summaryrefslogtreecommitdiff
path: root/lib/Multi/API.pm
diff options
context:
space:
mode:
authorYorhel <git@yorhel.nl>2015-11-01 10:37:56 +0100
committerYorhel <git@yorhel.nl>2015-11-01 10:38:43 +0100
commit3de8d24697511fe324cae2526eb65d6aafb5968b (patch)
treeb34f6a3b91352d9f753d9d3e3ae0e1a93acc758c /lib/Multi/API.pm
parent4b1807a58912ff0b4542063071e072ccf53fd1bd (diff)
Removed support for sha256-hashed passwords
They had to be deleted from the database at some point, otherwise we still have thousands of easily-cracked password hashes in the database. Note that I could have opted to use scrypt on top of the sha256 hashes so the passwords would remain secure without needing to reset everything, but doing that after one year of switching to scrypt is likely not worth it. Everyone who still actively uses his account has already been converted to scrypt, everyone else should just reset their password whevener they decide to come back.
Diffstat (limited to 'lib/Multi/API.pm')
-rw-r--r--lib/Multi/API.pm6
1 files changed, 1 insertions, 5 deletions
diff --git a/lib/Multi/API.pm b/lib/Multi/API.pm
index f75ea4f9..1ed62682 100644
--- a/lib/Multi/API.pm
+++ b/lib/Multi/API.pm
@@ -11,7 +11,6 @@ use Multi::Core;
use AnyEvent::Socket;
use AnyEvent::Handle;
use POE::Filter::VNDBAPI 'encode_filters';
-use Digest::SHA 'sha256';
use Encode 'encode_utf8', 'decode_utf8';
use Crypt::ScryptKDF 'scrypt_raw';;
use VNDBUtil 'normalize_query', 'norm_ip';
@@ -277,10 +276,7 @@ sub login_verify {
my $uid = $res->value(0,0);
my $accepted = 0;
- if(length $passwd == 41) { # Old sha256
- my $salt = substr $passwd, 0, 9;
- $accepted = sha256($VNDB::S{global_salt}.encode_utf8($arg->{password}).$salt) eq substr $passwd, 9;
- } elsif(length $passwd == 46) { # New scrypt
+ if(length $passwd == 46) { # scrypt
my($N, $r, $p, $salt, $hash) = unpack 'NCCa8a*', $passwd;
$accepted = $hash eq scrypt_raw($arg->{password}, $VNDB::S{scrypt_salt} . $salt, $N, $r, $p, 32);
} else {