  • Josh
    SilverStripe Developer
    65 Posts

    Setting Security to use sha1 but no salt.

    Hey,

    I'm trying to migrate a site from a CMS that uses straight SHA1 encryption - but can't get my SS site to encrypt in SHA1 only.

    I have set the following lines in sapphire/_config.php

    Security::encrypt_passwords(true);
    Security::set_password_encryption_algorithm('sha1', false);

    and also set the current values in Security.php

    protected static $encryptPasswords = true;
    protected static $encryptionAlgorithm = 'sha1';
    protected static $useSalt = false;

    However, the site is not using straight SHA1. The salt column in the db is now NULL, but it's still a strange encryption that won't match the old user passwords, which are all sha1.

    SS 2.2.1

    Any ideas where I'm going wrong?

    Cheers,
    Josh

  • Sam
    Administrator
    679 Posts

    Re: Setting Security to use sha1 but no salt.

    The encrypted password is then packed into a base 36 number (0-9 then A-Z). I wouldn't have necessarily built it this way, but it's difficult to change now without breaking everyone's sites.

    // Convert the base of the hexadecimal password to 36 to make it shorter
    // In that way we can store also a SHA256 encrypted password in just 64
    // letters.
    $password = substr(base_convert($password, 16, 36), 0, 64);

    Perhaps we could add additional encryption types to the Password encryption column, like sha1-unpacked, which would skip this procedure? Using a string-suffix like this would require fewer API changes than adding a 3rd encryption parameter.
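
The packing step quoted in the reply above, applied to a legacy hash, as an added example that is not part of the original thread or SilverStripe's own code. `pack_hash()` and `migrate_legacy_hash()` are hypothetical names, the password is constructed sample data, and the example assumes that the no-salt configuration from the first post hashes the bare password with SHA-1 before packing.

```php
<?php
// Added example, not SilverStripe code. pack_hash() wraps the single
// line quoted from the thread; everything else is illustrative.

// Hypothetical helper: the base-36 packing step quoted in the thread.
function pack_hash(string $hexDigest): string
{
    return substr(base_convert($hexDigest, 16, 36), 0, 64);
}

// Hypothetical helper: convert one value exported from the legacy CMS.
// Assumes the legacy column holds 40 hex characters of unsalted SHA-1.
function migrate_legacy_hash(string $legacyHex): string
{
    $legacyHex = strtolower(trim($legacyHex));
    if (!preg_match('/^[0-9a-f]{40}$/', $legacyHex)) {
        throw new InvalidArgumentException('not a 40-char SHA-1 hex digest');
    }
    return pack_hash($legacyHex);
}

// Constructed sample data standing in for one legacy user.
$plaintext = 'constructed-sample-password';
$legacyHex = sha1($plaintext);              // what the old CMS stored

$stored = migrate_legacy_hash($legacyHex);  // value for the new Password column

// What the site would compute at login under the stated assumption (no salt).
$atLogin = pack_hash(sha1($plaintext));

printf("legacy sha1 : %s (%d chars)\n", $legacyHex, strlen($legacyHex));
printf("packed      : %s (%d chars)\n", $stored, strlen($stored));
printf("login match : %s\n", hash_equals($stored, $atLogin) ? 'yes' : 'no');

// base_convert() works through a float for numbers this large, so the
// low-order bits of the digest are lost: converting the packed value
// back to base 16 does not reproduce the original hex digest.
$roundTrip = base_convert($stored, 36, 16);
printf("round trip  : %s\n", $roundTrip);
printf("reversible  : %s\n", $roundTrip === $legacyHex ? 'yes' : 'no');
```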

  • Josh
    SilverStripe Developer
    65 Posts

    Re: Setting Security to use sha1 but no salt.

    Thanks for pointing that out Sam, my problem is now solved!
