2018-09-07, 06:49 AM
(2018-09-07, 02:52 AM)W13 Wrote: [ -> ]if (PHP < 5.3) {
use md5
}else{
use proper encryption to keep the world safe
}
...to keep stupid users safe, more like. Strong hashing is mainly for users who insist using same password everywhere. Which you should never do since all it takes one rogue site owner to capture all your cleartext passwords...
If you use some kind of password manager, generate a random password for each site, it doesn't matter how that site hashes the passwords since it can't be used anywhere else anyway.
Also "proper encryption" is just the same old hashing, just with more iteration and ram usage, in hopes that will somehow help fend off attackers. But in the bitcoin age where dedicated hardware is built just to push an insane amount of hashes and tons of ram, given a determined attacker, it'll probably never be enough.
Which means that even with this change, users still have to use a random password for each site to be safe.
It's a good change to make, especially when new PHP version makes this easy, but it's far removed from saving the world level.