md5 encryption for the user_password md5 encryption for the user_password
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

md5 encryption for the user_password

Started by jbo, September 06, 2004, 04:26:13 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

jbo

Firstly I want to say your gallery is very nice! The functions are very comfortable.
But when we installed your Gallery Version 1.31 (new updated to 1.32), one thing has been confused us. All the passwords are saving without any encyption in the Database.
Is that YOUR additional feature for your application? ;-)
In my mind it's not so good that the admins are able to see the passwords of all our users.
It would be better, if a md5-encryption would safe it correctly in the database.
Do you know, if these "feature" is comming out in the next version?
Or can someone help us to include it by ourselves?

mfg JBO & the constructors

skybax

There is a hack available for md5 passwords - check the mod board. I'm not sure when it's coming out in a stable release but I'm sure the idea will be thrown around sometime soon if it hasn't already.

-T  8)
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww.skybax.com%2FhotImage%2Fpost_footer.gif&hash=338b65c57a59f0b06311094e697c87794e43d945)
Don't contact me for support over PM or email unless I requested you to do so. Instead: post on the proper board.

Casper

there has been a lot of discussion on this, and I think it will be in 1.4.

I think that the worry about admins being able to see the password is stupid anyway, seeing as the admin has full access to everything, and even on an application with encrypted passwords, can easily get them if he/she wanted, if that application has a password recovery system.


It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

Tarique Sani

Oasis had raised a valid point - many people use the same password for several different things - so while I may not be averse to the CPG admin seeing my albums I would definitely not like him to snoop on my GMail / Paypal account / etc etc

I agree that having one password is also almost just as stupid - but then this world was designed so that the stupid could thrive as well and I am not going to dispute the almighty ;)
SANIsoft PHP applications for E Biz

kegobeer

Quotebut then this world was designed so that the stupid could thrive as well and I am not going to dispute the almighty

Here here!  :D
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Joachim Müller

I agree with jbo: not even the admin should be able to see user's passwords, even though he has means to reset it to any given value. This is best practise for every app, starting from any modern OS. As MD5 is a one way alg, you can't even recover lost passwords, only create new ones. This is a mantra I keep repeating to tell people on my job: there are no means for the admin to see your password. Should and will be the same in coppermine, Omni is currently working on this feature, the harder bit being to figure out a way for coppermine users who upgrade from previous versions that didn't come with pw encryption. However, this is not an actual security threat imo, just a way a modern app should behave like.

Joachim

skybax

Well it's good to hear others second my opinion - oh wait ... you guys have been saying it longer than I have?  ::)

-T
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww.skybax.com%2FhotImage%2Fpost_footer.gif&hash=338b65c57a59f0b06311094e697c87794e43d945)
Don't contact me for support over PM or email unless I requested you to do so. Instead: post on the proper board.

nextech2

What about SHA1 encryption?  I'm using ExpressionEngine (by pMachine) and it no longer uses MD5, it uses SHA1.  I don't mind the clear text passwords, but I'd hate for Coppermine to switch to MD5 (and not be able to use it with ExpressionEngine's SHA1).  Could it be a selection in the admin control panel so Administrators can setup Coppermine to leave users passwords as clear text, encrypt passwords with MD5, or encrypt passwords with SHA1?

Just so there are options...

         Thanks,


Casper

That appears to be the way we are going, making it admin settable, but with the understanding that once md5 is used, you cannot go back without all users losing their password.

Having said that, if it your intention to bridge the 2 apps, it would not matter anyway, as once bridged, coppermine uses the forum user management.
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

seros

I would prefer a md5 encryption too. More safe for the users. optional?

Joachim Müller

Quote from: seros on September 21, 2004, 08:47:06 PM
I would prefer a md5 encryption too. More safe for the users. optional?
Did you actually read this thread? MD5 encryption is available as a mod, do a search and apply it if you want to. What exactly is your question?

Joachim

Viper007Bond

Just another vote for seeing this in the official build. :)


paulaerison

Quote from: Casper on September 10, 2004, 01:23:05 PM
That appears to be the way we are going, making it admin settable, but with the understanding that once md5 is used, you cannot go back without all users losing their password.

Having said that, if it your intention to bridge the 2 apps, it would not matter anyway, as once bridged, coppermine uses the forum user management.

switch (check_pass($pass)) {
case !denied:
   print("access denied. Bad un/pw");
case !granted:
   print("access granted, welcome.");
case !md5:
   print("md5 encrypted password detected. MD5 is turned off... please change your password");
   changepass();
}

public function check_pass($pass) {
 if ($db_pass == $pass) {return !granted}
 else {if ($db_pass == md5($pass)) {return !md5 }
       else {return !denied}
 }
}


pseudocode logic rules the template world.