contao/core

Remove support for deprecated user password hashes

ausi opened this issue · 2 comments

ausi commented

We should remove support for sha1 passwords in

// Handle old sha1() passwords with an optional salt
if (preg_match('/^[a-f0-9]{40}(:[a-f0-9]{23})?$/', $this->password))
{
list($strPassword, $strSalt) = explode(':', $this->password);
$blnAuthenticated = ($strPassword === sha1($strSalt . \Input::postUnsafeRaw('password')));
}

If someone gets read access to the database, they could brute-force the password of a backend user who still has a sha1 password hash. With that password they could then take over the server.

Removing support shouldn't be a problem, as it only affects users who haven't logged in for a very long time.

I have created a PR for Contao 4.6 here: contao/core-bundle#1602

Fixed in d11a21b.
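To make the risk concrete, here is an added example written for this page; it is not Contao's code and uses a constructed in-memory user array rather than Contao's real user table. It reuses the legacy regex and sha1 check from the snippet above, measures how many offline guesses per second a salted sha1 hash permits compared with a bcrypt hash produced by password_hash(), runs a tiny dictionary attack against the legacy hash, and shows the usual migration path: verify the legacy hash once on a successful login, then immediately rehash with password_hash() so the weak value leaves the database.

```php
<?php
declare(strict_types=1);

// Constructed sample users (not Contao's schema): one legacy sha1 hash with
// a 23-hex-char salt, matching the regex in the issue, and one bcrypt hash.
$legacySalt = substr(bin2hex(random_bytes(12)), 0, 23);
$users = [
    'alice' => sha1($legacySalt . 'hunter2') . ':' . $legacySalt,
    'bob'   => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
// Dummy hash so a login attempt for an unknown user costs as much as a wrong password.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function isLegacySha1Hash(string $stored): bool
{
    // Same pattern as the Contao snippet quoted in the issue.
    return preg_match('/^[a-f0-9]{40}(:[a-f0-9]{23})?$/', $stored) === 1;
}

function verifyLegacySha1(string $stored, string $password): bool
{
    // Salt is optional; array_pad avoids the undefined-offset notice list() would raise.
    [$hash, $salt] = array_pad(explode(':', $stored, 2), 2, '');
    // hash_equals() instead of === so comparison time does not leak a matching prefix.
    return hash_equals($hash, sha1($salt . $password));
}

/** Returns true on success and upgrades a legacy or outdated hash in place. */
function authenticate(array &$users, string $username, string $password, string $dummyHash): bool
{
    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);
        return false;
    }
    $stored = $users[$username];
    if (isLegacySha1Hash($stored)) {
        if (!verifyLegacySha1($stored, $password)) {
            return false;
        }
        // Rehash on login: the only moment the plaintext is available to upgrade the hash.
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Offline attacker with a database dump: guesses per second against each format.
function guessesPerSecond(callable $check, string $stored, int $n): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $n; $i++) {
        $check($stored, 'guess' . $i);
    }
    return $n / ((hrtime(true) - $start) / 1e9);
}

printf("sha1+salt: %.0f guesses/s\n",
    guessesPerSecond('verifyLegacySha1', $users['alice'], 200000));
printf("bcrypt:    %.0f guesses/s\n",
    guessesPerSecond(fn(string $h, string $p) => password_verify($p, $h), $users['bob'], 20));

// Dictionary attack on the legacy hash with a constructed wordlist.
foreach (['123456', 'password', 'hunter2', 'letmein'] as $candidate) {
    if (verifyLegacySha1($users['alice'], $candidate)) {
        echo "alice's legacy password recovered: {$candidate}\n";
    }
}

// A normal login upgrades the hash; the legacy form is gone afterwards.
var_dump(authenticate($users, 'alice', 'hunter2', $dummyHash)); // true
var_dump(isLegacySha1Hash($users['alice']));                    // false
var_dump(authenticate($users, 'alice', 'wrong', $dummyHash));   // false
```

The throughput gap is the whole argument for the removal: the salt in the legacy format only defeats precomputed tables, while the single sha1 round still lets an attacker test millions of candidates per second per core from a dump, whereas bcrypt's work factor keeps that in the tens or hundreds. Rehash-on-login only helps users who actually log in, which is exactly why the issue treats hashes that never get upgraded as dead weight worth dropping.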