Clear text offers
1) password reminders
2) Less security = more performance
The more you hash and secure things, the slower they will be… however this is not such a worry for just logins.
And instead of a password reminder you can offer a “Generate new password” feature.
The problem with just implementing this into 1.5... it's not so straightforward, you need to fix data for existing passwords as well.
[mailto:email@example.com] On Behalf Of Jeffrey MRA
Sent: Thursday, March 31, 2005 8:31 PM
Subject: RE: [Rainbowportal-devel] Security
I agree that this should be added as an option; I would suggest putting an entry in the Web.Config file.
I would like to know what advantages there are in a clear text database for passwords?
The only one I can think of is sending a user a forgotten password; which in itself is a bad idea from a security point.
In beta testing I can see this; that’s the one reason I agree to make it an option; the other being I don’t want to force anyone into using a feature they don’t need or want.
I look at this from a damage control security stance; anyone with admin rights (not to mention hackers) can use the Database tool to run a query against the user database and list all the passwords for all the portals; then in turn use these user names and passwords to log in and change content in a very malicious way if they wanted; and the changes would reflect the end user's log on info that was stolen; even though the IP address wouldn’t; this is of little consequence on a corporate web site and could be a major embarrassment at least and a financial disaster or worse.
I understand that 1.6 will have a better security solution; this was just a hack to hold us over.
on 31/03/2005 7:44 Jeffrey MRA said the following:
I don’t like the clear text passwords in the database from a security point; I hope we all can agree on that.
I don't want to be a pain, but I hope that encrypted passwords will be an option, a default option maybe, but still an option.
Because having them not encrypted has proven very useful to us in several cases.
I suggest adding this function to the Security class; it is the same function used in the Portals Starter Kit which was the successor to IBS Portal.
using System;
using System.Security.Cryptography;
using System.Text;

    // Hashes the clear-text password with MD5 over its UTF-16 bytes
    public static string Encrypt(string cleanString)
    {
        Byte[] ClearBytes = new UnicodeEncoding().GetBytes(cleanString);
        Byte[] HashedBytes = ((HashAlgorithm) CryptoConfig.CreateFromName("MD5")).ComputeHash(ClearBytes);
        return BitConverter.ToString(HashedBytes); // "D0-09-1A-..." form
    } // end Encrypt

    string EncryptedPassword = Encrypt(password);
Such that the password will return something like D0-09-1A-0F-E2-B2-09-34-D8-8B-46-06-84-F5-97-89
Much more secure since you can’t take this value and log on with it, since it is the original password that produces this hash code.
Somewhere in the code
Add it to the code
app_code -> Security -> Security.cs
Around line 441
public static string SignOn(string user, string password, bool persistent, string redirectPage)
which in turn gets executed in
app_code -> Rainbow -> DAL -> UsersDb.cs
Around line 994
public Rainbow.Security.User Login(int uid, string password, int portalID)
I do realize that we’ll have to do a reset password instead of an “I forgot my password” option.
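As an added example (not Rainbow's own code), here is how the Login side of the change above fits together with the "fix data for existing passwords" concern from the earlier reply: the stored column is never decoded, the submitted password is re-hashed and compared, and a row that still holds clear text is upgraded to a hash the first time its owner logs in. The class and method names (PasswordStore, Verify, VerifyAndUpgrade) are assumed, not Rainbow's.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of the Rainbow code base. Uses the same MD5 transform
// as the Encrypt() posted in the thread so the stored values are interchangeable.
// (For 1.6 a salted, iterated hash such as Rfc2898DeriveBytes would be the
// stronger choice; MD5 is kept here only to match the thread.)
public static class PasswordStore
{
    public static string Hash(string cleartext)
    {
        byte[] clearBytes = new UnicodeEncoding().GetBytes(cleartext);
        using (MD5 md5 = MD5.Create())
        {
            return BitConverter.ToString(md5.ComputeHash(clearBytes));
        }
    }

    // Compare two strings without an early exit on the first differing byte,
    // so the comparison itself does not leak how much of the value matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null) return false;
        byte[] x = Encoding.Unicode.GetBytes(a);
        byte[] y = Encoding.Unicode.GetBytes(b);
        if (x.Length != y.Length) return false;
        int diff = 0;
        for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }

    // What Login() should do: hash what the user typed and compare with the column.
    public static bool Verify(string submitted, string stored)
    {
        return FixedTimeEquals(Hash(submitted), stored);
    }

    // Lazy migration for rows written by 1.5 before the change: if the hash
    // check fails but the column still equals the clear-text password, accept
    // this login once and rewrite the column as a hash. Returns the value the
    // caller should persist (unchanged when no upgrade happened).
    public static bool VerifyAndUpgrade(string submitted, ref string stored)
    {
        if (Verify(submitted, stored)) return true;
        if (!FixedTimeEquals(submitted, stored)) return false;
        stored = Hash(submitted);   // row is now migrated; caller writes it back
        return true;
    }
}
```

Once every row has been through VerifyAndUpgrade (or a one-shot batch has hashed the remaining rows), the clear-text fallback branch can be removed so a stored value is never again compared as clear text.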