Password should be encrypted
shri
Sun 30th Apr '00, 11:42pm
Hi Guys,
A suggestion.
I noticed that you're storing passwords un-encrypted in the user table. This is one thing that you folks should change for security reasons.
mysql has a built in "password(string)" function.
Shri
James
Sun 30th Apr '00, 11:52pm
We *could* store encrypted passwords in the user tables, although there seems little point considering that this info can be accessed by administrators only.
Saying that, would anyone else be interested in storing passwords in an encrypted form in the database?
All the best :)
James
shri
Mon 1st May '00, 12:02am
James,
The point is not how strong the encryption is (we've been through this several times over at the other boards forums), but to prevent easy viewing of the passwords.
I personally do not want to be able to 'accidentally' view a password when I do a 'select * from user'....
Having said that .. LOVE the software so far.
Was such a breeze to modify the layout using the templates. You folks have put some pretty cool stuff in there that I'd been looking for in the phpSlash and Slash packages. Kudos!
Shri
John
Mon 1st May '00, 12:35am
The thing about using the password function is that it is a one way algorithm - the user cannot retrieve the password if it is lost. I will consider if there are better ways for storing passwords in future versions though.
John
BillD
Wed 2nd Aug '00, 1:03pm
Are passwords still stored unencrypted? Since the "I forgot my password" feature mails the unencrypted password I'm guessing things are still not encrypted. This does not seem good security-wise since anyone who could hack into the computer (or an underhanded sysadmin) could steal passwords.
Chris Schreiber
Wed 2nd Aug '00, 1:52pm
I have mixed feelings about this... I really think that there should be an option (control panel flag) to have passwords encrypted in some fashion, even though no one should be able to do a SELECT against my database, the possibility is there. As far as the user forgetting their password, I would just email them a new temporary password to get back in, which they can then change.
-Chris
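The one-way property John describes and the temporary-password reset Chris suggests, as an added Python example (not vBulletin's code nor anything posted in this thread): a stand-in user table stores a salted PBKDF2 hash instead of the plaintext, so a `select * from user` shows only hashes, and the "forgot my password" path mails a fresh temporary password rather than the old one. The names `USERS`, `hash_password`, `reset_password`, `change_password` and the iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; assumption of this example


def hash_password(password: str) -> str:
    """One-way: returns 'salt_hex$digest_hex'; the password cannot be recovered from it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed stand-in for the forum's user table: username -> row.
USERS = {}


def create_user(username: str, password: str) -> None:
    USERS[username] = {"password": hash_password(password), "must_change": False}


def login(username: str, password: str) -> bool:
    row = USERS.get(username)
    return row is not None and verify_password(password, row["password"])


def reset_password(username: str) -> str:
    """'I forgot my password': issue a random temporary password, store only its
    hash, and flag the account so the user must choose a new one after logging in.
    The returned value is what gets mailed; the old password is never recoverable."""
    temp = secrets.token_urlsafe(9)
    USERS[username] = {"password": hash_password(temp), "must_change": True}
    return temp


def change_password(username: str, old: str, new: str) -> bool:
    if not login(username, old):
        return False
    USERS[username] = {"password": hash_password(new), "must_change": False}
    return True
```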
thetakerfan
Wed 2nd Aug '00, 4:53pm
I really don't see a point to having it encrypted, as it's stored in a DB that no one else has access to. As for a sysadmin, I think they have more important problems to tend to with other customers than go around looking for people's vB DBs and looking at PWs.
It's not like UBB where everything was stored in easily accessible files, this is an inaccessible DB.
On a side note, with UBB everyone wanted the hack to view PWs through CP, and now its a bad thing for the admin to see the pass, doesn't make sense to me.
Then again, I could be completely wrong :)
Chris Schreiber
Wed 2nd Aug '00, 5:03pm
Well I see your point here, but....
Anyone and everyone can attempt to gain access to your MySQL database; they just need to connect to your server/port. Now of course they would have to guess your password, but still it IS possible, just like it IS possible for someone to guess my FTP password and gain access to UBB's user files. Of course since the UBB files are also in a web directory, that makes them LESS secure than a database, but still....
I think there are many, many people that would be very upset by their password being compromised. I know I would lose most of my visitors, and might even be sued if it happened. This is why I would store them as encrypted, just to give myself that little extra peace of mind.
-Chris
thetakerfan
Wed 2nd Aug '00, 5:11pm
but still, even encrypted passwords CAN be compromised, if the person really knows what they are doing, it's just harder is all.
Chris Schreiber
Wed 2nd Aug '00, 5:19pm
Oh I realize that... I am sure the encryption used in PHP could be broken in less than a few hours on a normal PC... however, this is enough of a pain to discourage someone from doing it... now if they were credit card #'s, you would want a higher level of encryption.
There was an incident on a UBB site where someone gained access to the Members directory and posted all the passwords (just for fun... ). Now if they were encrypted, they would never have bothered to even try to de-crypt them (the information wasn't valuable enough to warrant the time).
If someone got my site's passwords and they were stored without any encryption, my users would be very upset. However, if they were encrypted and someone took the time to de-crypt them all, I am sure they would be less upset by it.
-Chris
thetakerfan
Wed 2nd Aug '00, 5:50pm
well, I SUPPOSE that's a good point, Chris...STOP FOLLOWING ME! :)
Chris Schreiber
Wed 2nd Aug '00, 9:47pm
LOL taker... we seem to be jumping back and forth between the same threads today huh?
I think it shouldn't be mandatory to use encryption, but I would love to see it added as a control panel option for those of us (me :)) that would use it.
-Chris
thetakerfan
Wed 2nd Aug '00, 10:29pm
today, and yesterday, and the day before
I seem to have nothing better to do, this summer has been pretty boring...summer school doesn't help either!
Well, if it were an option I'd probably use it, why not? It's there. But I don't think it should be placed too high on the priority list.
Chris Schreiber
Wed 2nd Aug '00, 11:36pm
Originally posted by thetakerfan
But I don't think it should be placed too high on the priority list.
I'll agree with you here... it's not critical and there are other things I'd like to see first... but I would use it as well.
-Chris
vBulletin® v3.7.3, Copyright ©2000-2008, Jelsoft Enterprises Ltd.