RE: [Rainbowportal-devel] Security
From: Jonathan M. <jon...@jo...> - 2005-03-31 18:06:41
In 16. Portal and/or Site admin will be able to choose what level of security he wants to use on passwords for their sites. The system will default to some sort of undecided hash however.

_____

From: rai...@li... [mailto:rai...@li...] On Behalf Of HolonCom Support
Sent: Thursday, March 31, 2005 6:53 PM
To: rai...@li...
Subject: Re: [Rainbowportal-devel] Security

on 31/03/2005 7:44 Jeffrey MRA said the following:

I don't like the clear text passwords in the database from a security point; I hope we all can agree on that.

I don't want to be a pain, but I hope that encrypted password will be an option, a default option maybe, but still an option. Because having them not encrypted has proven us very useful in several cases.

Rob

I suggest adding this function to the Security class; it is the same function used in the Portals Starter Kit which was the successor to IBS Portal.

    // Requires: using System; using System.Security.Cryptography; using System.Text;
    // Returns the MD5 hash of the UTF-16 bytes of cleanString as dash-separated hex.
    public static string Encrypt(string cleanString)
    {
        Byte[] ClearBytes = new UnicodeEncoding().GetBytes(cleanString);
        Byte[] HashedBytes = ((HashAlgorithm) CryptoConfig.CreateFromName("MD5")).ComputeHash(ClearBytes);
        return BitConverter.ToString(HashedBytes);
    } // end Encrypt

Call to

    string EncryptedPassword = Encrypt(password);

Such that password will return something like

    D0-09-1A-0F-E2-B2-09-34-D8-8B-46-06-84-F5-97-89

Much more secure since you can't take this value and log on with it since it is the original password that produces this hash code.

Somewhere in the code

Add it to the code

app_code -> Security -> Security.cs
Around line 441
    public static string SignOn(string user, string password, bool persistent, string redirectPage)

which in turn gets executed in

app_code -> Rainbow -> DAL -> UsersDb.cs
Around line 994
    public Rainbow.Security.User Login(int uid, string password, int portalID)

I do realize that we'll have to do a reset password instead of a "I forgot my password" option.

Jeff Flesher
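
Added example, not part of the thread or of the Rainbow code base: one way the selectable password "level" mentioned in the reply could be stored, with the unsalted MD5 format from the message beside a salted PBKDF2 record, and a login-time check that accepts either. `PasswordStore`, its member names, the record layout and the parameters are assumptions, and the `Rfc2898DeriveBytes` constructor used needs .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example, not Rainbow code: PasswordStore and its members are hypothetical names.
public static class PasswordStore
{
    const int SaltBytes = 16, KeyBytes = 32, Iterations = 100000; // assumed parameters
    // Format proposed in the thread: unsalted MD5 of the UTF-16 bytes, dash-separated hex.
    public static string LegacyMd5(string password)
    {
        using (MD5 md5 = MD5.Create())
            return BitConverter.ToString(md5.ComputeHash(new UnicodeEncoding().GetBytes(password)));
    }
    // Salted record "pbkdf2$<iterations>$<salt>$<key>"; a fresh random salt per password.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return "pbkdf2$" + Iterations + "$" + Convert.ToBase64String(salt) + "$"
             + Convert.ToBase64String(Derive(password, salt, Iterations));
    }
    // Login-time check: the record's prefix selects the scheme, so both levels can coexist.
    public static bool Verify(string password, string stored)
    {
        string[] p = stored.Split('$');
        if (p.Length == 4 && p[0] == "pbkdf2")
            return FixedTimeEquals(Derive(password, Convert.FromBase64String(p[2]), int.Parse(p[1])),
                                   Convert.FromBase64String(p[3]));
        return FixedTimeEquals(Encoding.ASCII.GetBytes(LegacyMd5(password)), Encoding.ASCII.GetBytes(stored));
    }
    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(KeyBytes);
    }
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main() // constructed sample password, not real data
    {
        string a = Hash("constructed-sample"), b = Hash("constructed-sample");
        Console.WriteLine(LegacyMd5("constructed-sample") == LegacyMd5("constructed-sample"));
        Console.WriteLine(a != b && Verify("constructed-sample", a) && Verify("constructed-sample", b));
        Console.WriteLine(Verify("wrong", a));
    }
}
```

The first line printed compares two unsalted MD5 records for the same password, the second compares two salted records for it; the per-password salt is what makes equal passwords stop producing equal database values.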