Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Archive /

Our old forums are still available as a read-only archive.

Moderators: martimiz, Sean, biapar, Willr, Ingo, simon_w

Added support for password encryption


Reply


7 Posts   2407 Views

Avatar
Markus

Google Summer of Code Hacker, 152 Posts

13 July 2007 at 9:04pm

Edited: 13/07/2007 9:30pm

Hi guys!

Something here is something that you can test out..

I've added support for encrypted passwords now since the clear text storage is not really secure since a lot of people use the same password everywhere.
So now you can specify in sapphire/_config.php if you want to encrypt your passwords or not (Security::encrypt_passwords(bool)). Additionally you can specify the algorithm you want to use and also if a salt should be used to increase the security even more (Security::set_password_encryption_algorithm(algorithm, use_salt)).

To make it easy to migrate to encrypted passwords, there is now also a new action that you can call, namely yoursite.com/security/encryptallpasswords. You will need to authenticate yourself with an administrator account and then all clear text passwords will be encrypted according to your settings.

If you decide to change the settings later it's no problem. All new user accounts will be created according to the new settings and the old ones will be updated to those settings when you assign them a new password (otherwise they will continue to use the old settings).

All of these changes are in r38608.

As a consequence of this new features, the "I've lost my password" feature doesn't work anymore since it now sends out the encrypted (and maybe salted) password which can't be used to login.

I'm aware of that problem and will [url=http://support.silverstripe.com/gsoc/ticket/48]fix it soon[/url].

Could you all please test the new code and report if everything works fine for you or if there are any problems?

Thanks a lot and have a great weekend

Avatar
Sigurd

Forum Moderator, 628 Posts

13 July 2007 at 9:38pm

Its hit Friday night so haven't checked out the code, but the stuff you've talked about is great...

Avatar
qhoxie

Google Summer of Code Hacker, 39 Posts

14 July 2007 at 5:38am

nicely done markus, the implementation seems solid

Avatar
poseydozer

Community Member, 8 Posts

29 July 2007 at 2:47am

Hi, I tried this out by doing the following:

1. downloaded latest version of Silverstripe (2.0.2).
2. followed the directions from http://doc.silverstripe.com/doku.php?id=upgrading to upgrade
3. added Security::encrypt_passwords(true) to sapphire/_config.php
4. received this error: "Fatal error: Call to undefined method Security::encrypt_passwords() in /opt/lampp/htdocs/mita/sapphire/_config.php on line 2" when I went to my site. (I renamed the Silverstripe directory to the name of my site, mita).

What am I doing wrong?

Thanks for your help.

Avatar
elijahlofgren

Google Summer of Code Hacker, 222 Posts

29 July 2007 at 4:45pm

Hi poseydozer,

The "password encryption" code is currently only available on the unreleased gsoc branch.

@Sigurd, do you think that the GSoC branch could be made available somewhere for people who wanted to play with it?

Avatar
Markus

Google Summer of Code Hacker, 152 Posts

30 July 2007 at 8:52pm

That's true and since the whole security stuff changed quite a lot I cannot give you just some patches...

Good idea Elijah.. what about just creating daily builds of it? Shouldn't be much work and could help a lot to test our code.

Avatar
dio5

Community Member, 501 Posts

22 September 2007 at 11:19am

Edited: 22/09/2007 8:53pm

How far is this implemented by now.. maybe part of the official 2.1.0 release?
Does it work in the rc-version yet?
I tried using:

Security::encrypt_passwords(true);
Security::set_password_encryption_algorithm("MD5", false);

But got a
Fatal error: Call to undefined method Security::encrypt_passwords()

Maybe I'm passing the wrong variables.. I think it would be handy if the doku for security (http://doc.silverstripe.com/doku.php?id=security) and config (http://doc.silverstripe.com/doku.php?id=config.php&do=diff1190346214)
said which of arguments to pass i e, boolean, string... for the not so bright people like me :-)