the only TRUE way to secure a server is to unplug it
I would like to second the replacement of md5 just because it's broken and "fast". For the guy who was too lazy to Google why, here's a link by a cryptographer: http://chargen.matasano.com/chargen/...w-about-s.html
It's only 1-2 function calls by WHMCS team to increase security. Saying "secure your service" -- while good advice -- does not mean that we should be using outdated technology. It's like saying "stick with PHP4 and just secure your server, you're good" when the whole world has moved to PHP5, etc. (very loose analogy, sorry, but you get the point).
Wouldn't this require all users to change their password in every WHMCS system on the web if this was changed (assuming an upgrade)? I doubt that would be good for business on WHMCS's part, probably why it hasn't been changed already.
It could easily be implemented for new registrations and password updates from the new version release date.
In order to bring all passwords in line clients could be prompted to update their password at next login which would move them from md5 to sha. It doesn't have to be an all or nothing implementation.
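A worked sketch of the re-hash-at-next-login migration described above, added here as an example and not WHMCS code. It uses only Python's standard library; the user table, the sample password and the PBKDF2 iteration count are constructed assumptions. The upgrade target is a salted, deliberately slow hash rather than plain SHA, since being fast and unsalted is what makes MD5 a poor fit for stored passwords.

```python
import hashlib
import hmac
import os

# Constructed sample "user table": one legacy unsalted MD5 record,
# the situation the thread describes for existing installs.
USERS = {
    "alice": {"scheme": "md5", "salt": b"",
              "hash": hashlib.md5(b"correct horse").hexdigest()},
}

# Assumption: a work factor tuned for the deployment; raise it in production.
PBKDF2_ITERATIONS = 200_000


def make_pbkdf2_record(password: str) -> dict:
    """Build a salted, slow (PBKDF2-HMAC-SHA256) record for a new or updated password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2_sha256", "salt": salt, "hash": digest.hex()}


def verify_record(record: dict, password: str) -> bool:
    """Verify against whichever scheme the stored record uses, comparing in constant time."""
    if record["scheme"] == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
    elif record["scheme"] == "pbkdf2_sha256":
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS).hex()
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(candidate, record["hash"])


def login(username: str, password: str) -> bool:
    """Authenticate the user; on success with a legacy record, transparently
    re-hash it, since the plaintext is only available at login time."""
    record = USERS.get(username)
    if record is None or not verify_record(record, password):
        return False
    if record["scheme"] != "pbkdf2_sha256":
        USERS[username] = make_pbkdf2_record(password)
    return True
```

Accounts that never log in keep their MD5 record, so a deployment would also want a cut-off after which unmigrated users are forced through a password reset.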
+1
Blows my mind every time I hear a suggestion to increase the security of the system and someone counters with it's a waste of time if you just 'secure your server'. Security requires a defense in depth approach. You don't have to be an infosec pro to get this, it's just common sense.