[Vtigercrm-developers] customer portal with salted hashed passwords

Alan Bell alan.bell at libertus.co.uk
Thu Sep 5 21:21:11 UTC 2013


Hi all,
I was a bit uncomfortable with the plain text passwords in the customer 
portal, so based on the comments here 
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/6781 I implemented MD5 
hashed passwords (a slight modification from the instructions, as the 
contact saving event moved to ContactHandler.php), but then, based on the 
fact that MD5 isn't very good 
http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash, 
I ripped out the MD5 stuff and replaced it with the crypt function, so 
it now does salted and blowfish hashed passwords. The emails still send 
the passwords in plain text, and requesting your password again emails a 
replacement password, so anyone knowing your email address can annoy you 
by repeatedly resetting your password. There is still room for 
improvement, but I think this is quite a good start.

I will try and sort out the bits into some kind of patch. This is on top 
of a somewhat hacked-about portal already, so I might have to start again 
from a clean portal to share the code, but I thought folk might be 
interested that it has been done at least.

Alan.

-- 
Libertus Solutions
http://libertus.co.uk
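Added example, not Alan's patch or vtiger's own code: the approach the post describes, replacing plain text or MD5 storage with PHP's crypt() in Blowfish (bcrypt, "$2y$") mode, plus the verification and legacy-detection pieces a portal needs around it. It assumes PHP 5.3.7 or later for the "$2y$" prefix, a cost factor of 10, and the function names here (portal_make_salt, portal_hash_password, portal_verify_password, portal_is_legacy_hash) are my own; the demonstration values at the bottom are constructed.

```php
<?php
// Added example (not vtiger or Alan Bell's code): customer-portal password
// storage with crypt() in bcrypt mode. Assumes PHP >= 5.3.7 for "$2y$".

// Build a bcrypt salt string "$2y$<cost>$<22 chars>" from 16 random bytes.
// Cost 10 is an assumption; raise it as hardware allows.
function portal_make_salt($cost = 10) {
    $raw = null;
    if (function_exists('openssl_random_pseudo_bytes')) {
        $raw = openssl_random_pseudo_bytes(16);
    } elseif (function_exists('mcrypt_create_iv')) {
        $raw = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
    }
    if ($raw === null || strlen($raw) !== 16) {
        throw new RuntimeException('no CSPRNG available for salt generation');
    }
    // bcrypt salts use the alphabet ./0-9A-Za-z; standard base64 uses '+',
    // so translate it to '.' and keep the first 22 characters (no padding).
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

// Hash a new or changed password. A fresh salt per password means two
// contacts with the same password get different stored values.
function portal_hash_password($plain) {
    $hash = crypt($plain, portal_make_salt());
    // crypt() signals failure with a short string such as "*0" rather than
    // throwing, so check the length of a bcrypt result explicitly.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Verify a login attempt against the stored hash.
function portal_verify_password($plain, $stored) {
    // crypt() reads the cost and salt back out of $stored, so hashing the
    // candidate with $stored as the "salt" reproduces the full hash on match.
    $candidate = crypt($plain, $stored);
    // Compare in constant time; hash_equals() only exists from PHP 5.6.
    if (function_exists('hash_equals')) {
        return hash_equals($stored, $candidate);
    }
    if (strlen($candidate) !== strlen($stored)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($stored); $i < $n; $i++) {
        $diff |= ord($stored[$i]) ^ ord($candidate[$i]);
    }
    return $diff === 0;
}

// Rows written before the change still hold plain text or a 32-char MD5
// digest; flag them so they can be rehashed on the next successful login.
function portal_is_legacy_hash($stored) {
    return strpos($stored, '$2y$') !== 0 && strpos($stored, '$2a$') !== 0;
}

// Constructed demonstration values, not real credentials.
$stored = portal_hash_password('correct horse battery staple');
var_dump(strlen($stored));
var_dump(portal_verify_password('correct horse battery staple', $stored));
var_dump(portal_verify_password('wrong password', $stored));
var_dump(portal_is_legacy_hash(md5('oldpass')));
var_dump(portal_is_legacy_hash($stored));
```

On PHP 5.5 and later the same result is available with less code through password_hash() and password_verify(), which the linked php.net FAQ points to; the crypt()-based version above is what the post describes and also runs on 5.3.7 and 5.4. The legacy check is the piece that makes the migration safe: the login handler can accept an MD5 or plain text match once, write back a bcrypt value, and never store the weak form again.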
