RE: [Rainbowportal-devel] Security
Brought to you by:
danijel_kecman,
manudea
From: Jeffrey M. <je...@my...> - 2005-03-31 18:31:55
|
I agree that this should be added as an option; I would suggest putting an entry in the Web.Config file. I would like to know what advantages there are in a clear text database for passwords? The only one I can think of is sending a user a forgotten password; which in itself is a bad idea from a security point. I beta testing I can see this; that's the one reason I agree to make it an option; the other being I don't want to force anyone into using a feature they don't need or want. I look at this from a damage control security stance; anyone with admin rights (not to mention hackers) can use the Database tool to run a query against the user database and list all the passwords for all the portals; then in turn use this user names and passwords to log in and change content in a very malicious way if they wanted; and the changes would reflex the end users log on info that was stolen; even though the IP address wouldn't; this is little consequence on a corporate web site and could be a major embarrassment at least and financial disaster or worse. I understand that 1.6 will have a better security solution; this was just a hack to hold us over. Jeff Flesher _____ on 31/03/2005 7:44 Jeffrey MRA said the following: I don't like the clear text passwords in the database from a security point; I hope we all can agree on that. I don't want be be a pain, but I hope that encrypted password will be an option, a default option maybe, but still an option. Because having them not encrypted has proven us very usefull in several cases. Rob I suggest adding this function to the Security class; it is the same function used in the Portals Starter Kit which was the successor to IBS Portal. public static string Encrypt(string cleanString) { Byte[] ClearBytes = new UnicodeEncoding().GetBytes(cleanString); Byte[] HashedBytes = ((HashAlgorithm) CryptoConfig.CreateFromName("MD5")).ComputeHash(ClearBytes); return BitConverter.ToString(HashedBytes); } // end Encrypt Call to string EncrptedPassword = Encrypt(password); Such that password will return something like D0-09-1A-0F-E2-B2-09-34-D8-8B-46-06-84-F5-97-89 Much more secure since you can't take this value and log on with it since it is the original password that produces this hash code. Somewhere in the code Add it to the code app_code -> Security -> Security.cs Around line 441 public static string SignOn(string user, string password, bool persistent, string redirectPage) which in turn gets executed in app_code -> Rainbow -> DAL -> UsersDb.cs Around line 994 public Rainbow.Security.User Login(int uid, string password, int portalID) I do realize that we'll have to do a reset password instead of a "I forgot my password" option. Jeff Flesher |