About passwords

If you have questions about using mojoPortal, you can post them here.

You may want to first review our site administration documentation to see if your question is answered there.

This thread is closed to new posts. You must sign in to post in the forums.
6/13/2006 11:51:13 PM
Gravatar
Total Posts 68

About passwords

Have a question about passwords in the database. What is the difference between "Encrypted in db" and "Hashed in db/Connot be recovered" ? It seems that the later isnt working, when I set the sitesettings to use "hashed in db" and then created a new user, the password was stored in plain text..

 

Thanks,

Christian

6/14/2006 12:47:00 AM
Gravatar
Total Posts 68

Re: About passwords

It seems that you cant log in when first creating a user with password "hashed in db" . (Probably because its stored i db in plain text).

Also, when when creating a user from admin pages in "encrypted in db" mode it works ok, but when i use "Register" function i recieve this error:

An exception of type 'MySql.Data.MySqlClient.MySqlException' occurred in mojoPortal.Data.DLL but was not handled in user code

Additional information: #22001Data too long for column 'Password' at row 1

I think an overview of the password functions would be a good idea. And maybe add a way when changing password mode to rewrite the passwords in db so everyone can log in.

 

Thanks,

Christian 

6/14/2006 12:50:18 AM
Gravatar
Total Posts 68

Re: About passwords

One more thing, i cant log in a user in the "enypted in db", created in the same mode.
6/14/2006 2:51:41 AM
Gravatar
Total Posts 18444

Re: About passwords

Hi Christian,

Yes the password formats need more testing and some documentation before the release and possibly some feature to assist in changing from one format to another.

That MySQL issue is a bug in the table script, need to change that column from varchar(50) to varchar(128). That is also the reason you can't login with the created user, fix the column and create a user and it should work. May also need to check the dbPortal methods for user create and update methods as the params may also be defined as varchar(50). I'll look into fixing these issues tonight and commit to svn.

If you login with site site configured as cleartext then change it to one of the others, you need to update your password before you log out so it gets converted.

I agree we need to code it so it adapts existing users when changed with the following use cases:

Cleartext change to encrypted - encrypt plain passwords for exisitng
Cleartext change to hashed - hash passwords for exisiting users
Encrypted changed to cleartext - decrypt passwords
Encrypted change to hashed - decrypt then hash passwords
Hashed to cleartext - replace password with random password
Hashed to encrypted - replace passwords with random passwords then encrypt them

obviously the change form hashed to anything else is the most problematic since users passwords will all be reset.

None of the above is done yet but this is what I think we need to do before the 2.1 release

Cheers,

Joe
6/19/2006 3:38:42 PM
Gravatar
Total Posts 18444

Re: About passwords

I just commited the code to svn branches/2.1 that should take care of converting existing passwords for the use cases mentioned. I haven't tested it though so if you have any time to test it would be a big help. I plan to test this weekend using a backup copy of this site so I can make sure it works when there are a decent number of users in the site. I implemented it to do the password changes on a new thread so it doesn't cause any UI performance problems if there are a lot of users.

Cheers,

Joe
6/19/2006 4:24:26 PM
Gravatar
Total Posts 18444

Re: About passwords

Also, I think I fixed the bug about hashed being stored as clear text.

Hashed is encrypted with one way encryption which cannot be reversed. To login the password entered is hashed and then compared to the hashed version, if it matches the login is ok. Encrypted is handled the same way for login but passwords can be recovered if forgotten because the encryption is 2 way and can be decrypted.

I will add some documentation for this in the Site Administration section soon.

Cheers,

Joe
6/25/2006 8:39:48 AM
Gravatar
Total Posts 18444

Re: About passwords

Hi Christian,

My initial commit had some problems (I had not tested as I mentioned before) but I have re-worked it and tested with a copy of the db from this site changing the password format and it seems to be working correctly now.
Also had to add a machine key to the web.config.

I've committed to branches/2.1

Cheers,

Joe
You must sign in to post in the forums. This thread is closed to new posts.