Do not use unsalted SHA1 for password hash

[iggyvolz]

futurebb/app_resources/includes/functions.php

Line 163 in f91c238

return sha1($text);

At very least use sha256. Better yet - use the password_hash and password_verify functions (PHP 5.5+, all the supported versions of PHP, back to 5.3.7 with https://github.com/ircmaxell/password_compat) which computes a salt for you and puts it in the database.

[iggyvolz]

login_hash will also need to be expanded to fit the full sha256 hash - var_char(100) instead of var_char(50) worked for me.

[jacob-g]

The issue with this is that it will require converting passwords in all existing versions (it's not impossible, but if I'm going to do that, I want to make sure I choose the best algorithm).

[iggyvolz]

If you're converting from sha1 to sha256 you could do:

if(strlen($dbhash) === 40)
{
    // Check with sha1
    // Write sha256 hash to DB
}
else
{
    // Normal sha256 check
}

Or if you're moving to password_hash, then check if the first char is a $ (then it is a blowcrypt signature).

At this point, blowcrypt (the default password_hash algorithm) is the best thing out there as far as PHP goes. Argon2 is another algorithm that's more secure (i.e. validates the password beyond 40 characters), but that won't be in PHP until 7.2 (this fall). In any event - it's impossible to "convert" the passwords with an upgrade operation short of just cracking the passwords and then re-hashing them. You would have to do it at runtime as the user logs in - or the simpler (yet less user-friendly) way is to just invalidate all sha1 passwords and force them to reset their password.