Log message #4158514

# At Username Text
# Jul 12th 2018, 15:38 camdenbassett no, as far as I know no-one has gotten the DB. Just wanting to upgrade it before there is trouble.
# Jul 12th 2018, 15:38 ricksaccous if you assume someone did already then it's not safe because someone has the unhashed passwords anyway
# Jul 12th 2018, 15:37 ricksaccous well if someone already compromised your database, yes, if not it's fine, lol
# Jul 12th 2018, 15:36 camdenbassett I was using them as examples. Basically my main question is, is it safe to send a password through multiple hash algorithms if one of them is insecure, like md5, and others are more secure, like sha or Argon.
# Jul 12th 2018, 15:35 neon1024 Wasn’t there a shell to populate counter_cache fields?
# Jul 12th 2018, 15:35 camdenbassett and I know md5 and sha1 aren't very secure anymore :)
# Jul 12th 2018, 15:34 dereuromark That was the old 2.x docs: https://github.com/dereuromark/cakephp-shim/blob/2.x/docs/Auth.md
# Jul 12th 2018, 15:34 camdenbassett Thanks, I'll take a look at that.
# Jul 12th 2018, 15:33 ricksaccous https://book.cakephp.org/3.0/en/controllers/components/authentication.html#changing-hashing-algorithms
# Jul 12th 2018, 15:32 ricksaccous i haven't done it i just know it exists, lel
# Jul 12th 2018, 15:32 ricksaccous you can set the old method and set the new one, and it will make it secure for you
# Jul 12th 2018, 15:32 dereuromark and use a fallback hasher to upgrade since 3+ years
# Jul 12th 2018, 15:32 dereuromark you should use neither of them :slightly_smiling_face:
# Jul 12th 2018, 15:32 ricksaccous there's a CakePHP way to redo password hashing
# Jul 12th 2018, 15:30 camdenbassett I just need to know if there are any advantages/disadvantages to sending a password through md5 then sha vs just through sha. I have an old old old password system that I'm trying to upgrade, and the easiest route would be to just apply one hash on top of another, but I remember reading online somewhere that that might not be very secure.
# Jul 12th 2018, 15:28 dereuromark yes
# Jul 12th 2018, 15:28 camdenbassett @dereuromark was that question directed at me?
# Jul 12th 2018, 15:28 josbeir too much code
# Jul 12th 2018, 15:27 josbeir pff i hate writing unit tests for components
# Jul 12th 2018, 15:26 dereuromark those are good defaults, and rather safe :slightly_smiling_face:
# Jul 12th 2018, 15:25 dereuromark what do you need to know/do besides what CakePHP offers out of the box?
# Jul 12th 2018, 15:25 camdenbassett Anyone know of a good irc channel to discuss the cryptographic storage of passwords?
# Jul 12th 2018, 15:24 josbeir np
# Jul 12th 2018, 15:24 okelet thanks!
# Jul 12th 2018, 15:24 okelet i will try with a migration, unmarking every time i run it
# Jul 12th 2018, 15:24 okelet yes, i know, i have some migrations
# Jul 12th 2018, 15:23 josbeir check out phinx docs
# Jul 12th 2018, 15:23 josbeir you have $this->hasTable('table'); $table->hasColumn('column'); etc..
# Jul 12th 2018, 15:21 josbeir you have methods like exists() etc
# Jul 12th 2018, 15:21 josbeir it should work ok
# Jul 12th 2018, 15:21 josbeir that has extra checks in the up/down functions
# Jul 12th 2018, 15:21 josbeir but still, all of your logic can be inside a migration class
# Jul 12th 2018, 15:20 okelet ah ok ok
# Jul 12th 2018, 15:20 josbeir bin/cake migrations rollback
# Jul 12th 2018, 15:20 josbeir well you can rollback
# Jul 12th 2018, 15:20 josbeir i don't think you can run migration classes from a command, you can probably call the migration shell
# Jul 12th 2018, 15:19 okelet can I unmark a migration from cmd?
# Jul 12th 2018, 15:18 okelet also, if i would create a migration every time I found a problem, i would end up with lots of migrations, that, at the end, are rubbish
# Jul 12th 2018, 15:18 josbeir you can just unmark it
# Jul 12th 2018, 15:18 okelet i would like to modify the command while I find schema problems, and run it again, with migrations, the migration would be marked as migrated and wouldn't run again
# Jul 12th 2018, 15:15 josbeir why don't you write your checking stuff in the migration itself?