RE: [Rainbowportal-devel] Security

[Jonathan M. <jon...@jo...>]

In 16.

Portal and or Site admin will be able to choose what level of security he
wants to use on passwords for their sites.

The system will default to some sort of undecided hash howver.

 

  _____  

From: rai...@li...
[mailto:rai...@li...] On Behalf Of
HolonCom Support
Sent: Thursday, March 31, 2005 6:53 PM
To: rai...@li...
Subject: Re: [Rainbowportal-devel] Security

 


on 31/03/2005 7:44 Jeffrey MRA said the following: 

I don't like the clear text passwords in the database from a security point;
I hope we all can agree on that.

I don't want be be a pain, but I hope that encrypted password will be an
option, a default option maybe, but still an option.
Because having them not encrypted has proven us very usefull in several
cases.
Rob




I suggest adding this function to the Security class; it is the same
function used in the Portals Starter Kit which was the successor to IBS
Portal. 

public static string Encrypt(string cleanString)

{

    Byte[] ClearBytes = new UnicodeEncoding().GetBytes(cleanString);

    Byte[] HashedBytes = ((HashAlgorithm)
CryptoConfig.CreateFromName("MD5")).ComputeHash(ClearBytes);

    return BitConverter.ToString(HashedBytes);

} // end Encrypt

Call to

string EncrptedPassword = Encrypt(password);

Such that password will return something like
D0-09-1A-0F-E2-B2-09-34-D8-8B-46-06-84-F5-97-89

Much more secure since you can't take this value and log on with it since it
is the original password that produces this hash code. 

Somewhere in the code

Add it to the code

app_code -> Security -> Security.cs

Around line 441

public static string SignOn(string user, string password, bool persistent,
string redirectPage)

which in turn gets executed in

app_code -> Rainbow -> DAL -> UsersDb.cs

Around line 994

public Rainbow.Security.User Login(int uid, string password, int portalID) 

I do realize that we'll have to do a reset password instead of a "I forgot
my password" option.

 

Jeff Flesher