
Added support for password encryption


7 Posts   2361 Views

Markus

13 July 2007 at 9:04pm (Last edited: 13 July 2007 9:30pm), Google Summer of Code Hacker, 152 Posts

Hi guys!

Here is something that you can test out..

I've added support for encrypted passwords now since the clear text storage is not really secure since a lot of people use the same password everywhere.
So now you can specify in sapphire/_config.php if you want to encrypt your passwords or not (Security::encrypt_passwords(bool)). Additionally you can specify the algorithm you want to use and also if a salt should be used to increase the security even more (Security::set_password_encryption_algorithm(algorithm, use_salt)).

To make it easy to migrate to encrypted passwords, there is now also a new action that you can call, namely yoursite.com/security/encryptallpasswords. You will need to authenticate yourself with an administrator account and then all clear text passwords will be encrypted according to your settings.

If you decide to change the settings later it's no problem. All new user accounts will be created according to the new settings and the old ones will be updated to those settings when you assign them a new password (otherwise they will continue to use the old settings).

All of these changes are in r38608.

As a consequence of these new features, the "I've lost my password" feature doesn't work anymore since it now sends out the encrypted (and maybe salted) password which can't be used to login.

I'm aware of that problem and will fix it soon (http://support.silverstripe.com/gsoc/ticket/48).

Could you all please test the new code and report if everything works fine for you or if there are any problems?

Thanks a lot and have a great weekend
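The storage scheme this post describes, written out as an added illustration in Python (it is not SilverStripe's own code, which is PHP): a site-wide setting chooses the algorithm and whether a salt is used, every account records the algorithm and salt it was stored with, login verifies against the account's own recorded settings, a password change re-stores under the current settings, and a one-off migration hashes every account still held in clear text. The function names, the algorithm labels, the per-account `algorithm`/`salt` fields and the PBKDF2 default are assumptions made for this example; the thread's own examples are `MD5` with and without a salt, which the code also accepts so that the migration path can be shown.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Site-wide settings, standing in for the two config calls described in the
# post (encrypt_passwords and set_password_encryption_algorithm).
# These names are assumptions for this example, not SilverStripe's API.
ENCRYPT_PASSWORDS = True
CURRENT_ALGORITHM = "pbkdf2_sha256"
CURRENT_USE_SALT = True
PBKDF2_ITERATIONS = 100_000  # fixed for the example


@dataclass
class Member:
    name: str
    password: str                    # clear text, or the hash once algorithm is set
    algorithm: Optional[str] = None  # None means the account is still clear text
    salt: Optional[str] = None       # None means no salt was used


def hash_password(plain: str, algorithm: str, salt: Optional[str]) -> str:
    """Hash under a named algorithm. The plain digests prepend the salt, if any;
    PBKDF2 always needs one (assumed labels, not SilverStripe's)."""
    salted = ((salt or "") + plain).encode("utf-8")
    if algorithm == "md5":
        return hashlib.md5(salted).hexdigest()
    if algorithm == "sha1":
        return hashlib.sha1(salted).hexdigest()
    if algorithm == "pbkdf2_sha256":
        if salt is None:
            raise ValueError("pbkdf2_sha256 requires a salt")
        return hashlib.pbkdf2_hmac(
            "sha256", plain.encode("utf-8"), salt.encode("utf-8"), PBKDF2_ITERATIONS
        ).hex()
    raise ValueError(f"unknown algorithm {algorithm!r}")


def set_password(member: Member, plain: str) -> None:
    """Store a password under the *current* settings. Used for new accounts and
    for password changes, which is how old accounts pick up new settings."""
    if not ENCRYPT_PASSWORDS:
        member.algorithm, member.salt, member.password = None, None, plain
        return
    salt = secrets.token_hex(8) if CURRENT_USE_SALT else None
    member.algorithm = CURRENT_ALGORITHM
    member.salt = salt
    member.password = hash_password(plain, CURRENT_ALGORITHM, salt)


def check_password(member: Member, plain: str) -> bool:
    """Verify against whatever settings this account was stored with, so
    accounts hashed under earlier settings keep working until they are rehashed."""
    if member.algorithm is None:
        expected = plain
    else:
        expected = hash_password(plain, member.algorithm, member.salt)
    # Constant-time comparison on the encoded strings.
    return hmac.compare_digest(member.password.encode("utf-8"), expected.encode("utf-8"))


def encrypt_all_passwords(members: List[Member]) -> int:
    """One-off migration like the post's encryptallpasswords action: hash every
    account still in clear text under the current settings. Returns the count."""
    migrated = 0
    for m in members:
        if m.algorithm is None:
            set_password(m, m.password)
            migrated += 1
    return migrated
```

Because the stored value is a one-way hash, nothing in this scheme can hand the original password back, which is exactly why the "I've lost my password" mail breaks; the usual replacement is to mail a random, short-lived reset token and let the user set a new password through `set_password`. Unsalted MD5 (the thread's `"MD5", false` example) is accepted here only so that existing accounts can be verified and then upgraded on their next password change; new accounts should get the salted, slow default.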

Sigurd

13 July 2007 at 9:38pm Forum Moderator, 628 Posts

It's hit Friday night so I haven't checked out the code, but the stuff you've talked about is great...

qhoxie

14 July 2007 at 5:38am Google Summer of Code Hacker, 39 Posts

Nicely done Markus, the implementation seems solid.

poseydozer

29 July 2007 at 2:47am Community Member, 8 Posts

Hi, I tried this out by doing the following:

1. downloaded latest version of Silverstripe (2.0.2).
2. followed the directions from http://doc.silverstripe.com/doku.php?id=upgrading to upgrade
3. added Security::encrypt_passwords(true) to sapphire/_config.php
4. received this error: "Fatal error: Call to undefined method Security::encrypt_passwords() in /opt/lampp/htdocs/mita/sapphire/_config.php on line 2" when I went to my site. (I renamed the Silverstripe directory to the name of my site, mita).

What am I doing wrong?

Thanks for your help.

elijahlofgren

29 July 2007 at 4:45pm Google Summer of Code Hacker, 222 Posts

Hi poseydozer,

The "password encryption" code is currently only available on the unreleased gsoc branch.

@Sigurd, do you think that the GSoC branch could be made available somewhere for people who wanted to play with it?

Markus

30 July 2007 at 8:52pm Google Summer of Code Hacker, 152 Posts

That's true and since the whole security stuff changed quite a lot I cannot give you just some patches...

Good idea Elijah.. what about just creating daily builds of it? Shouldn't be much work and could help a lot to test our code.

dio5

22 September 2007 at 11:19am (Last edited: 22 September 2007 8:53pm), Community Member, 501 Posts

How far is this implemented by now.. maybe part of the official 2.1.0 release?
Does it work in the rc-version yet?
I tried using:

Security::encrypt_passwords(true);
Security::set_password_encryption_algorithm("MD5", false);

But got a
Fatal error: Call to undefined method Security::encrypt_passwords()

Maybe I'm passing the wrong variables.. I think it would be handy if the doku for security (http://doc.silverstripe.com/doku.php?id=security) and config (http://doc.silverstripe.com/doku.php?id=config.php&do=diff1190346214)
said which arguments to pass, i.e. boolean, string... for the not-so-bright people like me :-)