[Vtigercrm-developers] Portal passwords

Alan Bell alan.bell at libertus.co.uk
Thu Feb 18 10:27:12 GMT 2016


Hi all,

In 6.4.0 and all prior versions, if you use the customer portal then 
passwords for your contacts are stored in plain text in the 
user_password field in the vtiger_portalinfo table. This isn't ideal for 
reasons everyone is familiar with.

This was noted in this issue:
http://code.vtiger.com/vtiger/vtigercrm/issues/6

and code was proposed in this merge request that uses the crypt function 
to hash the passwords using a reasonable algorithm for password 
hashing, like this:

    // 17 random bytes -> 24 base64 chars; bcrypt wants 22 salt chars from [./A-Za-z0-9]
    $salt = '$2y$11$' . str_replace("+", ".", substr(base64_encode(openssl_random_pseudo_bytes(17)), 0, 22));
    // crypt() with a $2y$ salt produces a bcrypt hash; the salt is embedded in the result
    $password = crypt($password, $salt);

http://code.vtiger.com/vtiger/vtigercrm/merge_requests/13

It is code we have running in production and it works great. However, 
the code that made it into the tree for 6.5.0 is this:

http://code.vtiger.com/vtiger/vtigercrm/commit/010dcbf67fdfb594c08c0c1a693740072a65085b

which does an MD5 hash of the password rather than using crypt, so in 
the 6.5 migration script it will do:

    'UPDATE vtiger_portalinfo SET user_password=MD5(user_password)';

which is an unsalted hash using a hashing algorithm that isn't 
considered secure enough any more. Using an unsalted hash means that a 
password hashes to the same thing every time, so you could for example 
search for anyone using "5f4dcc3b5aa765d61d8327deb882cf99" and you know 
that their password is "password", but with a salted hash you can't use 
rainbow tables to retrieve passwords.

There are other use-cases for doing hashing properly. If using the 
standard functions for hashing it is possible to sync password 
changes with other systems; for example Moodle, Joomla and WordPress 
all use crypt-compatible hashes, so if you want to have a single password 
between the customer portal and other systems, using this MD5 thing won't 
work.

I hope other people have opinions on this, I just want to open the 
discussion on it before 6.5.0 is released and it is too late to do it 
properly as once the migration has happened your contact passwords will 
not be easy to upgrade to crypt compatible hashes.

Alan.
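The following is an added example illustrating the point of the mail above; it is not Alan's code and not vtiger's. It hashes a portal password with bcrypt via crypt() exactly as the merge request does, verifies a login with a constant-time comparison, and, as an extension beyond the mail, handles the situation Alan warns about: if a row has already been migrated to an unsalted MD5 hash, the verify step recognises the 32-hex-digit format and re-hashes the password with bcrypt at the first successful login, since the MD5 value itself cannot be converted back. The function names (portalHashPassword, portalVerifyPassword, demo), the cost constant and the helper for re-hashing are assumptions of this example; the table and column names come from the mail. It assumes PHP 5.6 or later for hash_equals().

```php
<?php
// Added example (not vtiger code): bcrypt password hashing for the customer
// portal, plus upgrade-on-login for rows already migrated to unsalted MD5.

const PORTAL_BCRYPT_COST = 11; // assumed cost; matches the '$2y$11$' prefix in the mail

// Hash a new or changed portal password with bcrypt. The random salt is
// embedded in the returned string, so no separate salt column is needed.
function portalHashPassword($password)
{
    // 17 random bytes -> 24 base64 chars; bcrypt wants 22 chars from [./A-Za-z0-9]
    $raw  = str_replace('+', '.', substr(base64_encode(openssl_random_pseudo_bytes(17)), 0, 22));
    $salt = sprintf('$2y$%02d$', PORTAL_BCRYPT_COST) . $raw;
    $hash = crypt($password, $salt);
    // crypt() returns a short string (e.g. '*0') on failure; never store that
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Check a login attempt against the value stored in vtiger_portalinfo.user_password.
// Returns array($ok, $newHash): $newHash is non-null when the stored value was a
// legacy unsalted MD5 hash and should be replaced with the returned bcrypt hash.
function portalVerifyPassword($password, $stored)
{
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy row produced by 'UPDATE ... SET user_password=MD5(user_password)'
        $ok = hash_equals($stored, md5($password));
        return array($ok, $ok ? portalHashPassword($password) : null);
    }
    // crypt() with an existing bcrypt hash as the "salt" recomputes that hash;
    // hash_equals() compares in constant time to avoid timing leaks.
    $ok = hash_equals($stored, crypt($password, $stored));
    return array($ok, null);
}

// Demonstration with constructed values: two bcrypt hashes of the same
// password differ (salted), whereas two MD5 hashes are identical (unsalted).
function demo()
{
    $pw = 'password';
    $h1 = portalHashPassword($pw);
    $h2 = portalHashPassword($pw);
    printf("bcrypt hashes differ:     %s\n", $h1 !== $h2 ? 'yes' : 'no');
    printf("md5 hashes identical:     %s\n", md5($pw) === md5($pw) ? 'yes' : 'no');

    list($ok, $upgrade) = portalVerifyPassword($pw, $h1);
    printf("bcrypt login ok:          %s, upgrade needed: %s\n", $ok ? 'yes' : 'no', $upgrade === null ? 'no' : 'yes');

    list($ok, $upgrade) = portalVerifyPassword($pw, md5($pw));
    printf("legacy md5 login ok:      %s, upgrade needed: %s\n", $ok ? 'yes' : 'no', $upgrade === null ? 'no' : 'yes');
    // $upgrade would now be written back to vtiger_portalinfo.user_password
    // (an UPDATE by contact id, omitted here because it depends on vtiger's DB layer).

    list($ok, $upgrade) = portalVerifyPassword('wrong', $h1);
    printf("wrong password rejected:  %s\n", $ok ? 'no' : 'yes');
}

demo();
```

The resulting hashes start with `$2y$11$` and are the same format that Moodle, Joomla and WordPress can verify through their own crypt-based checks, which is what makes the cross-system password sync in the mail possible. The upgrade-on-login path matters because an MD5 value cannot be turned into a bcrypt hash offline; the plaintext is only available at the moment the contact logs in.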

