Moving this from the members' forum to the public one as I get no response.
As was already discovered in this thread:
https://forum.WebsiteBaker.org/index.php/topic,21674.0.html
The password encryption used by WebsiteBaker is far too weak.
The dev team (aka Werner) is planning to use a script that has certain disadvantages.
I attached it here so you don't have to search for it (pwgen.php from SVN 1517).
The main disadvantage is that, using this class, passwords need to be reset by all users:
1. When you update your WB installation to a version using that class.
2. If the server is updated and gets new encryption algos.
3. If you move to another server / webspace and this one has different encryption algos.
I guess all people who run small web design agencies can imagine the nightmare of all their clients
calling them because their passwords do not work anymore and what to do about it. So this is a completely unacceptable solution.
After I found this problem, I browsed the web for a better solution and, what do you guess, I found a solution that's secure + 100% compatible:
I found a nice plain PHP-based SHA256 class that uses server-based encryption if available, and uses a software implementation as fallback. So SHA256 would always be available.
The only problem left was upgrading to the new version.
Considering that normal passwords are between 8-15 characters, even with md5() there will be no collisions (2 values producing the same md5() result), so it's perfectly safe to take the existing md5 password and encode it 1000 times with SHA256 to get an excellently secured password in your database.
So newly created passwords are encrypted 1 x md5() + 1000 x sha256, and
existing passwords are encrypted 1000 x sha256 by the upgrade script.
The SHA256 class is LGPL so there will be no license problems ever.
Your opinions please!
[deleted by administrator]
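The migration scheme described in the post (new passwords: md5() once, then sha256 1000 times; existing rows: the stored md5() value run through sha256 1000 times), as an added PHP example that is not part of the original post, the attached pwgen.php, or the SHA256 class mentioned. It uses PHP's built-in hash() instead of that class; the function names and the round constant are assumptions made for this example.

```php
<?php
// Added illustration of the upgrade scheme; not WebsiteBaker code.
// Names and the round count are assumptions chosen for this example.

const WB_SHA256_ROUNDS = 1000;

// Apply SHA-256 to an existing hex MD5 digest 1000 times.
// This is the step an upgrade script would run over the stored md5() values,
// so existing users keep their passwords without a reset.
function wb_upgrade_legacy_md5(string $md5Hex): string
{
    $h = $md5Hex;
    for ($i = 0; $i < WB_SHA256_ROUNDS; $i++) {
        $h = hash('sha256', $h);   // lowercase hex output is fed back in as a string
    }
    return $h;
}

// Hash a freshly entered password: 1 x md5(), then 1000 x sha256.
// Because it reuses wb_upgrade_legacy_md5(), a new hash and an upgraded
// legacy hash of the same password are identical.
function wb_hash_password(string $password): string
{
    return wb_upgrade_legacy_md5(md5($password));
}

// Constant-time comparison of a submitted password with the stored value.
function wb_verify_password(string $password, string $stored): bool
{
    return hash_equals($stored, wb_hash_password($password));
}

// Constructed demonstration: a legacy row holding md5('correct horse') is
// upgraded in place and still verifies for the same password afterwards.
$legacyStored = md5('correct horse');
$upgraded     = wb_upgrade_legacy_md5($legacyStored);
var_dump($upgraded === wb_hash_password('correct horse'));   // bool(true)
var_dump(wb_verify_password('wrong horse', $upgraded));       // bool(false)
```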