open poedit and just do their thing. This is how WordPress works, I think a large community of translators are now used to this.
As for encryption, using this library https://github.com/ircmaxell/password_compat may be a good idea to ensure that the encryption level is sufficient.
Passwords are now stored and verified using PHP 5.5 native functions => https://github.com/featherbb/featherbb/commit/7caf2373bc5d8e5cf5c47e106532f385273dd0e1
Thanks for your suggestions!
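The points argued across this thread (unsalted SHA-1 is lookup-table crackable, PBKDF2 is the fallback when bcrypt is unavailable, and PHP 5.5's native password functions are the fix) in one runnable PHP script. This is an added example, not FeatherBB's code and not code from anyone posting above; the function names, the in-memory `$users` array, the bcrypt cost of 12 and the PBKDF2 iteration count of 100000 are all assumptions made for the example. It also shows the step the commit above does not discuss here: upgrading an existing SHA-1 row to bcrypt the next time that user logs in.

```php
<?php
// Added example (not FeatherBB code). Contrasts unsalted SHA-1 storage with
// PHP 5.5's password_hash()/password_verify(), shows a PBKDF2 alternative via
// hash_pbkdf2() (also PHP 5.5), and upgrades legacy SHA-1 rows at login time.
// All names, the cost/iteration values and the $users table are made up here.

// Constructed in-memory "user table": one legacy SHA-1 row and one bcrypt row.
$users = array(
    'alice' => array('hash' => sha1('correct horse'), 'scheme' => 'sha1'),
    'bob'   => array('hash' => password_hash('battery staple', PASSWORD_BCRYPT, array('cost' => 12)),
                     'scheme' => 'php'),
);

// The weak scheme: no salt, so identical passwords give identical hashes and a
// leaked table can be matched against precomputed lookups or cracked on a GPU.
function legacy_sha1($password) {
    return sha1($password);
}

// bcrypt via password_hash(): a random salt per hash, embedded in the output,
// and a tunable cost. Caveat: bcrypt only uses the first 72 bytes of the password.
function hash_new_password($password) {
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));
}

// PBKDF2-SHA256 alternative with hash_pbkdf2(), for hosts without bcrypt.
// Salt and iteration count are stored with the hash so they can change later.
function pbkdf2_hash($password, $iterations = 100000) {
    $salt = openssl_random_pseudo_bytes(16);
    if ($salt === false) {
        throw new RuntimeException('no CSPRNG available');
    }
    $dk = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);
    return 'pbkdf2$sha256$' . $iterations . '$' . base64_encode($salt) . '$' . base64_encode($dk);
}

function pbkdf2_verify($password, $stored) {
    $parts = explode('$', $stored);
    if (count($parts) !== 5 || $parts[0] !== 'pbkdf2') {
        return false;
    }
    list(, $algo, $iterations, $salt, $dk) = $parts;
    $calc = hash_pbkdf2($algo, $password, base64_decode($salt), (int) $iterations, 32, true);
    // hash_equals() (PHP 5.6+) is a constant-time compare; on 5.5 write your own loop.
    return hash_equals(base64_decode($dk), $calc);
}

// Login: verify with whichever scheme the row uses. A legacy SHA-1 row that
// authenticates is replaced by a bcrypt hash on the spot; a bcrypt row whose
// cost is below the current setting is rehashed too.
function login(array &$users, $name, $password) {
    static $dummy = null;
    if ($dummy === null) {
        $dummy = hash_new_password('dummy'); // assumption: fixed-cost decoy hash
    }
    if (!isset($users[$name])) {
        // Spend the same time as a real check so unknown usernames cannot be
        // told apart from wrong passwords by response time.
        password_verify($password, $dummy);
        return false;
    }
    $row = &$users[$name];
    if ($row['scheme'] === 'sha1') {
        if (!hash_equals($row['hash'], legacy_sha1($password))) {
            return false;
        }
        $row = array('hash' => hash_new_password($password), 'scheme' => 'php');
        return true;
    }
    if (!password_verify($password, $row['hash'])) {
        return false;
    }
    if (password_needs_rehash($row['hash'], PASSWORD_BCRYPT, array('cost' => 12))) {
        $row['hash'] = hash_new_password($password);
    }
    return true;
}

// Usage: a failed and a successful login for the legacy row (the second one
// upgrades it to bcrypt), a bcrypt login, and a PBKDF2 round trip.
var_dump(login($users, 'alice', 'wrong'));
var_dump(login($users, 'alice', 'correct horse'));
var_dump($users['alice']['scheme']);
var_dump(login($users, 'bob', 'battery staple'));
$p = pbkdf2_hash('hunter2');
var_dump(pbkdf2_verify('hunter2', $p), pbkdf2_verify('hunter3', $p));
```

The upgrade-at-login path is what makes the migration practical: existing SHA-1 rows cannot be converted offline because the plaintext is needed, so they are rehashed the first time each user authenticates, and `password_needs_rehash()` lets the cost factor be raised later the same way.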