Proposal:
mirror into the coding standards this standard of using only Drupal's hash helper functions when a hash is needed:
https://www.drupal.org/docs/7/security/writing-secure-code-0/use-of-hash... →
The older functions are not significantly faster and offer less collision resistance, which is a key element of hash function quality. If there are (atypical and uncommon) cases where code actually needs a shorter hash string, it is better to truncate a sha-2 hash instead of using one of the deprecated functions:
http://crypto.stackexchange.com/questions/9435/is-truncating-a-sha512-ha...
compared to using sha-1, "truncating one of the SHA-2 functions to 160 bits is around 2^20 times stronger when it comes to collision resistance."
Note that 160 bits means taking 27 characters of the base64 encoded output. The absolute minimum substring length used should be 21 chars (126 bits) of base 64 output. Any use of a substring should be clearly justified in code comments.
Basically - it should be a coding standards violation and flagged automatically if people are using a different method to hash values.
related current core patch: #2569119: Use Crypt::hashBase64(), not hash('crc32b') or sha1 for placeholder tokens →
Prior coding standard issue for Core that's too meandering: #2268875: [Policy, no patch] Using md5()/sha1()/crc32b in Drupal code →
Needs work
Coding Standards
Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Removing assignment since this hasn't been worked on for over 2 years.
There has been no work here in 8 years, usually indicative of no interest in a change.
If there is interest then complete the issue summary thanks. Otherwise this issue may be closed after 3 months.