-
Added support for password encryption

13 July 2007 at 9:04pm Last edited: 13 July 2007 9:30pm
Hi guys!
Here is something that you can test out.
I've added support for encrypted passwords now since the clear text storage is not really secure since a lot of people use the same password everywhere.
So now you can specify in sapphire/_config.php if you want to encrypt your passwords or not (Security::encrypt_passwords(bool)). Additionally you can specify the algorithm you want to use and also if a salt should be used to increase the security even more (Security::set_password_encryption_algorithm(algorithm, use_salt)).
To make it easy to migrate to encrypted passwords, there is now also a new action that you can call, namely yoursite.com/security/encryptallpasswords. You will need to authenticate yourself with an administrator account and then all clear text passwords will be encrypted according to your settings.
If you decide to change the settings later it's no problem. All new user accounts will be created according to the new settings and the old ones will be updated to those settings when you assign them a new password (otherwise they will continue to use the old settings).
All of these changes are in r38608.
As a consequence of this new feature, the "I've lost my password" feature doesn't work anymore since it now sends out the encrypted (and maybe salted) password which can't be used to log in.
I'm aware of that problem and will fix it soon.
Could you all please test the new code and report if everything works fine for you or if there are any problems?
Thanks a lot and have a great weekend
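The behaviour described in the post above (per-account settings, one-off migration of clear-text passwords, upgrade on password change), sketched as an added example that is not part of the original post and not SilverStripe's code. All function names, field names and sample accounts are hypothetical.

```php
<?php
// Added illustration; names are hypothetical, not SilverStripe's API.

// Site-wide settings, the analogue of the two config calls in the post.
$settings = ['algorithm' => 'sha256', 'use_salt' => true];

// Hash a password under the given settings; returns the fields stored per member.
function encrypt_password(string $password, array $settings): array {
    $salt = $settings['use_salt'] ? bin2hex(random_bytes(16)) : '';
    return [
        'algorithm' => $settings['algorithm'],
        'salt'      => $salt,
        'password'  => hash($settings['algorithm'], $salt . $password),
    ];
}

// Verify using the settings stored WITH the record, not the current site
// settings, so accounts created under older settings keep working.
function check_password(array $member, string $attempt): bool {
    if ($member['algorithm'] === 'none') {            // legacy clear-text record
        return hash_equals($member['password'], $attempt);
    }
    $expected = hash($member['algorithm'], $member['salt'] . $attempt);
    return hash_equals($member['password'], $expected); // constant-time compare
}

// One-off migration: convert every clear-text record, leave hashed ones alone.
function encrypt_all_passwords(array $members, array $settings): array {
    foreach ($members as $name => $m) {
        if ($m['algorithm'] === 'none') {
            $members[$name] = encrypt_password($m['password'], $settings);
        }
    }
    return $members;
}

// Constructed sample data: one clear-text account, one hashed under older settings.
$members = [
    'alice' => ['algorithm' => 'none', 'salt' => '', 'password' => 'correct horse'],
    'bob'   => ['algorithm' => 'sha1', 'salt' => '', 'password' => hash('sha1', 'hunter2')],
];
$members = encrypt_all_passwords($members, $settings);

var_dump(check_password($members['alice'], 'correct horse')); // migrated record still verifies
var_dump(check_password($members['bob'], 'hunter2'));         // old-settings record still verifies
$members['bob'] = encrypt_password('new-pass', $settings);    // password change adopts current settings
var_dump($members['bob']['algorithm']);
```

Because only the hash is stored, a lost-password flow has nothing usable to mail out, which is the breakage the post mentions. PHP's built-in password_hash() and password_verify() keep the algorithm and salt inside the hash string, and password_needs_rehash() covers the upgrade step, so new code would normally use those rather than a bare hash().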
-
Re: Added support for password encryption

13 July 2007 at 9:38pm
It's hit Friday night so haven't checked out the code, but the stuff you've talked about is great...
-
Re: Added support for password encryption

14 July 2007 at 5:38am
Nicely done Markus, the implementation seems solid
-
Re: Added support for password encryption

29 July 2007 at 2:47am
Hi, I tried this out by doing the following:
1. downloaded latest version of Silverstripe (2.0.2).
2. followed the directions from http://doc.silverstripe.com/doku.php?id=upgrading to upgrade
3. added Security::encrypt_passwords(true) to sapphire/_config.php
4. received this error: "Fatal error: Call to undefined method Security::encrypt_passwords() in /opt/lampp/htdocs/mita/sapphire/_config.php on line 2" when I went to my site. (I renamed the Silverstripe directory to the name of my site, mita).
What am I doing wrong?
Thanks for your help.
-
Re: Added support for password encryption

29 July 2007 at 4:45pm
Hi poseydozer,
The "password encryption" code is currently only available on the unreleased gsoc branch.
@Sigurd, do you think that the GSoC branch could be made available somewhere for people who wanted to play with it?
-
Re: Added support for password encryption

30 July 2007 at 8:52pm
That's true and since the whole security stuff changed quite a lot I cannot give you just some patches...
Good idea Elijah.. what about just creating daily builds of it? Shouldn't be much work and could help a lot to test our code.
-
Re: Added support for password encryption

22 September 2007 at 11:19am Last edited: 22 September 2007 8:53pm
How far is this implemented by now.. maybe part of the official 2.1.0 release?
Does it work in the rc-version yet?
I tried using:
Security::encrypt_passwords(true);
Security::set_password_encryption_algorithm("MD5", false);
But got a
Fatal error: Call to undefined method Security::encrypt_passwords()
Maybe I'm passing the wrong variables.. I think it would be handy if the doku for security (http://doc.silverstripe.com/doku.php?id=security) and config (http://doc.silverstripe.com/doku.php?id=config.php&do=diff1190346214) said which arguments to pass, i.e. boolean, string... for the not so bright people like me





