TOPIC: Password encryption
#2792
dhmitchell (User)
Password encryption 8 Months, 2 Weeks ago
I'm surprised that the DB stores the passwords as plain text and that the client passes the password to the server as plain text. Am I missing something?

Users frequently use the same password or variants on a password in multiple applications; so, visibility to a password even by "trusted" admins can compromise multiple systems.

We're planning on crippling getPass() and User.toString()'s password field in order to prevent anyone from seeing the password. We'll also use https from the client to server in order to protect the password and docs from sniffing. We'll also encrypt the password upon entry and store and test the encrypted password rather than plain text. I'd like to hash the password so it can't be decrypted, but I don't have time for that dramatic of a change.

Does anyone else need these changes? Does anyone else have a modification w/ these or similar changes? Are there other security requirements I should consider which should take less than a day? Will these changes cause any nasty side effects?
 
Last Edit: 2009/06/26 16:40 By dhmitchell.