Last modified: 2014-07-30 20:51:40 UTC
Created attachment 16000 [details] Changes includes/User.php Using md5() for passwords is risky. I've attached a backwards compatible patch to support password_hash() and password_verify().
Created attachment 16001 [details] Small corrections
I'm submitting the patches here instead of git because: $ git push Username for 'https://gerrit.wikimedia.org': scott@arciszewski.me Password for 'https://scott@arciszewski.me@gerrit.wikimedia.org': fatal: Authentication failed for 'https://gerrit.wikimedia.org/r/p/mediawiki/cor e.git/'
Hi Scott, The discussion about this has been going on for a long time, and should be resolved with Gerrit change #77645. There was more acceptance of pbkdf2 instead of bcrypt, but bcrypt is an easy option to configure. Thanks for being eager to contribute! You need to use your gerrit username instead of your email address when you submit the patch. You can also use https://tools.wmflabs.org/gerrit-patch-uploader/. *** This bug has been marked as a duplicate of bug 28419 ***
Whoops, a search for MD5 didn't return any results. I'm not sure why. :(
Scott, for future patches, there are instructions for getting started with Gerrit at https://www.mediawiki.org/wiki/Gerrit/Getting_started