 Rank: Aficionado
Joined: 12/15/2006 Posts: 113
We've actually had a client refuse to use Umbraco on the grounds that administration passwords are stored as clear text.
I've read somewhere that the Members passwords are now hashed. Can we do the same for password stored in the "umbracoUser" table?
Any way to do this without editing my source?
___________________________________________________________________________________
Neil
 Rank: Umbracoholic
Joined: 9/8/2006 Posts: 1,696 Location: KY, USA
I agree that passwords shouldn't be stored in plaintext for users, members, or anyone. My understanding is that this has been reported on CodePlex and is/has been addressed for a future release. Now, I'm not in any way disagreeing with the client, but I would add that if someone has access to the database to issue random SQL calls to query the database directly... they don't need passwords for umbraco users any more... you've got a much more significant security problem than simply knowing a few umbraco logins. Yes, this should be fixed. But I don't (personally) think the scenario described is as concerning in reality as it first seems.
cheers, doug.
MVP 2007-2009 - Official Umbraco Trainer for North America - Percipient Studios
 Rank: Addict
Joined: 7/19/2006 Posts: 649 Location: Preston, UK
Guys,
I know Per covered this on another post and, to paraphrase him, if someone has managed to get to your db, regardless of the password being hashed or not, you're up the creek without a paddle.
Regards
Ismail
Level 2 certified. If it ain't broke don't fix.
 Rank: Aficionado
Joined: 12/15/2006 Posts: 113
Here's a thought:
1. Put a trigger on the "umbracoUsers" table to essentially hash the password with MD5 every time there's an insert/update. There's a "HashBytes" in SQL Server 2005 to hash varchars.
2. I could write my own provider to handle the logging in. The login.aspx page has the following:
Code:
    // Authenticate users using any of the membership providers specified
    foreach (MembershipProvider provider in Membership.Providers)
    {
        //if (Membership.ValidateUser(lname.Text, passw.Text))
        if (provider.ValidateUser(lname.Text, passw.Text))
        {
If I rolled my own class with its own ValidateUser() method (to MD5 the user's password, then compare to the username and password in the DB), implementing System.Web.Security.MembershipProvider.
3. Replace the default provider in the web.config to use mine.
Would that work?
___________________________________________________________________________________
Neil
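The following is an added example, not code from this thread or from Umbraco, showing the hash-then-compare check that the custom ValidateUser() described in steps 2 and 3 above would perform. It models the umbracoUser rows as an in-memory table built from constructed sample data (the column name "userPassword" and the class, namespace and assembly names are placeholders). The post proposes unsalted MD5, matching what a HashBytes('MD5', ...) trigger would store; that variant is included for contrast, while the check itself uses a per-user salt and an iterated hash (PBKDF2 via Rfc2898DeriveBytes) so that two users with the same password do not share a stored value and a leaked table cannot be matched against precomputed hash lists. The remaining abstract members of MembershipProvider are not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not Umbraco's own code. The umbracoUser table is modelled as an
// in-memory dictionary (constructed sample data; "userPassword" is a placeholder
// column name) so the check below runs without a database.
public static class PasswordHashing
{
    // Unsalted MD5: the value a HashBytes('MD5', ...) trigger would write. Shown for
    // contrast only: equal passwords give equal hashes, so a leaked table can be
    // matched directly against precomputed hash lists.
    public static string Md5Hex(string password)
    {
        using (MD5 md5 = MD5.Create())
        {
            byte[] digest = md5.ComputeHash(Encoding.UTF8.GetBytes(password));
            StringBuilder sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Salted, iterated hash (PBKDF2 via Rfc2898DeriveBytes, present since .NET 2.0).
    // Stored as "iterations.base64(salt).base64(hash)" so each record carries its own
    // parameters and the iteration count can be raised later without a schema change.
    const int SaltBytes = 16;
    const int HashBytes = 32;

    public static string HashPassword(string password, int iterations)
    {
        byte[] salt = new byte[SaltBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, iterations);
        byte[] hash = kdf.GetBytes(HashBytes);
        return iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');
        int iterations;
        if (parts.Length != 3 || !int.TryParse(parts[0], out iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = new Rfc2898DeriveBytes(password, salt, iterations).GetBytes(expected.Length);
        return FixedTimeEquals(actual, expected);
    }

    // Compare every byte regardless of where the first mismatch is, so the response
    // time does not reveal how long a matching prefix was.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Stand-in for the umbracoUser table: login -> stored "userPassword" value.
public class UserStore
{
    readonly Dictionary<string, string> rows =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public void AddUser(string login, string password, int iterations)
    {
        rows[login] = PasswordHashing.HashPassword(password, iterations);
    }

    // What a custom provider's ValidateUser(username, password) would do: look the
    // login up, never decode anything, and verify the submitted password against the
    // stored hash. An unknown login and a wrong password both return false.
    public bool ValidateUser(string login, string password)
    {
        string stored;
        return rows.TryGetValue(login, out stored) && PasswordHashing.Verify(password, stored);
    }
}

public static class Demo
{
    public static void Main()
    {
        UserStore store = new UserStore();
        store.AddUser("admin", "correct horse battery staple", 10000); // constructed sample row
        Console.WriteLine(store.ValidateUser("admin", "correct horse battery staple"));
        Console.WriteLine(store.ValidateUser("admin", "password"));
        Console.WriteLine(store.ValidateUser("nobody", "password"));
    }
}

// Step 3 of the post (web.config) would then point the membership section at the
// MembershipProvider subclass whose ValidateUser calls UserStore.ValidateUser, e.g.
//   <membership defaultProvider="HashedUserProvider"><providers>
//     <add name="HashedUserProvider" type="MySite.HashedUserProvider, MySite" />
//   </providers></membership>
// (the class, namespace and assembly names are hypothetical).
```

Storing the iteration count beside the salt is deliberate: when hardware gets faster, new or re-hashed records can use a higher count while older records still verify, and the migration from clear-text values can happen lazily on each successful login rather than in one trigger pass.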
 Rank: Aficionado
Joined: 12/15/2006 Posts: 113
Just to finish this one off ...
Downloaded the latest build and can confirm that the new umbraco Membership Providers, (for both umbraco Members and Admins), allow for the password to be stored in clear, encrypted or hashed format, all configurable via the web.config.
Cool!
___________________________________________________________________________________
Neil
Rank: Newbie
Joined: 5/7/2008 Posts: 3 Location: Wellington, NZ
NeilG wrote:
    Downloaded the latest build and can confirm that the new umbraco Membership Providers, (for both umbraco Members and Admins), allow for the password to be stored in clear, encrypted or hashed format, all configurable via the web.config.
I guess that was the v3.0.3 build? I'm still stuck, how do I set this up in the web.config file? I'm interested in hashing the umbracoUser's passwords. Not particularly interested in members, but it wouldn't hurt.
Thanks,
Charles
 Rank: Fanatic
Joined: 7/19/2006 Posts: 492 Location: Göteborg, Sweden
No, it was probably the 4.0 build; membership providers haven't been part of any release before... (but it has been included in the source branch at Codeplex for some time...)
// ;) Kalle
" - Yeah I'd like to share your point of view, as long as it's my view too... ( http://www.d-a-d.dk/lyrics/pointofview)