  • Markus
    Google Summer of Code Hacker
    152 Posts

    Added support for password encryption

    Hi guys!

    Here is something that you can test out.

    I've added support for encrypted passwords now since the clear text storage is not really secure since a lot of people use the same password everywhere.
    So now you can specify in sapphire/_config.php if you want to encrypt your passwords or not (Security::encrypt_passwords(bool)). Additionally you can specify the algorithm you want to use and also if a salt should be used to increase the security even more (Security::set_password_encryption_algorithm(algorithm, use_salt)).

    To make it easy to migrate to encrypted passwords, there is now also a new action that you can call, namely yoursite.com/security/encryptallpasswords. You will need to authenticate yourself with an administrator account and then all clear text passwords will be encrypted according to your settings.

    If you decide to change the settings later it's no problem. All new user accounts will be created according to the new settings and the old ones will be updated to those settings when you assign them a new password (otherwise they will continue to use the old settings).

    All of these changes are in r38608.

    As a consequence of this new feature, the "I've lost my password" feature doesn't work anymore since it now sends out the encrypted (and maybe salted) password which can't be used to log in.

    I'm aware of that problem and will fix it soon.

    Could you all please test the new code and report if everything works fine for you or if there are any problems?

    Thanks a lot and have a great weekend
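
The scheme described in the post above, as an added example that is not part of the thread and is not SilverStripe's code: each record stores its own algorithm and salt, so accounts created under earlier settings keep verifying after the configuration changes, and a migration pass converts only clear-text records. All function names and the sample records are hypothetical.

```php
<?php
// Added illustration, not SilverStripe code; all names are hypothetical.

// Hash, algorithm and salt are stored per record, so a later settings
// change does not break accounts created under the old settings.
function make_record(string $password, ?string $algorithm, bool $useSalt): array
{
    if ($algorithm === null) {   // encryption switched off: clear text
        return ['password' => $password, 'algorithm' => 'none', 'salt' => null];
    }
    $salt = $useSalt ? bin2hex(random_bytes(16)) : null;
    return [
        'password'  => hash($algorithm, $password . (string) $salt),
        'algorithm' => $algorithm,
        'salt'      => $salt,
    ];
}

// Verify with the settings stored in the record, not the current config.
function check_password(array $record, string $candidate): bool
{
    $expected = $record['algorithm'] === 'none'
        ? $candidate
        : hash($record['algorithm'], $candidate . (string) $record['salt']);
    return hash_equals($record['password'], $expected);
}

// Migration pass: only clear-text records are converted. A record that is
// already hashed keeps its settings until the user is given a new password,
// because the original password cannot be recovered from the hash.
function encrypt_all_passwords(array $members, string $algorithm, bool $useSalt): array
{
    foreach ($members as $i => $m) {
        if ($m['algorithm'] === 'none') {
            $members[$i] = make_record($m['password'], $algorithm, $useSalt);
        }
    }
    return $members;
}

// Constructed sample records.
$members = [
    make_record('correct horse', null, false),   // legacy clear text
    make_record('tr0ub4dor', 'sha1', false),     // created under old settings
];
$members = encrypt_all_passwords($members, 'sha256', true);

foreach ($members as $m) {
    printf("%s salted=%s\n", $m['algorithm'], $m['salt'] === null ? 'no' : 'yes');
}
var_dump(check_password($members[0], 'correct horse'));
var_dump(check_password($members[1], 'tr0ub4dor'));
```

The one-way hash is also why a lost-password mail can no longer contain the original password. A current PHP deployment would use `password_hash()` and `password_verify()`, which embed the algorithm and salt in the stored string; `hash()` is used here only to mirror the algorithm-plus-salt settings the post describes.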

  • Sigurd
    Forum Moderator
    628 Posts

    Re: Added support for password encryption

    It's hit Friday night so haven't checked out the code, but the stuff you've talked about is great...

  • qhoxie
    Google Summer of Code Hacker
    39 Posts

    Re: Added support for password encryption

    Nicely done Markus, the implementation seems solid.

  • poseydozer
    Community Member
    8 Posts

    Re: Added support for password encryption

    Hi, I tried this out by doing the following:

    1. downloaded latest version of Silverstripe (2.0.2).
    2. followed the directions from http://doc.silverstripe.com/doku.php?id=upgrading to upgrade
    3. added Security::encrypt_passwords(true) to sapphire/_config.php
    4. received this error: "Fatal error: Call to undefined method Security::encrypt_passwords() in /opt/lampp/htdocs/mita/sapphire/_config.php on line 2" when I went to my site. (I renamed the Silverstripe directory to the name of my site, mita).

    What am I doing wrong?

    Thanks for your help.

  • elijahlofgren
    Google Summer of Code Hacker
    222 Posts

    Re: Added support for password encryption

    Hi poseydozer,

    The "password encryption" code is currently only available on the unreleased gsoc branch.

    @Sigurd, do you think that the GSoC branch could be made available somewhere for people who wanted to play with it?

  • Markus
    Google Summer of Code Hacker
    152 Posts

    Re: Added support for password encryption

    That's true and since the whole security stuff changed quite a lot I cannot give you just some patches...

    Good idea Elijah.. what about just creating daily builds of it? Shouldn't be much work and could help a lot to test our code.

  • dio5
    Community Member
    501 Posts

    Re: Added support for password encryption

    How far is this implemented by now.. maybe part of the official 2.1.0 release?
    Does it work in the rc-version yet?
    I tried using:

    Security::encrypt_passwords(true);
    Security::set_password_encryption_algorithm("MD5", false);

    But got a
    Fatal error: Call to undefined method Security::encrypt_passwords()

    Maybe I'm passing the wrong variables.. I think it would be handy if the doku for security (http://doc.silverstripe.com/doku.php?id=security) and config (http://doc.silverstripe.com/doku.php?id=config.php&do=diff1190346214) said which arguments to pass, i.e. boolean, string... for the not so bright people like me
