Moderators: martimiz, Sean, biapar, Willr, Ingo, simon_w

Added support for password encryption


7 Posts   2361 Views


13 July 2007 at 9:04pm (Last edited: 13 July 2007 9:30pm), Google Summer of Code Hacker, 152 Posts

Hi guys!

Here is something that you can test out.

I've added support for encrypted passwords now since the clear text storage is not really secure since a lot of people use the same password everywhere.
So now you can specify in sapphire/_config.php if you want to encrypt your passwords or not (Security::encrypt_passwords(bool)). Additionally you can specify the algorithm you want to use and also if a salt should be used to increase the security even more (Security::set_password_encryption_algorithm(algorithm, use_salt)).

To make it easy to migrate to encrypted passwords, there is now also a new action that you can call, namely You will need to authenticate yourself with an administrator account and then all clear text passwords will be encrypted according to your settings.

If you decide to change the settings later it's no problem. All new user accounts will be created according to the new settings and the old ones will be updated to those settings when you assign them a new password (otherwise they will continue to use the old settings).

All of these changes are in r38608.

As a consequence of this new feature, the "I've lost my password" feature doesn't work anymore since it now sends out the encrypted (and maybe salted) password which can't be used to login.

I'm aware of that problem and will fix it soon.

Could you all please test the new code and report if everything works fine for you or if there are any problems?

Thanks a lot and have a great weekend
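
Added example, not part of the original post and not SilverStripe's code: the behaviour described in the post above (clear-text rows migrated once, each account verified with the settings it was stored under, and moved to the current settings only on a password change), written in PHP. The function and field names, the `none` marker for clear-text rows, and the password-then-salt concatenation are assumptions.

```php
<?php
// Added illustration; all function and field names here are hypothetical.

// Build a stored record; a random salt is generated only when requested.
function make_record(string $password, string $algorithm, bool $useSalt): array {
    $salt = $useSalt ? bin2hex(random_bytes(16)) : '';
    return [
        'algorithm' => $algorithm,
        'salt'      => $salt,
        'password'  => hash($algorithm, $password . $salt), // order is an assumption
    ];
}

// Verify with the settings stored on the record, so accounts created under
// older settings keep working after the site-wide settings change.
function check_password(array $record, string $candidate): bool {
    if ($record['algorithm'] === 'none') { // clear-text row, not yet migrated
        return hash_equals($record['password'], $candidate);
    }
    $digest = hash($record['algorithm'], $candidate . $record['salt']);
    return hash_equals($record['password'], $digest);
}

// One-off migration: convert clear-text rows only, leave hashed rows untouched.
function migrate(array $members, string $algorithm, bool $useSalt): array {
    foreach ($members as $name => $record) {
        if ($record['algorithm'] === 'none') {
            $members[$name] = make_record($record['password'], $algorithm, $useSalt);
        }
    }
    return $members;
}

// Constructed sample data: one clear-text row, one row hashed under old settings.
$members = [
    'alice' => ['algorithm' => 'none', 'salt' => '', 'password' => 'correct horse'],
    'bob'   => make_record('hunter2', 'md5', false),
];
$members = migrate($members, 'sha256', true);

foreach (['alice' => 'correct horse', 'bob' => 'hunter2'] as $name => $pw) {
    printf("%s: %s, login %s\n", $name, $members[$name]['algorithm'],
        check_password($members[$name], $pw) ? 'ok' : 'FAILED');
}

// A password change re-creates the record under the current settings.
$members['bob'] = make_record('new password', 'sha256', true);
printf("bob after change: %s\n", $members['bob']['algorithm']);
```

Plain digests are used here to mirror the algorithm setting discussed in the thread; in current PHP, `password_hash()` and `password_verify()` generate the salt and record the algorithm in the stored string themselves.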


13 July 2007 at 9:38pm Forum Moderator, 628 Posts

It's hit Friday night so haven't checked out the code, but the stuff you've talked about is great...


14 July 2007 at 5:38am Google Summer of Code Hacker, 39 Posts

Nicely done Markus, the implementation seems solid.


29 July 2007 at 2:47am Community Member, 8 Posts

Hi, I tried this out by doing the following:

1. downloaded latest version of Silverstripe (2.0.2).
2. followed the directions from to upgrade
3. added Security::encrypt_passwords(true) to sapphire/_config.php
4. received this error: "Fatal error: Call to undefined method Security::encrypt_passwords() in /opt/lampp/htdocs/mita/sapphire/_config.php on line 2" when I went to my site. (I renamed the Silverstripe directory to the name of my site, mita).

What am I doing wrong?

Thanks for your help.


29 July 2007 at 4:45pm Google Summer of Code Hacker, 222 Posts

Hi poseydozer,

The "password encryption" code is currently only available on the unreleased gsoc branch.

@Sigurd, do you think that the GSoC branch could be made available somewhere for people who wanted to play with it?


30 July 2007 at 8:52pm Google Summer of Code Hacker, 152 Posts

That's true and since the whole security stuff changed quite a lot I cannot give you just some patches...

Good idea Elijah.. what about just creating daily builds of it? Shouldn't be much work and could help a lot to test our code.


22 September 2007 at 11:19am (Last edited: 22 September 2007 8:53pm), Community Member, 501 Posts

How far is this implemented by now.. maybe part of the official 2.1.0 release?
Does it work in the rc-version yet?
I tried using:

Security::set_password_encryption_algorithm("MD5", false);

But got a
Fatal error: Call to undefined method Security::encrypt_passwords()

Maybe I'm passing the wrong variables.. I think it would be handy if the docs for security ( and config (
said which arguments to pass, i.e. boolean, string... for the not so bright people like me :-)