
Admin password ends up in clear in firstname!!!




8 Posts   6533 Views

Bob the Butcher

Community Member, 2 Posts

15 February 2009 at 5:42am

Just done my first (test) install of SS - everything went well, but upon the first login as admin, I noticed that the name under which the system shows me as "Logged in" is in fact my admin password!

Checking my profile confirms that:

Under Firstname, we find my admin password (in clear!),
Surname is correct,
Email is correct,
Password is... empty!

Now I understand that this being my first foray into SS territory, perhaps you guys have developed a slightly different philosophy when it comes to security, user credentials and all - but this doesn't exactly make me feel secure.

I guess my hunt for the best CMS for the job I'm producing at the moment goes on... Next up, ModX I suppose.

Willr

Forum Moderator, 5523 Posts

15 February 2009 at 6:41pm

Are you sure you just didn't enter your password in the incorrect field? If you refill your actual details and then save and reload the page, does it reset back to showing the password as the first name?

All passwords should be encrypted and salted while stored, so you shouldn't be seeing them at all unless it's saving it into the incorrect field.

Bob the Butcher

Community Member, 2 Posts

16 February 2009 at 8:15pm

Edited: 16/02/2009 8:15pm

Are you sure you just didn't enter your password in the incorrect field?

That's quite unlikely, for one thing because I'm a bit hypersensitive when it comes to this kind of thing. I use high security passwords, and when you're the kind of freak that bothers with weird combinations of uppercase, lowercase, numbers and extended chars, you do pay attention to what you type, and where you type it.

Besides, that still wouldn't explain why I can log in with the correct credentials (i.e. email / password in the right fields) but find the password displayed as username once I'm logged in, and my password field empty when I browse to the Security > security groups > Administrator page...

In any case, assuming as you do that I'd been careless enough to fill my intended password in the username field (and my username... somewhere else I suppose?), then there is no way I could log in by using that password in the password field (and my username in the right field), huh?

Willr

Forum Moderator, 5523 Posts

16 February 2009 at 8:37pm

What version of SilverStripe are you using? If you have access to phpmyadmin could you open up that to your database and view the 'Member' table. What does that look like? Is the password field a hashcode or just plain text?

NickNameKnack

Community Member, 7 Posts

23 February 2009 at 6:11pm

Edited: 23/02/2009 6:51pm

Hey Willr

You seem to understand SilverStripe pretty well. I tried to log onto the CMS section and it tells me the email and password do not match, yet I know they do and it even said so on the successful install page. It had all my details correct. What am I doing wrong?

This is the page I got to and it said this (I starred out the email and password for security reasons):

*******************************************

Installation Successful

Congratulations, SilverStripe has been successfully installed.

You can start editing your site's content by opening the CMS.
Email: ********
Password: ********

For security reasons you should now delete the install files, unless you are planning to reinstall later. The web server also now only needs write access to the "assets" folder, you can remove write access from all other folders.

Click here to delete the install files.

*******************************************
AND I DID CLICK TO DELETE THE INSTALL FILES. and it auto took me to this page:
*******************************************

Deleted installation files

Installation files have been successfully deleted.

You can start editing your site's content by opening the CMS.
Email: ******
Password: ******

*******************************************
I clicked on the CMS link and it said this:
*******************************************

Log in

Enter your email address and password to access the CMS.

Email
Password

Remember me next time?

I've lost my password

*******************************************

so I logged in using my details and it said this:

*******************************************

Log in

That doesn't seem to be the right e-mail address or password. Please try again.
Email
Password

Remember me next time?

I've lost my password

*******************************************
EVEN THOUGH IT WAS THE RIGHT EMAIL AND PASSWORD AND IT EVEN TOLD ME IT HAD THE RIGHT LOG IN AND PASSWORD ON THE FIRST PAGE THAT SAID SUCCESSFUL INSTALL - please help. It took a lot to get the thing to go this far and I am losing my patience but really wanted to use this software.
*******************************************

Willr

Forum Moderator, 5523 Posts

23 February 2009 at 7:23pm

OK, something may be up with your database. A couple of things you can try:

1) Hard code a member -
in your mysite/_config.php file add this line - Security::setDefaultAdmin('test','somepassword');
Now you should be able to at least login to the cms with 'test' and 'somepassword' as the email / password combination

2) Remove all members and rebuild -
This method requires phpMyAdmin or MySQL access. Most hosts should have phpMyAdmin, so you need to open that up. Select the database you installed with and click the 'Members' table. Then hit the 'Empty' link in the top right of the page. This removes all the current incorrect members. Now, to re-add the member, you need to go to http://www.yoursite.com/db/build?username=test&password=somepassword and it should display 'Added Admin Account' in green; then you should be able to log in.

Hope that helps.
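
The db/build URL in the post above carries the new admin password in the query string, so the web server's access log records it along with the request. The following Python script is an added example, not part of the original thread or of SilverStripe's code: it finds such entries and redacts the password value. It assumes the Apache/Nginx "combined" log format, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Query parameters that carry a credential in the db/build URL from the post above.
SENSITIVE = {"password"}

# Combined log format: the request line is the first quoted field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_line(line):
    """Return (line, leaked); leaked is True when a password was found and masked."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, False
    parts = urlsplit(m.group("target"))
    if not parts.path.rstrip("/").endswith("/db/build"):
        return line, False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in SENSITIVE for k, _ in pairs):
        return line, False
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    target = parts._replace(query=urlencode(cleaned)).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):], True

def scan(lines):
    """Redact every line; return (redacted_lines, numbers_of_leaking_lines)."""
    out, hits = [], []
    for n, line in enumerate(lines, 1):
        new, leaked = redact_line(line)
        out.append(new)
        if leaked:
            hits.append(n)
    return out, hits

# Constructed sample access-log lines (not taken from the thread).
SAMPLE = [
    '192.0.2.10 - - [23/Feb/2009:19:30:01 +1300] "GET /db/build?username=test&password=somepassword HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [23/Feb/2009:19:30:09 +1300] "GET /Security/login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [23/Feb/2009:19:31:12 +1300] "GET /db/build?flush=1 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    redacted, hits = scan(SAMPLE)
    print("lines with a password in the URL:", hits)
    print("\n".join(redacted))
```

Any line number it reports means the password used in that request should be treated as exposed to anyone who can read the log, and changed from inside the CMS.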

dgw

Community Member, 3 Posts

31 March 2009 at 11:13am

Edited: 31/03/2009 11:22am

Never mind: just ran through the install process again. Pretty sure I entered the admin password twice. That would put it in the "Administrator first name:" field.

##################

I'm seeing this too. I just installed version 2.3.1 in "Empty template, ready to begin the tutorial" mode. I logged into the CMS and there in the bottom right is my password. "Logged in as my-password" Plain text for all the world to see.

screen shot of the CMS page:
http://www-personal.ksu.edu/~david/silverstripe-cms.jpg

This is the starter 'admin' account. I haven't set any other properties for that account. everything is right out of the box.

I'm running this in OS X with MAMP 1.7.2. Apache 2.2.11, php 5.2.6.

David White

GrumGrim

Community Member, 1 Post

7 October 2009 at 6:09pm

I tried going to http://www.yoursite.com/db/build?username=test&password=somepassword
without doing anything else, and it works fine.

Thx, Willr