clear text passwords

Started by mlh555, November 19, 2003, 05:10:19 AM

mlh555

Is there a quick mod that I can make to allow clear text passwords in the db? Yes, I know there are some security issues; however, it's OK for what I am doing.

thanks

Tarique Sani

CPG 1.2 stores passwords as clear text
SANIsoft PHP applications for E Biz

Oasis

hmmm... I've heard of people asking for encryption of the passwords... But never for saving users' passwords as clear text passwords...  :?

No offense to you, but I hate the thought that some people, especially system admins, would WANT users' passwords saved as clear text. Unless of course, you tell them specifically that their passwords are stored as text. What difference would it be from hacking their computers to get their password? (Well, if you're a matchstick man, you could say you didn't take it, they gave it to you... But not everyone is Nicolas Cage) It is exactly these people that force me to have to memorize one password for everything I sign up for.

Of course, you could be doing this for totally legitimate purposes, and if so, I apologize. But if you are doing this so that you can take a peek at their passwords......... Shame shame shame...

Now.... when will password encryption be implemented?
Before more wannabe hackers try to use coppermine as a password harvesting system..
Pixnet Gallery: http://www.pixnet.net
iNSiGNiA Weblog: http://www.jayliu.org

Oasis

hey mlh555

What I just said was just my own feelings concerning this topic and it was in no way intended to be an attack on your request, OK..  :)
I know you work for an ISP and you most probably do have a legitimate use for this. It's just I really feel coppermine should have password encryption... The clear text passwords have been bugging me for quite a while... This concerns legal liability... that is, if something bad should happen to the passwords (hackers, for example)   :(

Anyway... I just wanted to add this because I just reread my last post and I thought you might find it offensive....... so.... this has nothing to do with you personally OK  :)
Pixnet Gallery: http://www.pixnet.net
iNSiGNiA Weblog: http://www.jayliu.org

Tarique Sani

Actually, password encryption is trivial to implement - but tell me, how does it help?

If someone has hacked into your MySQL db you are dead anyways and if someone is sniffing the network for passwords then the passwords will still be transmitted to the server in clear text from the browser unless you are using SSL or client side MD5 encryption which cannot be depended upon...

IMO encrypted passwords in DB as a measure of security of an application is grossly overrated :D
SANIsoft PHP applications for E Biz

mlh555

I need clear text passwords so that I can implement RADIUS with coppermine, so that my users only have to know one password, and only change that one password in one place. Using RADIUS with this allows me to have my users use the same password for email, coppermine, RAS, and other services.

Thanks for the help guys you all are great

Oasis

tarique, I know that the encryption probably won't make it absolutely secure, but at least more secure than it is now... If it is hacked, well yes, I'm dead anyway... But afaik md5 is irreversible right now (at least without massive computing power), so at least my users' passwords are safe.

Also, some people could go around offering free photo albums to people, just to get their passwords. The average computer user still uses one password for everything, and with that password you could do a lot of things... I wouldn't really want to sign up for something, if I knew that the administrator could see my password...
Pixnet Gallery: http://www.pixnet.net
iNSiGNiA Weblog: http://www.jayliu.org

Tarique Sani

Quote from: "oasis": if I knew that the administrator could see my password...
Well, this is the strongest argument in favour of md5 encryption that I have heard till now...

I can now tell you that md5 encryption is in the works ;)
SANIsoft PHP applications for E Biz

Joachim Müller

Security vs. ease of use: the next version will have an "I forgot my password" feature, which will of course only work if passwords are stored in clear text. I know this can be changed, so that if the user clicks on "I forgot my password" a new random password is generated and sent to his email address, but I can already hear the users complaining...
Don't get me wrong, I like the thought of having encrypted passwords (just because it gives a more secure feeling to the users of coppermine and because it was requested), I was just going to remind you that there are two sides to this feature - not everybody will like it; so there will be users complaining and asking to have a mod for clear text passwords... :wink:

GauGau

Tarique Sani

Quote from: "gaugau": "I forgot my password" a new random password is being generated and sent to his email address
The better way is to reset the password to a random one, set a flag of lost password and send a link which allows a new password to be set...

Like I said, I have half of the code done - debating whether to commit - also this BREAKS the backward compatibility TOTALLY unless the upgrade script also has a loop to faithfully convert every cleartext password to md5.

Say Oasis - you feel up to doing the changes?
SANIsoft PHP applications for E Biz