what encryption algorithm does Joomla 3.8 use?

Post by ThePiston » Fri Jul 20, 2018 11:30 am

Got a user who's security-minded and didn't like that Joomla was sending out clear text passwords. I've turned that off but now he's asking what encryption method Joomla uses. Thanks.


Post by abernyte » Fri Jul 20, 2018 2:55 pm

A little off the reservation for me but... php7.1 or less then probably ext/mcrypt or ext/sodium - php7.2 and onward ext/sodium. I think the ext/sodium libraries are available in J3.8 as mcrypt was removed after php7.1.
Someone far cleverer than I will undoubtedly give us the definitive answer.
It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so. Twain

Post by mistertecho » Thu Aug 23, 2018 10:52 pm

I can think of at least one major problem with having a hashing algorithm automatically selected. Let's say that a user selects SHA512 for his site and wants to transfer it from Server A to Server B. Server B does not have any cryptographic library installed, so it is limited to using MD5. Result: all users are lost, because their passwords are unrecoverable. It is not very difficult for this to happen, especially if you move between low-cost shared hosts or from live to local (have you observed that hash and mcrypt are turned OFF by default on most major AMP packages?). I know that users should know better if we document this and I know that they can work around it (except when they move from one host to another) by following instructions but, honestly, do you seriously believe that any user ever read the fine manual? Not one.

I would make this an option, not an automatic action, with a big fat warning stating that this may cause user login issues if the server configuration changes or the site is transferred to a different server. Therefore, if it breaks, the user has assumed full responsibility for his actions and will refrain from affectionate remarks of the "Joomla! sucks because it lost my users"
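
The Server A to Server B scenario from the post above, written as a pre-migration audit. This is an added example, not part of the original post and not Joomla's code; the `algo$salt$hexdigest` record format, the user table and the two capability sets are constructed for illustration.

```python
import hashlib
import hmac

# Constructed storage format for this example only: "<algo>$<salt>$<hexdigest>".
# It is not Joomla's format; it makes the algorithm name travel with the hash.
# SHA512 and MD5 appear only because the post names them; a plain fast digest
# is not a suitable password hash on its own.

def make_record(algo, salt, password):
    digest = hashlib.new(algo, (salt + password).encode()).hexdigest()
    return f"{algo}${salt}${digest}"

def verify(record, password, available):
    """Return True/False for a password check, or None when this server
    cannot compute the record's algorithm at all."""
    algo, salt, digest = record.split("$", 2)
    if algo not in available:
        return None
    candidate = hashlib.new(algo, (salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)

def migration_audit(users, available):
    """List the accounts whose stored hash the target server cannot verify."""
    return sorted(name for name, record in users.items()
                  if record.split("$", 1)[0] not in available)

# Constructed sample user table as it exists on "Server A".
USERS = {
    "alice": make_record("sha512", "s1", "correct horse"),
    "bob": make_record("sha512", "s2", "hunter2"),
    "carol": make_record("md5", "s3", "letmein"),
}

# Assumed capability sets: what each server is able to compute.
SERVER_A = {"md5", "sha512"}
SERVER_B = {"md5"}

if __name__ == "__main__":
    print("locked out on A:", migration_audit(USERS, SERVER_A))
    print("locked out on B:", migration_audit(USERS, SERVER_B))
```

Running the audit against the target's capability set before the move shows which accounts would need a password reset, instead of finding out from failed logins afterwards.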

Post by brian » Fri Aug 24, 2018 6:57 am

If that had any relevance to Joomla it would be interesting.
"Exploited yesterday... Hacked tomorrow"