[Vtigercrm-developers] Portal passwords
Alan Bell
alan.bell at libertus.co.uk
Thu Feb 18 10:27:12 GMT 2016
Hi all,

In 6.4.0 and all prior versions, if you use the customer portal, then
passwords for your contacts are stored in plain text in the
user_password field in the vtiger_portalinfo table. This isn't ideal for
reasons everyone is familiar with.

This was noted in this issue
http://code.vtiger.com/vtiger/vtigercrm/issues/6
and code was proposed in this merge request that uses the crypt function
to encrypt the passwords using a reasonable algorithm for password
hashing, like this:
$salt='$2y$11$'.str_replace("+",".",substr(base64_encode(openssl_random_pseudo_bytes(17)),0,22));
$password = crypt($password,$salt);
http://code.vtiger.com/vtiger/vtigercrm/merge_requests/13

It is code we have running in production and it works great. However,
the code that made it into the tree for 6.5.0 is this:
http://code.vtiger.com/vtiger/vtigercrm/commit/010dcbf67fdfb594c08c0c1a693740072a65085b
which does an MD5 hash of the password rather than using crypt, so in
the 6.5 migration script it will do:
'UPDATE vtiger_portalinfo SET user_password=MD5(user_password)';
which is an unsalted hash using a hashing algorithm that isn't
considered secure enough any more. Using an unsalted hash means that a
password encrypts to the same thing every time, so you could, for example,
search for anyone using "5f4dcc3b5aa765d61d8327deb882cf99" and you know
that their password is "password". With a salted hash you can't use
rainbow tables to retrieve passwords.
There are other use cases for doing encryption properly. If using the
standard functions for encryption it is possible to sync password
changes with other systems; for example, Moodle, Joomla and WordPress
all use crypt compatible hashes, so if you want to have single passwords
between the customer portal and other systems, using this MD5 thing won't
work.
I hope other people have opinions on this; I just want to open the
discussion on it before 6.5.0 is released and it is too late to do it
properly, as once the migration has happened your contact passwords will
not be easy to upgrade to crypt compatible hashes.

Alan.
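As an added illustration (not code from the post or from vtiger), here is the contrast in PHP: the unsalted MD5 scheme beside the crypt()-based bcrypt scheme from the merge request, with a verification routine and a legacy-aware check for rows that already hold an MD5 value. The function names are my own assumptions; only the $2y$11$ salt construction comes from the merge request.

```php
<?php
// Added example (not vtiger's own code): unsalted MD5 beside the bcrypt
// scheme from merge request 13. Function names are hypothetical.

// Build a bcrypt salt in $2y$ format with cost 11, as the merge request does.
function portal_make_salt(int $cost = 11): string
{
    $raw = base64_encode(openssl_random_pseudo_bytes(17));
    return sprintf('$2y$%02d$', $cost) . substr(str_replace('+', '.', $raw), 0, 22);
}

// Hash a plaintext password; every call embeds a fresh salt, so the same
// password never produces the same stored value twice.
function portal_hash_password(string $password): string
{
    $hash = crypt($password, portal_make_salt());
    if (strlen($hash) !== 60) { // crypt() returns "*0"/"*1" on a rejected salt
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Verify a login: crypt() re-reads salt and cost from $stored itself;
// hash_equals() keeps the comparison constant-time.
function portal_verify(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Legacy-aware check for rows the 6.5 migration left as 32-hex MD5 values:
// verify against MD5 and return a bcrypt hash to store in its place.
function portal_verify_and_upgrade(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        $ok = hash_equals($stored, md5($password));
        return [$ok, $ok ? portal_hash_password($password) : null];
    }
    return [portal_verify($password, $stored), null];
}

// Demonstration with constructed values.
$legacy = md5('password');               // same value on every call
$h1 = portal_hash_password('password');
$h2 = portal_hash_password('password');  // differs from $h1 because of the salt
var_dump($legacy === md5('password'), $h1 !== $h2);
var_dump(portal_verify('password', $h1), portal_verify('Password', $h1));
[$ok, $rehash] = portal_verify_and_upgrade('password', $legacy);
var_dump($ok, $rehash !== null && portal_verify('password', $rehash));
```

Needs PHP 7.1 or later for the typed signatures and array destructuring; crypt()'s $2y$ support itself dates from PHP 5.3.7.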