powered by Jive Software

Security

I was just noticing how unsecure the passwords were, and some other things. Why aren’‘t they encrypted? After running through the admin console, I don’'t see any front-end reasons. I got a MD5/SHA1 encryption routine (with seeding) for MM Flash and JS, but I have no idea how to implement it on the user creation part. I could just create another PHP front-end to create the users, but it would be better to already be in there.

A MD5/SHA1 hashed password isn’‘t encrypted, it is a signature of the password. The advantage of hashing is that an unauthorized person accessing the database won’‘t see the user’'s password. But seeing the password is only useful if they use the same password on other websites. In a lot of ways, the disadvantages of using a stored hash outweigh the single advantage.

Hashing passwords is done to make the developer feel more secure, and to cover him in case someone were to use a password from that site to steal money from a paypal account using the same password. But if someone can break into your box, your users will hate you even if the passwords are hashed. So take that energy and focus it on securing the box and prevent unauthorized database access.

If you still want to use hashes, look at AuthProvider in the API documentation and check this out: http://www.jivesoftware.org/issues/browse/JM-291

Thanks! I didn’'t know about some of that…