WebsiteBaker Community Forum

General Community => Global WebsiteBaker 2.8.x discussion => Topic started by: NorHei on January 28, 2012, 12:56:15 PM

Title: All users of the page need to reset passwords.
Post by: NorHei on January 28, 2012, 12:56:15 PM
Moving this from members forum  to public as i get no response.


As it was already discovered in this thread:
https://forum.WebsiteBaker.org/index.php/topic,21674.0.html
The pasword encryption used by WebsiteBaker is far too weak.

The dev team (aka Werner) is planing to use a script that has certain disadvantages
I attached it here so you don have to search for it (pwgen.php from SVN 1517)

The main disadvantage is that using this class passwords need to be reset by all users
1. When you update your WB installation to a version using that class.
2. If the Server ist updated and gets new encryption algos.
3. If you move to another server / webspace and this one has different encryption algos.

I guess all pepole that run small webdesign agencies can imagine the nightmare of all their clients
calling em because their Passwords do not work anymore and what to do about it . So this is a completely unaceptable solution.

After i found this problem , i browsed the web for a better solution and what you guess i found a solution thats  secure + 100% compatible:

I found a nice plain PHP-based SHA256 class  that uses serverbased encryption if available, and uses a software implementation as fallback. So SHA256 would always be available.

The only problem left was upgrading to the new version.

Considering that normal passwords are between 8-15 characters even whith md5() there will be no Collisions (2 values producing the same md5() result), so its perfectly save to take the existing md5 password and encode it 1000 times whith SHA256 to get an exelent secured Password in your Database.

So newly created passwords are encrypted 1 x md5() 1000 x sha256 and
existing passwords are encrypted  1000 x sha256 by the upgrade script.

The SHA256 class is LGPL so there will be no license problems ever.

Your opinions please!


[gelöscht durch Administrator]
Title: Re: All users of the page need to reset passwords.
Post by: dbs on February 02, 2012, 08:24:04 AM
Sounds great!
Where is the problem for Werner to use that?
Title: Re: All users of the page need to reset passwords.
Post by: NorHei on February 02, 2012, 08:50:29 AM
Its not made by him so its not perfect  :roll:
Title: Re: All users of the page need to reset passwords.
Post by: instantflorian on February 02, 2012, 09:17:18 AM
Hi,

well I am such a small  webdesign agency.

Please do NOT implement the next "security" feature which makes WB not usable any longer unless the "fix" is fixed ("Security offense!!! Acess denied!!!, you remember?!).
Please do NOT implement a security mechanism which makes it impossible to develop a WB site on a test server and then move it to the live system.
Please do NOT implement a security feature which forces every now and then to reset the password or stops working out of the blue.




Shocked
_florian.
Title: Re: All users of the page need to reset passwords.
Post by: NorHei on February 02, 2012, 10:17:29 AM
Relax a bit , if worst case this happens , i write a patch  :lol:
Title: Re: All users of the page need to reset passwords.
Post by: ruebenwurzel on February 02, 2012, 10:47:56 AM
Hello,

discussed this with the devs and they said there is absolutely no problem with this class if your server has PHP 5.3. So please cool down. PHP 5.3 should be the Standard of the most servers.

Matthias
Title: Re: All users of the page need to reset passwords.
Post by: badknight on February 02, 2012, 11:49:18 AM

Please do NOT implement the next "security" feature which makes WB not usable any longer unless the "fix" is fixed ("Security offense!!! Acess denied!!!, you remember?!)


You remember the Secure Form Switcher ;)?

Please do NOT implement a security mechanism which makes it impossible to develop a WB site on a test server and then move it to the live system.

Please do NOT implement a security feature which forces every now and then to reset the password or stops working out of the blue.[/b]

Just relax

I think it's not the big problem, to tell the user to reset his passwort on the first login..
Title: Re: All users of the page need to reset passwords.
Post by: DarkViper on February 02, 2012, 12:04:28 PM
Relax a bit , if worst case this happens , i write a patch  :lol:

Nice to hear that you'r willing to fix your own fault. ;-)

Remember:
The new class was inserted at your personal wish and on your urgent recommendation.


@all:
there is absolutely no reason for any worries.
This class is a reduced version of the Portable PHP password hashing framework.
Version 0.3 / genuine. Written by Solar Designer <solar at openwall.com>
The homepage URL for this framework is: http://www.openwall.com/phpass/

The class becomes extended with a backward compatibility to normal MD5-hashes used in WB till now.
All old passwords will be also valid in future..
Title: Re: All users of the page need to reset passwords.
Post by: NorHei on February 02, 2012, 12:30:41 PM
I recommended to add better password security, not adding extra trouble.
And dont try to tell us the trouble is necessary.

So its your fault if you ruin the implementation cause  you ignoring my complaints about the problems coming up with changing passwords. But i am happy to hear that you take this issue serious now.

Quote
there is absolutely no reason for any worries.

You told us the same bullschit when releasing the Secureform trouble , how about some proof.

How about posting your new problem free implementation here and now instead of pointing to another project.  Ah i got it you havent done it yet ?

Quote
The class becomes extended with a backward compatibility to normal MD5-hashes used in WB till now. All old passwords will be also valid in future..
If you keep the plain md5() for old passwords you still keep old paswords insecure too. 
If you want secured passwords you need to delete all Passwords again . So you leave us to the Option of having an unsecure system or having trouble upgrading.

this is completely unecessary as its easyly possible to have both secure passwords and compatibility.
Title: Re: All users of the page need to reset passwords.
Post by: instantflorian on February 02, 2012, 12:42:48 PM
@NorHei
+1
Title: Re: All users of the page need to reset passwords.
Post by: kweitzel on February 02, 2012, 12:52:24 PM
NorHei, what is wrong with you? The way I read DarkViper's post and by knowing how he works:

The new class will checking the login with the new System, if that does not verify it will check the "old" way and then, if that one is OK will convert the password with the new class. This means, that NOBODY will have to change their password and step by step as the users log in the old MD5 Password will be purged out of the system ... so what's the big deal in that?

Yeah, so he does not have the ability to put in words what he wants ... but that is NO reason to continue your attacks.

cheers

Klaus
Title: Re: All users of the page need to reset passwords.
Post by: sparkdigital on September 17, 2012, 08:58:19 AM
Gentlemen, I was shocked to read how leading members are dealing with one another in this thread. As it seems there are quite some unresolved personal issues between those who are supposed to take the lead with the WB project I fear for the future of WB.

As a result I think I might have to start looking elsewhere for another website CMS which saddens me as WB is such a little gem.

Konrad
Title: Re: All users of the page need to reset passwords.
Post by: Hans on September 17, 2012, 10:25:29 AM
Look at the date of the previous post.. I think it's getting better now.
Hans