Use SHA256 for __elgg_session
Changed md5 hash to sha256.
Who came up with the idea to explicitly use md5 for hashing? It's even referenced in the whitepaper. I don't think I need to tell why md5 is insecure.
I was a little surprised when I saw that, tbh. After all, it is a decentralized social network.
md5 is used here as it is just a very lightweight unique id for the server side session. There's not really any security issue with using md5 here as there aren't really any attack vectors such as brute force attacks that would really do anything.
Passwords are hashed with bcrypt.
Fair enough
closed