adding encryption to login password box

hi,

i have generated my login page with security assist with a remember me option.

when i open my login page in DW and trying click on the password box and go to bindings to add encryption SHA1 it applies it to the cookies password, i cannot seem to click away from that and because of this when someone goes to the login page and ticks the remember me option then goes away and tries to login again it puts wont allow them to login takes them to the email password page as it has added more masked characters to the login password box.

can anyone help please?

many thanks

You should be editing your authenticate user server behavior for the posted login info and apply the formatting to the posted password element. If you have any further trouble with this post back with your login page so we can take a look at the issue.

thanks eric, when i open the authenticate server behaviour it opnes a 3 stage wizard.

1st is the table and redirect pages.
2nd then shows me the columns to authenticate, when i click the dynamic lightning bolt i have the WACookies then below i have the WA login form, i assumed i clicked the userpassword filed in my login box, click format and choose sha1 encryption.

i done this and uploaded and it redirected me to my email password box.

when i take this out, it then works again.

can you advise?

many thanks

So you can have users login so long as you are not formatting the password with the sha1 correct?

This means that you are not storing the password encrypted in the db. You must have an encrypted password in your db for that user in order to use this functionality when logging in.

It is only when you store an encrypted password that you need to format the user's entered password with sha1. If you are not storing the password in sha1 format then you should not format the user's password when they are logging in.

thanks eric, i now see what i need to do.

if i want to use encryption on login but have existing users and will be registering the users manually via mysql database how can i set the password to match the encrypted?

can it be done and do you need to use the encryption?

many thanks

If you are using encryption on login it means that you are storing the passwords in an encrypted format in your db. If the passwords that exist are not stored like this then there is no need to have an encrypted login.

To make the login work with encryption you will first need to update your registration process so that you are inserted the encrypted version of the password for the user. If you have existing users you will need to make sure that you update the passwords that are in your db to be the sha1 encrypted version of that password.

If you register the user's yourself you could just update your registration page and re-register the existing users, this should get them to have an encrypted password in the db.

thanks eric, i register users myself straight into the database, so maybe i will create a form and do it from there so it is encrypted.

other than that is there a way to show the encrypted version of a password?

maybe an online site converter?

also one last thing if you dont mind, is it best to use sha1?

is it an issue not to use any encryption?

many thanks

I'm not sure that I understand what is being asked here:

  other than that is there a way to show the encrypted version of a password?  

If you would like to see an encrypted version of any value you can output it with php like this:

<?php print(sha1("the value to show as encrypted")); ?>

There are other methods of hashing a value that do not rely on sha1. It will create a hash value for you, but how safe it is depends on who you ask. I think in general it would be fine for most instances, but there are others out there that might produce a larger harder to crack hash. You should be able to find out more about them by searching the php site.

Thanks Eric for your help with this, having trouble though maybe you can help.

I create a Users_Update page by creating a recordset which filters on session variable = UserID

When i add in the update record it updates all the information correctly. I then added the encryption SHA1 onto the text fields "Password and Confirm Password" boxes i created well what i thought i had done however it was not that, it was in the bindings panel of my recordset that it changed it to encryption SHA1. Not sure if this is the right way to do it Eric, as it encrypts the value that is currently in the box but when i insert a new password it goes into the database the way i key it in. How should it store the password in the database, encrypted or not? How do i add it to encrypt the password when updated and inserted and not the actual value that i have in the update page?

Thanks eric again for your help and sorry if this is a simple fix.

On any page that is adding the password to the db you will need to encrypt the value when it is being inserted. So in an insert server behavior you would apply the sha1 to the value that you are setting for the password column. This is the same for any page that sets the password in the db, you format it within the insert or update server behavior.