Viewing 1 replies (of 1 total)
  • I may not be qualified to answer this, but looking at the JS code on the client side, it seems both are being used:

    var shaObj = new jsSHA(hex_md5(password)+'********************************',"ASCII");

    It looks to me as if the plaintext password is being hashed using hex_md5(), and then salted with what seems to be the session ID (the **** here…). The resulting string is then being fed to jsSHA(), which generates a unique, session-specific (salted) SHA-256 hash.

    So I’d say both are needed and the initial call to hex_md5() is just there to further harden the final hash.

    I’m not really into the details of cryptography, so that’s just me guessing.

    But maybe the developer could switch over to SHA-512? That’d be nice.
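
The construction described in the reply above, as an added example that is not part of the original post or the plugin's own code: Node's built-in `crypto` stands in for `hex_md5()` and `jsSHA`, and the server-side check is an assumption about how such a value would be verified. All function names, the password and the session IDs are constructed for illustration.

```javascript
// Added example (not the plugin's code): SHA-256(hex_md5(password) + sessionId).
const crypto = require('node:crypto');

// Stand-in for hex_md5(password): lowercase hex MD5 of the password.
function hexMd5(password) {
  return crypto.createHash('md5').update(password, 'utf8').digest('hex');
}

// Stand-in for new jsSHA(hex_md5(password) + sessionId, "ASCII") with SHA-256.
function clientResponse(password, sessionId) {
  return crypto.createHash('sha256')
    .update(hexMd5(password) + sessionId, 'ascii')
    .digest('hex');
}

// Assumed server side: recompute from a stored hex MD5 and the session ID it
// issued, then compare in constant time.
function serverVerify(storedMd5Hex, sessionId, responseHex) {
  const expected = crypto.createHash('sha256')
    .update(storedMd5Hex + sessionId, 'ascii')
    .digest();
  const got = Buffer.from(responseHex, 'hex');
  // timingSafeEqual throws on unequal lengths, so check length first.
  return got.length === expected.length && crypto.timingSafeEqual(expected, got);
}

// Constructed sample values; returns the properties the reply describes.
function demo() {
  const password = 'example-password';
  const stored = hexMd5(password);
  const sessionA = 'constructed-session-A';
  const sessionB = 'constructed-session-B';
  const a = clientResponse(password, sessionA);
  const b = clientResponse(password, sessionB);
  return {
    sessionSpecific: a !== b,                               // same password, new digest
    acceptedInOwnSession: serverVerify(stored, sessionA, a),
    rejectedInOtherSession: !serverVerify(stored, sessionB, a),
  };
}

console.log(demo());
```

Because the session ID is mixed into the SHA-256 input, a digest captured in one session does not verify in another, which is the session-specific behaviour the reply points out.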

  • The topic ‘I have a ? about this plugin.’ is closed to new replies.