on 31/03/2005 7:44 Jeffrey MRA said the following:

I don’t like the clear text passwords in the database from a security point; I hope we all can agree on that.

I don't want be be a pain, but I hope that encrypted password will be an option, a default option maybe, but still an option.
Because having them not encrypted has proven us very usefull in several cases.

I suggest adding this function to the Security class; it is the same function used in the Portals Starter Kit which was the successor to IBS Portal.

public static string Encrypt(string cleanString)


    Byte[] ClearBytes = new UnicodeEncoding().GetBytes(cleanString);

    Byte[] HashedBytes = ((HashAlgorithm) CryptoConfig.CreateFromName("MD5")).ComputeHash(ClearBytes);

    return BitConverter.ToString(HashedBytes);

} // end Encrypt

Call to

string EncrptedPassword = Encrypt(password);

Such that password will return something like D0-09-1A-0F-E2-B2-09-34-D8-8B-46-06-84-F5-97-89

Much more secure since you can’t take this value and log on with it since it is the original password that produces this hash code.

Somewhere in the code

Add it to the code

app_code -> Security -> Security.cs

Around line 441

public static string SignOn(string user, string password, bool persistent, string redirectPage)

which in turn gets executed in

app_code -> Rainbow -> DAL -> UsersDb.cs

Around line 994

public Rainbow.Security.User Login(int uid, string password, int portalID)

I do realize that we’ll have to do a reset password instead of a “I forgot my password” option.


Jeff Flesher