[Vtigercrm-developers] customer portal with salted hashed passwords
Alan Bell
alan.bell at libertus.co.uk
Thu Sep 5 21:21:11 UTC 2013
Hi all,
I was a bit uncomfortable with the plain text passwords in the customer
portal, so based on the comments here
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/6781 I implemented MD5
hashed passwords (a slight modification from the instructions, as the contact
saving event moved to ContactHandler.php), but then based on the fact
that MD5 isn't very good
http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
I ripped out the MD5 stuff and replaced that with the crypt function, so
it now does salted and blowfish hashed passwords. The emails still send
the passwords in plain text and requesting your password again emails a
replacement password, so anyone knowing your email address can annoy you
by repeatedly resetting your password, so there is still room for
improvement, but I think this is quite a good start.
I will try and sort out the bits into some kind of patch; this is on top
of a somewhat hacked about portal already, so I might have to start again
from a clean portal to share the code, but I thought folk might be
interested that it has been done at least.
Alan.
--
Libertus Solutions
http://libertus.co.uk
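For readers who want to see what "salted and blowfish hashed" via crypt() looks like in practice, here is an added example. It is not Alan's patch and not vtiger's own code; the function names, the hypothetical `user_password` column, the cost factor of 10 and the handling of interim unsalted-MD5 rows are all assumptions made for illustration. It shows the two halves a portal needs: generating a `$2y$` bcrypt hash with a fresh random salt on save, and verifying a login attempt against the stored hash (including a migration path for rows still holding the earlier MD5 scheme).

```php
<?php
// Added example (not from the original post or from vtiger). Assumes PHP >= 5.3.7
// (for the "$2y$" bcrypt prefix) and a hypothetical portal table column
// `user_password` that is at least 60 characters wide.

// Constant-time string comparison so a wrong guess does not leak how many
// leading bytes matched. PHP 5.6+ provides hash_equals() for this.
function portal_ct_equals($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Produce a bcrypt hash with a fresh 22-character salt drawn from the
// bcrypt alphabet (./A-Za-z0-9). Cost 10 is an assumed value; raise it as
// hardware allows.
function portal_hash_password($plain) {
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($plain, '$2y$10$' . $salt);
    // crypt() returns a short "*0"/"*1" string instead of a hash when the
    // bcrypt algorithm is unavailable; never store that as a password.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing is not available on this PHP build');
    }
    return $hash;
}

// Verify a login attempt. Returns false on mismatch, true on match, and the
// string 'rehash' when the row still holds an unsalted MD5 value (the interim
// scheme from the trac ticket) so the caller can upgrade it in place.
function portal_verify_password($plain, $stored) {
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy MD5 row: accept once, then the caller rehashes with bcrypt.
        return portal_ct_equals($stored, md5($plain)) ? 'rehash' : false;
    }
    // Passing the stored hash as the salt makes crypt() reuse its prefix,
    // cost and salt, so the result is directly comparable to the stored value.
    $calc = crypt($plain, $stored);
    return strlen($calc) === 60 && portal_ct_equals($stored, $calc);
}

// Sketch of how a login handler would use the above (assumed helper
// names, no real database access in this example).
function portal_login_check($plain, $stored_from_db) {
    $result = portal_verify_password($plain, $stored_from_db);
    if ($result === false) {
        return array('ok' => false, 'new_hash' => null);
    }
    // On a legacy match, hand back a bcrypt hash to write over the MD5 row.
    $new_hash = ($result === 'rehash') ? portal_hash_password($plain) : null;
    return array('ok' => true, 'new_hash' => $new_hash);
}
```

On PHP 5.5 and later the same thing is available as password_hash() and password_verify() (the functions the linked php.net FAQ points to), which also pick the salt for you; the crypt()-based version above is what you would write on the 5.3/5.4 installs vtiger was commonly deployed on at the time. Note that none of this addresses the other point in the post: as long as the portal e-mails a replacement password to any address on request, the hashing only protects the database copy, not the reset flow.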