Composr mentioned in this article

#5392 (In Topic #1099)

https://www.zdnet.com/article/a-quarter-of-major-cmss-use-outdated-md5-as-the-default-password-hashing-scheme/

While the article is talking about the issue of using md5, it is cool to see Composr listed as an important piece of software :)

#5396
Right. The article, and the paper it is based on, is actually wrong.

We use bcrypt. We support md5 for legacy reasons, as we can import all kinds of password hashes from other software.

I'm going to ask for a correction.

#5398
My letter to the authors…

Hello,

I am the lead developer for Composr CMS, cited in your paper.

Composr is featured and listed as using md5 encryption, with a minimum password length of 1 character.

This is incorrect, for the following reasons:
  • Composr uses bcrypt encryption, via the password_hash/password_verify PHP functions. This is something PHP is designed to automatically upgrade as best practices change.
  • The strength of the bcrypt encryption is adjustable via a configuration option called "Cryptographic ratchet". This allows it to be adjusted based on the CPU capabilities of the server hosting the site (for example).
  • Composr can use md5 encryption for legacy accounts - this is a necessary feature as we support importing user data with old password coding schemes outside our control. MD5 encryption for new passwords cannot be selected by the Composr admin via any visible UI option.
  • The default minimum password length is 4 characters. We are now going to double this, because 4 is itself not enough, but definitely not 1!
  • We also include a password strength indicator on the registration form.

For a sanity check I have just verified the above claims by checking the code, and actual testing.

For very old versions of PHP - older than 5.5 (2013) - we do fall back to md5. Anything older than PHP 7.1 is no longer supported by the PHP developers and considered insecure.

I have reached out to ZDNet who cited your paper, to have it corrected.
Please also post a correction for your paper that is easily accessible to anyone who will read it — or have the original paper corrected wherever distributed, if possible.

I do expect and embrace revelation of actual holes in Composr - which there have been in the past on occasion. However, incorrect information about our product is a liability to us and undermines our hard work on Open Source systems. I appreciate your work trying to improve security, but it needs to be accurate.

I have seen SMF and MyBB both also have similar issues with your paper.

Regards,
Chris
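As an added illustration of the scheme described in the letter above (bcrypt via password_hash/password_verify, a configurable cost, and MD5 accepted only for imported legacy accounts), here is example PHP that is not Composr's own code. The record layout, the scheme names 'md5'/'bcrypt' and the RATCHET_COST constant are assumptions; password_hash and friends need PHP 5.5 or later.

```php
<?php
// Added example (not Composr's code): verify a stored password that may be a
// legacy MD5 hash or a bcrypt hash, and on success upgrade legacy or
// under-cost hashes to bcrypt at a configurable cost.
// Assumptions: a user record is an array with 'hash' and 'scheme' keys; the
// scheme names and RATCHET_COST are illustrative, not Composr identifiers.

declare(strict_types=1);

// bcrypt cost factor, the analogue of a configurable "ratchet" option.
// PASSWORD_BCRYPT accepts 4..31; 12 is a reasonable server default here.
const RATCHET_COST = 12;

// Hash a new password. New accounts only ever get bcrypt; MD5 is never an
// option for new passwords.
function hash_new_password(string $password, int $cost = RATCHET_COST): array {
    return [
        'scheme' => 'bcrypt',
        'hash'   => password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]),
    ];
}

// Verify $password against $record. Returns the (possibly upgraded) record on
// success, or null on failure. The caller persists the returned record.
function verify_and_upgrade(string $password, array $record, int $cost = RATCHET_COST): ?array {
    if ($record['scheme'] === 'md5') {
        // Legacy imported hash: constant-time compare, then migrate to bcrypt
        // now, since the plaintext is only available during this login.
        if (!hash_equals($record['hash'], md5($password))) {
            return null;
        }
        return hash_new_password($password, $cost);
    }

    if (!password_verify($password, $record['hash'])) {
        return null;
    }
    // bcrypt verified; rehash if the stored cost is below the current ratchet,
    // so raising the option gradually upgrades every active account.
    if (password_needs_rehash($record['hash'], PASSWORD_BCRYPT, ['cost' => $cost])) {
        return hash_new_password($password, $cost);
    }
    return $record;
}

// Constructed demo: an imported MD5 account logs in and comes out as bcrypt.
$legacy   = ['scheme' => 'md5', 'hash' => md5('correct horse')];
$upgraded = verify_and_upgrade('correct horse', $legacy);
assert($upgraded !== null && $upgraded['scheme'] === 'bcrypt');
assert(verify_and_upgrade('wrong', $legacy) === null);
assert(password_verify('correct horse', $upgraded['hash']));
```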

#5412
Updated on June 18: After the publication of this article, the developer teams from Simple Machines Forum, MyBB, and Composr told ZDNet that their CMSs have moved on to more advanced hashing schemes as opposed to the ones analyzed by the research team. All three now use bcrypt.

Composr was using bcrypt anyway, not sure about the other 2 ;)