Greetings to all,
Not sure how openacs stores passwords these days. Does it still use sha1 with a salt?
"In this context, secure hashing functions like SHA have a critical flaw for password hashing: they are designed to be fast. A modern commodity CPU can generate millions of SHA256 hashes per second. Specialized GPU clusters allow for calculating hashes at a rate of billions per second."
That is from an article by Dropbox: How Dropbox securely stores your passwords.
If openacs is still using sha1 (or any sha2 hashing function), it can be migrated to bcrypt as in the Dropbox article, i.e. apply bcrypt on top of the generated hash.
Here is the git repo for bcrypt-tcl:
bcrypt-tcl
Linux and macOS are supported.
Any and all feedback is welcome.
PS. I understand that the trend is to use oauth2 to outsource identity management but since openacs still has passwords it might as well store them securely.
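The migration sketched above (keep the existing fast hash, wrap it in a slow function, upgrade stored records offline without needing the user's password) as an added, self-contained example. This is not OpenACS or bcrypt-tcl code and it makes two labelled assumptions: the legacy record is taken to be hex(sha1(password || salt)), which is assumed for illustration rather than read from the OpenACS source, and hashlib.scrypt stands in for bcrypt as the slow outer function so the script runs with the Python standard library only; in a real deployment the outer call would be bcrypt (bcrypt-tcl on the OpenACS side). The one bcrypt-specific caveat it bakes in: feed bcrypt the hex-encoded inner digest, not raw bytes, because raw digests can contain 0x00 (which many bcrypt implementations treat as end of string) and bcrypt reads at most 72 bytes. Hex sha1 is 40 characters and hex sha256 is 64, so both fit.

```python
"""Wrap an existing salted-SHA1 password record in a slow KDF, then verify.

Added example (not OpenACS or bcrypt-tcl code). Assumptions, labelled here:
  * the legacy record is hex(sha1(password || salt)); this is assumed for
    illustration, not taken from OpenACS;
  * hashlib.scrypt stands in for bcrypt so the example runs offline with the
    standard library; in deployment the outer call would be bcrypt.
"""
import hashlib
import hmac
import os
from typing import Optional

# Stand-in for bcrypt's work factor: ~16 MiB and tens of milliseconds per call.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def legacy_sha1_hex(password: str, salt: str) -> str:
    """Legacy fast hash (assumed format): hex(sha1(password || salt)).

    40 hex characters, printable, no NUL bytes: safe to hand to bcrypt later.
    """
    data = password.encode("utf-8") + salt.encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def legacy_sha1_record(password: str, salt: Optional[str] = None) -> dict:
    """Build a record the way the (assumed) legacy scheme stores it."""
    salt = salt if salt is not None else os.urandom(8).hex()
    return {"scheme": "sha1", "salt": salt, "hash": legacy_sha1_hex(password, salt)}


def slow_wrap(inner_hex: str, outer_salt: bytes) -> str:
    """Slow outer function over the hex-encoded inner hash (scrypt as bcrypt stand-in).

    Hex input is deliberate: raw digests may contain 0x00, which many bcrypt
    implementations treat as end of string, and bcrypt reads only the first
    72 bytes. sha1 hex (40 chars) and sha256 hex (64 chars) both fit.
    """
    return hashlib.scrypt(inner_hex.encode("ascii"), salt=outer_salt, **SCRYPT_PARAMS).hex()


def wrap_legacy_record(rec: dict, outer_salt: Optional[bytes] = None) -> dict:
    """Upgrade a stored sha1 record offline, without the user's password.

    The stored sha1 hex is exactly the value verification recomputes from the
    password, so wrapping it gives the same result a fresh login would. The
    whole user table can therefore be converted in one batch job.
    """
    if rec["scheme"] != "sha1":
        raise ValueError("only legacy sha1 records are wrapped")
    outer_salt = outer_salt if outer_salt is not None else os.urandom(16)
    return {
        "scheme": "sha1+scrypt",
        "salt": rec["salt"],            # legacy inner salt is still required
        "outer_salt": outer_salt.hex(),  # fresh salt for the slow outer function
        "hash": slow_wrap(rec["hash"], outer_salt),
    }


def verify(password: str, rec: dict) -> bool:
    """Check a password against either record format with a constant-time compare."""
    inner = legacy_sha1_hex(password, rec["salt"])
    if rec["scheme"] == "sha1":
        candidate = inner
    elif rec["scheme"] == "sha1+scrypt":
        candidate = slow_wrap(inner, bytes.fromhex(rec["outer_salt"]))
    else:
        return False
    return hmac.compare_digest(candidate, rec["hash"])


if __name__ == "__main__":
    # Constructed sample: one legacy record, upgraded in place, then checked.
    old = legacy_sha1_record("correct horse battery staple")
    new = wrap_legacy_record(old)
    print(new["scheme"], verify("correct horse battery staple", new), verify("wrong", new))
```

Because the outer function only ever sees the inner hex digest, the verify path for upgraded records stays identical for every user whether they were converted in the batch job or logged in afterwards, and the legacy salt must be kept alongside the new one or the inner hash can no longer be recomputed.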