Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+8 votes
in Q2A Core by

Issue #1: Passwords are sent in plaintext via email.

I realize that passwords are salted and hashed in the database, and the password is only sent right when they register. But it is still a security issue to send passwords via email as it's not secure. So the password should be removed from the welcome emails. Users can reset it if they forget it. See https://twitter.com/troyhunt/status/229545123913015297 for one source.

Issue #2: Passwords are hashed using SHA-1

SHA-1 is now believed to be insecure and too easy to brute-force. The current recommendation is to use bcrypt. Bonus: the salt is part of the hash you get back so you can store it in one field instead of separate password & salt fields. See http://www.php.net/manual/en/faq.passwords.php

Q2A version: 1.6.2
"Change the appropriate part in core and push it via github."

PS: I hope this phrase could become reality ;)

1 Answer

+4 votes
Thanks. I know sending passwords via email is insecure, but it's also very convenient for users. Considering what sort of application Q2A is, there's not really all that much motivation for someone to steal someone else's account. But I guess the concern is more that people share passwords across multiple services. So I think you're right and will remove the password from the welcome emails. They can still be sent when someone resets their password, but in that case it will be a randomly-generated one, so it will not be shared with any other services.

As for password hashing, the problem is using something that is available commonly across all versions of PHP and all systems. Unfortunately as far as I can tell this is not the case for bcrypt. I am open to other suggestions, though this would be a quite a delicate change, since Q2A would still need to support the old hashing scheme, and then migrate accounts across to the new hashing scheme after users log in for the first time. So suitable for a major release only.
The Laravel framework utilizes this compatibility script for bcrypt: https://github.com/ircmaxell/password_compat
But it seems that's only available to 5.3+ so unless you're going to update your version support it's a no-go.