Installing SilverStripe

  • Kenny
    Community Member
    5 Posts

    Admin password encryption

    How exactly is the admin password encrypted?

    I've created a registration form that encrypts the password with sha1. When I create a password 'password' in the table, it comes out as 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, and as the admin password is also 'password' I'd expect it to be the same, but it's not - it's fy17qyc55m0o8kc0oks00os8w0gk44w, but the PasswordEncryption field for admin says sha1 anyway.

    Can someone tell me how to get the encryption in my form working the same way as the admin record?

  • Willr
    Forum Moderator
    5497 Posts

    Re: Admin password encryption

    Passwords are hashed and salted so they are unique. If you just hashed passwords you could pretty easily start guessing passwords.

    The only way to get them the same is if they use the same salt and like I said, that's a security flaw. You can however override the default behaviour by setting Security::set_password_encryption_algorithm('sha1', false); in your config - false turning off salting.

  • Kenny
    Community Member
    5 Posts

    Re: Admin password encryption

    How would I go about generating a new salt and applying it to a new password in order to make it unique?

    Is that even what I have to do?

  • Willr
    Forum Moderator
    5497 Posts

    Re: Admin password encryption

    You can hash and salt a given string by running it through Security::encrypt_password("password"); and that will return you an array - the password, the salt and the hash. I think however, if you are making a registration form and you are saving the data into the Password field of the Member object it will do the salting and hashing for you.
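    The salted scheme described in this reply, as an added illustration (not SilverStripe's own code): a plain sha1() of 'password' is a fixed value, while a per-user salt makes two records for the same password differ, and a login check has to re-derive the hash with the stored salt. The exact concatenation order and output encoding are assumptions for illustration and may differ from SilverStripe's encryptor.

```php
<?php
// Added example, not SilverStripe code. Assumes PHP 7+ (random_bytes, hash_equals).
// Scheme (assumption): sha1 over password . salt, hex encoded.

function makeSalt(int $bytes = 16): string
{
    // Per-user salt from a CSPRNG; stored next to the hash, never reused.
    return bin2hex(random_bytes($bytes));
}

function hashPassword(string $password, string $salt): string
{
    return sha1($password . $salt);
}

// The three things a Member-style record keeps: hash, salt, algorithm name.
function createRecord(string $password): array
{
    $salt = makeSalt();
    return [
        'Password'           => hashPassword($password, $salt),
        'Salt'               => $salt,
        'PasswordEncryption' => 'sha1',
    ];
}

// Login check: re-derive with the stored salt and compare in constant time.
function verifyPassword(array $record, string $candidate): bool
{
    $computed = hashPassword($candidate, $record['Salt']);
    return hash_equals($record['Password'], $computed);
}

// Unsalted sha1 is deterministic: this is the value quoted in the question.
$unsalted = sha1('password');
echo "unsalted matches question: ",
    ($unsalted === '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8') ? "yes" : "no", "\n";

// Two sign-ups with the same password get different stored hashes,
// and neither equals the unsalted value.
$a = createRecord('password');
$b = createRecord('password');
echo "salted hashes identical:   ", ($a['Password'] === $b['Password']) ? "yes" : "no", "\n";
echo "salted equals unsalted:    ", ($a['Password'] === $unsalted) ? "yes" : "no", "\n";

// Verification only succeeds with the right password and the right salt.
echo "verify correct password:   ", verifyPassword($a, 'password') ? "ok" : "fail", "\n";
echo "verify wrong password:     ", verifyPassword($a, 'Password') ? "ok" : "fail", "\n";
```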

  • Kenny
    Community Member
    5 Posts

    Re: Admin password encryption

    Is there a way I can change the way the Login form checks what is typed in the password field with the database? Like, a .php file in Security or something? So that it only changes the password to sha1 with no salt and just checks it that way?

    Sure, there'll be a security issue there, but this is just for experimental purposes anyway.

  • Ingo
    Forum Moderator
    801 Posts

    Re: Admin password encryption

  • congii
    Community Member
    6 Posts

    Re: Admin password encryption

    Hi Willr. I don't know if this is appropriate to add my issue here. This is an old post but I seem to have an issue with auto-hashing & salting on the front-end. I am currently using SS 3.0.3 and I have a custom sign-up form on the front-end and I am using ConfirmedPasswordField, but it seems the saved password is different since all the users I sign up using the front-end form can't log in.

    Could the auto hash / salt be causing some issues?

    Front-end Form

    // fields added to the sign-up form (fragment of the FieldList)
    , new TextField('Email', 'Email *')
    , new TextField('JobTitle', 'Job Title *')
    , new ConfirmedPasswordField('Password', 'New Password')

    Form Action

    // reject duplicate email addresses before creating a Member
    if ($member = DataObject::get_one("Member", "`Email` = '" . Convert::raw2sql($data['Email']) . "'")) {
        $form->addErrorMessage('Email', "Sorry, that email address already exists. Please choose another.", 'bad');
        Session::set("FormInfo.StaffManagementPage_StaffManagementPage.data", $data);
        return $this->redirectBack();
    }

    // Member::onBeforeWrite() hashes and salts the Password field when the record is written
    $member = new Member();
    $form->saveInto($member);
    $member->write();

    // add the new member to the 'staff' group if it exists
    if ($userGroup = DataObject::get_one('Group', "Code = 'staff'")) {
        Group::addToGroupByName($member, 'staff');
    }
