Salted and hashed passwords

Hi there.

Is there a reason why Kirby is not working with salted passwords? Or did I miss this in the code? I like the way WordPress is working with salts; is there a possibility to implement something like this in Kirby?

Thanks in advance for your answers!

Regards,
Patrick

IIRC Kirby salts and hashes passwords using the blowfish cipher when creating and updating users with the Password class in the toolkit. The salt is randomly generated.

I’m not really sure if this answers your question.

```php
public static function hash($plaintext) {
    // Build a 22-character bcrypt salt from the alphabet ./A-Za-z0-9: the raw
    // SHA-1 of a random string is base64-encoded and '+' (not valid in a bcrypt
    // salt) is replaced by '.'; '/' is already part of the bcrypt alphabet.
    $salt = substr(str_replace('+', '.', base64_encode(sha1(str::random(), true))), 0, 22);
    // "$2a$10$" selects bcrypt with cost 2^10; crypt() embeds the salt in its output.
    return crypt($plaintext, '$2a$10$' . $salt);
}
```

Ok, thanks for copying the function. Indeed I missed this one in the code.

So, for my understanding:

$plaintext is the plain password input; it gets combined with the salt and both get hashed by the native PHP function crypt (http://php.net/manual/en/function.crypt.php).

This function will be fired when a new user is created or gets updated.

Correct?

Exactly :slight_smile: (and some more characters)

Ok, so now here comes my stupid question:

For the login process the system needs to build the same crypted code again from the plain input to compare the stored key with the login-created key. I’m a little bit confused about how the login can compare a randomized key?

If you hash a password both when it is first created and then again if it is entered for login purposes, the result will always be the same (this is called “deterministic”).

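An added example, not Kirby's own code, that makes the missing piece of both the posted hash() function and the "deterministic" answer visible: a bcrypt string stores its cost and its 22-character salt in its own prefix, so at login crypt() is called with the stored hash as the salt argument, reads the salt back out of it, and reproduces the same output. It assumes a stand-in makeSalt() in place of the toolkit's str::random(), uses PHP's corrected $2y$ identifier instead of the $2a$ in the posted code (same algorithm), and needs only stock PHP >= 7:

```php
<?php
// Added example, not Kirby's code. Shows that a bcrypt hash carries its own
// salt, so login can recompute the hash from the stored value alone.
// Needs stock PHP >= 7 (random_bytes, hash_equals, password_hash).

// Stand-in for the toolkit's str::random() (assumption about that helper):
// builds the 22-char bcrypt salt the same way the posted hash() does.
function makeSalt(): string {
    // base64 uses '+' and '/'; bcrypt's salt alphabet is ./A-Za-z0-9,
    // so '+' is rewritten to '.' while '/' is already acceptable.
    return substr(str_replace('+', '.', base64_encode(random_bytes(16))), 0, 22);
}

function hashPassword(string $plaintext): string {
    // "$2y$10$" selects bcrypt, cost 2^10. $2y$ is PHP's corrected identifier
    // (PHP >= 5.3.7) for what the posted code calls $2a$; same algorithm.
    return crypt($plaintext, '$2y$10$' . makeSalt());
}

function verifyPassword(string $plaintext, string $stored): bool {
    // The stored hash begins with "$2y$10$" + the 22-char salt. Handing the
    // whole stored hash to crypt() as the salt argument makes it read the cost
    // and salt from there, so the same salt is reused and the output is
    // deterministic. hash_equals() compares in constant time.
    return hash_equals($stored, crypt($plaintext, $stored));
}

// Pulls the salt back out of a stored hash, to make the embedding visible.
function saltOf(string $stored): string {
    return substr($stored, 7, 22);
}

function selfCheck(): void {
    $h1 = hashPassword('correct horse');
    $h2 = hashPassword('correct horse');

    // Same password, two different salts, two different 60-char hashes.
    if ($h1 === $h2 || strlen($h1) !== 60 || saltOf($h1) === saltOf($h2)) {
        throw new RuntimeException('salts are not randomised');
    }
    // Both still verify, because each hash is re-derived with its own salt.
    if (!verifyPassword('correct horse', $h1) || !verifyPassword('correct horse', $h2)) {
        throw new RuntimeException('verification failed');
    }
    if (verifyPassword('correct horsf', $h1) || verifyPassword('', $h1)) {
        throw new RuntimeException('wrong password accepted');
    }
    // password_hash()/password_verify() produce and consume the same format,
    // so either API can check a hash made by the other.
    $h3 = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
    if (!password_verify('correct horse', $h1) || !verifyPassword('correct horse', $h3)) {
        throw new RuntimeException('formats are not interchangeable');
    }
    echo "ok: salt for h1 is ", saltOf($h1), ", for h2 is ", saltOf($h2), "\n";
}

selfCheck();
```

Run it with `php example.php`; the two salts it prints differ on every run while both hashes verify. The point for the login question: nothing random is regenerated at login. The random part was chosen once, at hashing time, and travels inside the stored string, which is why a stored hash must never be compared against a freshly salted one.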

Alright, thanks for your answers! (and patience :slight_smile:)
