BCrypt Password Encryption

matthall28 Member
in Bugs & Feature Requests edited November 2014
Hey,

I was wondering if there was any chance of BCrypt being added as a password encryption option?

It's very common among open source software (Laravel in particular) and is implemented in all major languages (Ruby, Python, C, C#, Perl, PHP, Java).
Comments
  • fc_adam FoxyCart Team
    @matthall28,

    Good request. I'll create a ticket for us to look at adding that in as a password encryption option for stores. Did you have a timeframe of when you would be looking to make use of it for a production store?
  • @fc_admin

    Thanks! It's a great encryption method and should be very easy for you guys to handle, near identical to SHA etc.

    Looking to use it in production the next few weeks, but if it's not going to happen in that timeline that's no problem, we can just use another encryption method!
  • fc_adam FoxyCart Team
    @matthall28,

    No worries - thanks for that. I've added this thread to the ticket so we'll be sure to update you when support is added.
  • luke FoxyCart Team
    Hello @matthall28. Do you need this specifically for Laravel or some other framework? BCrypt is just an algorithm, but the implementation may be different per framework/library/approach. Do you need us to create hashes which are compatible with Laravel specifically? If so, can you point us in the direction of their source code so we can take a look? Each implementation has a different approach as far as how they calculate a salt and whether or not it's a prefix, postfix or some other variation.
  • Hey @luke

    Here is the Laravel repo for their hashing code
    https://github.com/illuminate/hashing

    $hash = password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost));

    We would need to set the cost (default 10) and there isn't anything else fancy about it, from the looks of it!
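
An added example, not part of any post in this thread and not Laravel or FoxyCart code: it runs the `password_hash()` call quoted above and shows where PHP's bcrypt output keeps the salt and cost, which is the salt-placement question raised earlier. The sample password and the helper name `describeBcrypt()` are assumptions made for illustration.

```php
<?php
// Split a bcrypt hash in modular crypt format into its fields.
// describeBcrypt() is a hypothetical helper name used only in this example.
function describeBcrypt(string $hash): array
{
    // Layout: $2y$ (or $2a$/$2b$/$2x$), two-digit cost, '$',
    // 22-character salt, 31-character digest (60 characters in total).
    $pattern = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z#';
    if (!preg_match($pattern, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'correct horse battery staple'; // constructed sample value
$cost = 10;                                 // the default cost mentioned in the post

// Same call as in the post. PHP picks a fresh random salt on every call.
$hashA = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
$hashB = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);

foreach ([$hashA, $hashB] as $hash) {
    $f = describeBcrypt($hash);
    printf("variant=%s cost=%d salt=%s\n", $f['variant'], $f['cost'], $f['salt']);
}

// The two hashes differ because their salts differ.
echo 'hashes differ: ', var_export($hashA !== $hashB, true), "\n";

// Verification needs only the stored string: salt and cost are read from it,
// so a system receiving these hashes does not store or guess a separate salt.
echo 'A verifies: ', var_export(password_verify($password, $hashA), true), "\n";
echo 'B verifies: ', var_export(password_verify($password, $hashB), true), "\n";
echo 'wrong password verifies: ', var_export(password_verify('wrong guess', $hashA), true), "\n";

// If the work factor is raised later, existing hashes report themselves as stale
// and can be re-hashed at the next successful login.
echo 'needs rehash at cost 12: ',
    var_export(password_needs_rehash($hashA, PASSWORD_BCRYPT, ['cost' => 12]), true), "\n";
echo 'needs rehash at cost 10: ',
    var_export(password_needs_rehash($hashA, PASSWORD_BCRYPT, ['cost' => $cost]), true), "\n";
```

bcrypt only processes the first 72 bytes of the password, so anything that pre-processes or concatenates input before hashing should keep that limit in mind.
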
  • @luke or @fc_adam

    Has FoxyCart decided to implement this feature? If so, is there a rough ETA? I need to make a decision soon about whether I want to implement this BCrypt or SHA1.

    Thanks!
  • luke FoxyCart Team
    Hey @matthall28. Thanks for following up. We looked into it, but didn't implement anything prior to the holiday season. We'll get back to you with more details when we have them.
  • No problem @luke! Thanks for the quick reply.
  • +1 for BCrypt compatibility

    Using the native PHP (5.5+) password hashing API (http://php.net/manual/en/book.password.php) or compatibility library (https://github.com/ircmaxell/password_compat) is trivial and saves new users from resorting to poor algorithms and insecure implementations. https://forum.foxycart.com/discussion/8985/customer-account-and-password-confusion makes me cringe in this regard...
  • fc_adam FoxyCart Team
    @cheesypoof,

    Thanks for adding your thoughts. It's definitely something we're looking to add as soon as we're able. I'll include your notes on our ticket.
  • +1 for BCrypt
  • brett FoxyCart Team
    Thanks @David_FC
    We definitely have this on our radar. We'll update here when we get it added and released.
  • fc_adam FoxyCart Team
    @matthall28, @cheesypoof, @David_FC,

    A quick update to let you know that bcrypt support has been added to version 2.0. Thanks for requesting this feature and for your patience while we added support.