Can I use this CI Starter. Is it safe?
#9

I took a quick look at it, looking for the first security-related thing that I can find ... This is not safe:

https://github.com/ivantcholakov/starter...ssword.php

Passwords must be hashed, not encrypted.

Encryption is a two-way process, and anybody who may gain access to the encryption key will also have immediate access to all passwords processed by that library. This also means that the website owner has access to all users' passwords in plain text.
Hashing, on the other hand, is a one-way process, and using an appropriate algorithm like BCrypt guarantees that the user who supplied the password is the only one who will ever know it.

@ivantcholakov

It seems to me that you took my last criticism towards you way too hard (you've been practically silent on GitHub since) ... it wasn't with bad intentions. So now I want to explicitly say that this, too, is not with any malice.

IIRC I've already criticized the GibberishAES library in another thread here ... I don't remember what it was about, but you've obviously not only ignored my comments, you're also using it in an extremely inappropriate way.
I'm all fine if you just disagree with me on one thing and do it your own way for yourself, but when it comes to security - please, really, if you disagree with me - ask a security expert. What you did here can be a real disaster ... if you're already using this solution, I strongly advise you to replace it immediately.
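As an added example for the point made in the post above (encryption is reversible, hashing is not), and not code from the starter project, from GibberishAES, or from the poster: the reversible pattern with an application-wide AES key next to PHP's native bcrypt support, plus a login-time migration from the encrypted store to hashes. The cipher, the key derivation, the record shape and the sample password are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the starter project's code. Contrasts symmetric
// encryption of passwords (reversible, key must live with the app) with
// bcrypt hashing via password_hash()/password_verify().

const CIPHER = 'aes-256-cbc'; // assumed cipher for the "encrypting" side

// --- Anti-pattern: encrypting passwords ------------------------------------
// Any library that encrypts passwords must hold a key the application can
// read, so the key is reachable by the site owner, by config or backup
// leaks, and by any attacker who gets code execution or a copy of the config.
function encryptPassword(string $password, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($password, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);
}

// The mere existence of this function is the problem: whoever has the key
// recovers every stored password in plaintext.
function decryptPassword(string $stored, string $key): string|false
{
    $raw = base64_decode($stored, true);
    if ($raw === false) {
        return false;
    }
    $ivLen = openssl_cipher_iv_length(CIPHER);
    return openssl_decrypt(substr($raw, $ivLen), CIPHER, $key, OPENSSL_RAW_DATA, substr($raw, 0, $ivLen));
}

// --- Correct pattern: bcrypt hashing ---------------------------------------
function hashPassword(string $password): string
{
    // password_hash() draws a fresh 16-byte salt per password and encodes
    // algorithm, cost and salt into the result: nothing secret is stored
    // server-side, and two users with the same password get different hashes.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $hash): bool
{
    return password_verify($password, $hash); // constant-time comparison
}

// --- Migration away from an encrypted store --------------------------------
// Assumed record shape: ['encrypted' => ?string, 'hash' => ?string].
// On a successful login the encrypted value is replaced by a bcrypt hash;
// an existing hash is upgraded if its cost is below the current policy.
function loginAndMigrate(array &$record, string $password, string $key): bool
{
    if ($record['hash'] !== null) {
        if (!verifyPassword($password, $record['hash'])) {
            return false;
        }
        if (password_needs_rehash($record['hash'], PASSWORD_BCRYPT, ['cost' => 12])) {
            $record['hash'] = hashPassword($password);
        }
        return true;
    }
    if ($record['encrypted'] === null
        || !hash_equals((string) decryptPassword($record['encrypted'], $key), $password)) {
        return false;
    }
    $record['hash'] = hashPassword($password);
    $record['encrypted'] = null; // nothing reversible is left in the database
    return true;
}

// --- Demonstration ----------------------------------------------------------
$appKey = hash('sha256', 'hypothetical application secret', true); // assumed 32-byte key
$userPassword = 'correct horse battery staple';                     // constructed sample

$encrypted = encryptPassword($userPassword, $appKey);
// With a database dump plus the key, the plaintext comes straight back.
var_dump(decryptPassword($encrypted, $appKey) === $userPassword);

$hash = hashPassword($userPassword);
var_dump(verifyPassword($userPassword, $hash));
var_dump(verifyPassword('wrong password', $hash));
// There is no decrypt counterpart for $hash: the only path back is guessing,
// and bcrypt's cost factor makes every guess expensive.

$record = ['encrypted' => $encrypted, 'hash' => null];
var_dump(loginAndMigrate($record, $userPassword, $appKey));
var_dump($record['encrypted'] === null && password_verify($userPassword, $record['hash']));
```

Two caveats worth knowing before adopting this: bcrypt only looks at the first 72 bytes of the password, so either accept that or pre-hash consistently, and the decryption key should be retired as soon as the last encrypted record has been converted, because as long as it exists anyone who obtains it can still read the remaining rows.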


Messages In This Thread
Can I use this CI Starter. Is it safe? - by Vimal - 03-04-2015, 10:12 PM
RE: Can I use this CI Starter. Is it safe? - by Narf - 03-05-2015, 11:35 AM


