Hashing umbracoUser passwords
cvallance
Posted: Monday, June 23, 2008 6:21:00 AM
Rank: Newbie

Joined: 5/7/2008
Posts: 3
Location: Wellington, NZ
As you know, the passwords are stored in the database as plain text by default.

Now, I've just recently finished developing a site and only just found this out, I've asked the client whether this will be a problem or not and I just know that the answer is going to be yes... So I've been trying to find information on how to go about this and found a few leads* but they all seem to go cold.

Could someone please save me the time and effort and outline how I go about hashing the passwords in the umbracoUser table. Thanks.

I should mention that I don't care for members, I only care about users.

The best I could come up with is adding this to my web.config:

<membership defaultProvider="UmbracoMembershipProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear/>
    <add name="UmbracoMembershipProvider"
         type="umbraco.providers.UsersMembershipProvider"
         passwordFormat="Hashed"
         enablePasswordRetrieval="false"
         enablePasswordReset="false"
         requiresQuestionAndAnswer="false"/>
  </providers>
</membership>

but it obviously doesn't do the trick.

Thanks in advance for your help!

Ps. I'm using v3.0.5


* http://www.codeplex.com/umbraco/WorkItem/View.aspx?WorkItemId=15264
http://www.codeplex.com/umbraco/WorkItem/View.aspx?WorkItemId=6386
plus other pages...
NeilG
Posted: Monday, June 23, 2008 10:19:06 AM

Rank: Aficionado

Joined: 12/15/2006
Posts: 113
I think Membership is only available in the upcoming release of umbraco v4. v3.0.5 uses a "baked-in" method, "User.validateCredentials()", which tries to select the ID from the umbracoUser table based upon the provided username & password.

You could use a trigger to hash the password when it's inserted, but there is no trigger for SELECT statements, so there's no way to hash the password when it's passed to "User.validateCredentials()".

Best bet is to wait for v.4 or get the source code of v.3.0.5 and add your own code.


___________________________________________________________________________________

Neil
Ruben
Posted: Monday, June 23, 2008 11:29:11 AM

Rank: Aficionado

Joined: 12/21/2007
Posts: 169
Location: Belgium
And you can always use other membership providers that do encrypt or hash the password.

Ruben Verborgh | Umbraco Core Team Developer | Working on: Data layer table utility. | LinkedIn
widescreen
Posted: Monday, June 23, 2008 2:28:52 PM

Rank: Newbie

Joined: 3/29/2008
Posts: 14
Location: NC
Ruben wrote:
And you can always use other membership providers that do encrypt or hash the password.


But won't that require v4 in order to implement membership profiles?
NeilG
Posted: Tuesday, June 24, 2008 12:34:56 PM

Rank: Aficionado

Joined: 12/15/2006
Posts: 113
Yes, you would need v4.
If you need this in 3.0.5 you'll need to get the source code and modify it.

Thinking about it ... the code relies on a table "umbracoUser". Would it be possible to rename the table, then write a view called "umbracoUser", in which you could have a function to unencode the clear text password?

Code:

-- View named "umbracoUser"
-- You'd have to list all the columns
-- Assumes the original table has first been renamed, e.g. to umbracoUser_data (placeholder name),
-- otherwise the view would select from itself
CREATE VIEW umbracoUser AS
SELECT id, userDisabled, userName, userLogin, dbo.UnEncodePassword(userPassword) AS userPassword
FROM umbracoUser_data


The internal "User.validateCredentials()" call would still work but now it selects off the view.

Code:

"select id from umbracoUser where userDisabled = 0 " + str + " and userLogin = @login and userPassword = @pw"



Problem is you need to update all the dependencies that relied on the original "umbracoUser" table.
Updating/inserting users is an obvious issue ....



___________________________________________________________________________________

Neil
cvallance
Posted: Tuesday, June 24, 2008 11:49:01 PM
Rank: Newbie

Joined: 5/7/2008
Posts: 3
Location: Wellington, NZ
Hi guys, thanks for clearing all that up for me... I had a feeling that it was v4 only, but quite a few people mentioned the membership profiles and never mentioned an umbraco version, which, in turn, gave me hope.

Anyway, the client seems happy to have them unencoded for now... if they decide that they want them encoded at some stage I'll have to open up the source and have to play.

Really it shouldn't be a problem for them because they're going to have a staging site and then push the changes to the live site; this means I can give their live site's db user read-only access and I can also omit the whole 'umbraco' administration directory.

So therefore, if anyone manages to get their hands on the database / user passwords they'd then have to hack into their main network to actually use them... and if they manage that, I doubt they'd be changing some content on a staging website!

But in saying that, I'd understand if they wanted them encoded / hashed.

Thanks again guys,
Charles