Improve passwd security
A couple of things to be done to improve pfSense passwd:
- Change hash from MD5 to SHA512 or blowfish
- Start creating a salt for crypt() calls
Updated by Jim Pingle over 7 years ago
- Status changed from Feedback to Resolved
One place was missed (swapping the password for bcrypt-hash in /conf.default/config.xml); I pushed a correction for that. It's working well otherwise. Existing users are OK: when their passwords are changed, their hash is converted to bcrypt in the config and in passwd, old hashes are removed, and they can still log in to the GUI and over SSH. Looking through the repo, I can't find any other trace of the old hash, so I think we're set.
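
Because existing users keep their old hash until the password is next changed, an administrator may want to list the accounts that have not been converted yet. The following is an added example, not code from this ticket or from pfSense: it classifies the hash field of passwd-style lines by the crypt(3) prefix and reports every account that is not on bcrypt or SHA-512. The function names, the sample accounts and the hash strings are constructed placeholders.

```python
import re

# crypt(3) modular-format identifiers and the scheme each one selects.
SCHEMES = {
    "1": "md5-crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256-crypt",
    "6": "sha512-crypt",
}
# Targets named in the ticket: SHA512 or blowfish (bcrypt).
ACCEPTED = {"bcrypt", "sha512-crypt"}


def classify(hash_field):
    """Return the scheme name for one passwd hash field."""
    if hash_field == "" or hash_field.startswith(("*", "!")):
        return "locked-or-empty"          # no usable password hash
    m = re.match(r"^\$([0-9a-z]+)\$", hash_field)
    if not m:
        return "unknown"                  # e.g. traditional DES crypt
    return SCHEMES.get(m.group(1), "unknown")


def audit(passwd_text):
    """Return [(user, scheme)] for accounts not yet on an accepted scheme."""
    findings = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme = classify(fields[1])
        if scheme not in ACCEPTED and scheme != "locked-or-empty":
            findings.append((fields[0], scheme))
    return findings


# Constructed sample in master.passwd layout; the hashes are filler, not real.
SAMPLE = "\n".join([
    "admin:$2y$10$" + "a" * 53 + ":0:0::0:0:Admin:/root:/bin/sh",
    "olduser:$1$CONSTRUC$" + "b" * 22 + ":2000:65534::0:0:Old:/home/olduser:/sbin/nologin",
    "daemon:*:1:1::0:0:Owner:/root:/usr/sbin/nologin",
])

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user}: still on {scheme}, convert by changing the password")
```
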