Bug #2444

closed

user passwords are stored in clear text in the database

Added by Chad Berkley over 18 years ago. Updated over 18 years ago.

Status:
Resolved
Priority:
Immediate
Assignee:
Category:
misc
Target version:
Start date:
05/25/2006
Due date:
% Done:

0%

Estimated time:
Bugzilla-Id:
2444

Description

Users' passwords stored in the usr.password table/column are stored in clear text. This allows a system administrator to view any user's password. These should be encrypted so that no one can ever see another person's password.

Actions #1

Updated by Michael Lee over 18 years ago

I don't know how to do this. I have snooped around the postgresql site to try and figure it out. It seems we need the "pgcrypto" add-on package, which is part of the core distribution according to http://www.postgresql.org/download/

I have not been able to use the crypto and gen_salt('MD5') functions, however.

Example functions are here:
http://www.varlena.com/varlena/GeneralBits/38.php

and apparently we can install the package with a "make" command, then load the functions into template1 or vegbank and it should work. We will have to configure our authentication to deal with the encrypted values in the db instead of just seeing if the value supplied on the login form matches the value in the database.

Actions #2

Updated by Chad Berkley over 18 years ago

I've altered the password system so that it now accepts and stores MD5 digests instead of clear text passwords. I've altered the login and password change functionalities to use the new system. I just need to alter the 'email me my password' function since we no longer know the user's password. This functionality will have to be changed to email the user a temp password, then have them login and change it. This is much more secure than emailing them their own password anyway.

Actions #3

Updated by Chad Berkley over 18 years ago

The email password function now works. It creates a random password and emails it to the user, asking him/her to change it ASAP. The message now reads:

Dear VegBank user,
Your password has been reset to: 462804340

Please login as soon as possible and change your password.

VegBank Support Team

Email:
Website: http://vegbank.org

I've thoroughly tested this and think it's working well. I also wrote a utility to update all of the current clear text passwords with the MD5 digests.
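For reference, the pgcrypto approach sketched in comment #1 (crypt() with gen_salt()) and the one-shot migration of existing rows mentioned in comment #3, written out as an added example. This is not VegBank's code; it assumes the `usr` table and `password` column named in the description, and a `username` column and sample values that are constructed here.

```sql
-- Added example, not from the thread. Assumes table usr(username, password);
-- the username column and the sample values are constructed for illustration.
CREATE EXTENSION IF NOT EXISTS pgcrypto;  -- loads crypt() and gen_salt() (PostgreSQL 9.1+)

-- One-shot migration of rows still holding clear-text passwords.
-- gen_salt('md5') makes a fresh random salt per row; crypt() returns "$1$<salt>$<hash>",
-- so the salt is carried inside the stored value and no extra column is needed.
-- Rows already migrated start with "$1$" and are skipped, so the statement is safe to rerun.
UPDATE usr
   SET password = crypt(password, gen_salt('md5'))
 WHERE password NOT LIKE '$1$%';

-- Setting or changing a password: store the salted hash, never the clear-text value.
UPDATE usr
   SET password = crypt('s3cret-example', gen_salt('md5'))
 WHERE username = 'alice';

-- Verifying a login: crypt() re-hashes the supplied password using the salt embedded
-- in the stored value; the row matches only when the result equals what is stored,
-- so the application never needs (or has) the clear-text password.
SELECT username
  FROM usr
 WHERE username = 'alice'
   AND password = crypt('s3cret-example', password);

-- pgcrypto also offers gen_salt('bf') (bcrypt), a deliberately slow hash that resists
-- brute-force guessing far better than MD5; the statements above work unchanged with it.
```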

Actions #4

Updated by Redmine Admin over 11 years ago

Original Bugzilla ID was 2444
