Config of encrypted passwords

[casNuy]

Scanned the forum but did not find any clues so.............
When configuring Coppermine, i see no option to disable/enable password encryption. This is also not asked when installing/updating Coppermine.
Can both be added to the final release ?

Cas

[Nibbler]

There's an option in config to enable md5 passwords on upgraded galleries, new installs use md5 passwords by default.

[casNuy]

Thanks, nevertheless will the option become available on new installs plus an option within the config ?

Cas

[donnoman]

No, the default schema on a new installs enables MD5 passwords from the get go.

The option to switch to MD5 on a gallery upgrade is a roach motel.  It will be shown on an install thats currently unencrypted, when they select yes. The db gets updated, and there's no road backwards, so the option to unset "enable encrypted passwords" is no longer shown.

There had been a discussion amongst the devs of should we force md5 encryption on upgrade. That idea was discarded because it might affect bridging or custom code.  Most of the devs felt that leaving the default as unencrypted passwords unnecessarily left Coppermine's security weaker than it should be at no real benifit to most Coppermine users so we agreed to only force it on new installs.

[casNuy]

The config setting will stay or will this also be removed in the future ?
pnCPG functions nicely with unencrypted passwords so for my module, i would like the people to have that set to 0.
Would save me a lot of work and ould enable me to deliver an integration moduler without changing core php code.

Cas

[donnoman]

For un-upgraded galleries I don't see the option going away. However new installs will cause you problems.

I would suggest the best long term plan is to develop a bridge to be used for pnCPG (it could be just as easy as making it a copy of the coppermine bridge, and forcing the password to always be unencrypted.)