
Password encryption

Thread began 6/15/2010 5:35 pm by akstudio | Last modified 6/18/2010 2:27 pm by Eric Mittman | 1640 views | 6 replies |

akstudio

Password encryption

I am up and running with the solution pack, I have several users already with accounts. Now, I would like to implement password encryption.

1. How would I go about this, and (I have security assist, etc)

2. Is it too late for the people already registered? Meaning, will they have to register again, or is there a way I can use a tool to encrypt their password and paste it back into the password field... without them ever realizing it?

I ask #1 because it has a password recovery utility and I am unsure if that needs to be reworked.

Thanks in advance.


Eric Mittman

You could apply the encryption on the password value in the insert server behavior on the registration page. This will make it store as encrypted; next you would need to update the login page to encrypt the value that the user is entering before it is compared to the value in the db.

We have a Solution Recipe that covers the process but it is not specific to the URSP. I would suggest that you get an understanding of the process from this before you try to apply it to your site. Make sure to back up any pages before you work on them.

securityassist/

As for updating the existing users, it is possible to do this, but it would require you to access the records in the db, pull up the password value, then encrypt it and update the record with the encrypted password. There are no server behaviors or automatic process for doing this; you can do it manually in the db or you can do it with a PHP page.


akstudio

OK, thanks a ton. I now have this working ... everything is encrypted.

2 more quick questions.

1. I have full access to the db, phpmyadmin, etc... how can I go about encrypting each password by hand, then inserting it into the db? ...as you mention in your answer above. Is there a tool for this?

2. Now that I have set the encryption within my reg page... was there an asset created in a WA_ folder that is required to be uploaded along with the edited registration page? I checked and did not see anything out of the norm.

Thanks


Eric Mittman

There is not a server behavior or automatic process for updating the password but you could create a page to do this.

The page would need a recordset to pull the users records from the db. Next you would add an update server behavior to the page. For the update you can just update the password field and reference the value from the recordset but choose to format it with sha1. This should update the user's record with an encrypted version of the password. If you were to do this manually you could have a page with a form on it that you enter the old password in, then have the form submit to the same page and use the bindings to show it on the page. After you put the binding on the page you can put the sha1 formatting around it to have it give you the sha1 version of the value.

There are also probably websites out there that can do this for you as well, but I would not recommend entering passwords into a website.

As far as any new files to upload you may need to update the sha1 file if it was not there previously. Re-uploading the entire folder might not be a bad idea just to be sure.

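The one-time update described in the reply above, as an added example that is not part of the original thread or WebAssist's code. It swaps PHP's built-in `password_hash()` (salted and deliberately slow) in for the sha1 formatting the thread uses; the `users` table, the `UserID` column and the in-memory SQLite database are assumptions, and only the `UserPassword` column name comes from the thread.

```php
<?php
// One-time migration: replace plaintext passwords with password_hash() output.
// Assumed schema: table `users`, columns UserID and UserPassword. The column
// must be wide enough for the hash (VARCHAR(255) is the usual choice).
// An in-memory SQLite database with constructed rows stands in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (UserID INTEGER PRIMARY KEY, UserPassword VARCHAR(255))');
$db->exec("INSERT INTO users (UserPassword) VALUES ('tulip-Garden9'), ('c0ffee!mug')");

function migratePasswords(PDO $db): int
{
    $rows = $db->query('SELECT UserID, UserPassword FROM users')->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE users SET UserPassword = :hash WHERE UserID = :id');
    $changed = 0;

    $db->beginTransaction();
    try {
        foreach ($rows as $row) {
            // password_get_info() reports no algorithm for a value that is not
            // a password_hash() result, so rows already migrated are skipped
            // and a second run cannot hash a hash.
            if (!empty(password_get_info($row['UserPassword'])['algo'])) {
                continue;
            }
            $update->execute([
                ':hash' => password_hash($row['UserPassword'], PASSWORD_DEFAULT),
                ':id'   => $row['UserID'],
            ]);
            $changed++;
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();   // leave every row untouched if any update fails
        throw $e;
    }
    return $changed;
}

echo migratePasswords($db), " rows hashed on first run\n";
echo migratePasswords($db), " rows hashed on second run\n";
$stored = $db->query('SELECT UserPassword FROM users WHERE UserID = 1')->fetchColumn();
var_dump(password_verify('tulip-Garden9', $stored));
```

A bare SHA-1 digest cannot be told apart from a 40-character plaintext password with certainty, which is why the skip check relies on the self-describing `password_hash()` format.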

akstudio

I've followed along as close as possible, but I am missing something..

This is what I have done...

Added SHA1 to the registration page.

Added SHA1 to the user_profile_detail page

Logged into the system, and updated the password.

I figured, that now the reg form and the update profile, with the SHA1, would be the solution. But it is not. Upon changing my password, it does in fact encrypt it, as I see it in the "UserPassword" field, however, trying to log back in does not work, BUT... if I copy the long string of characters it created (and placed in the field) and use THAT for the log in... it works.

I'm not sure if I followed your instructions correctly.

Also, upon thinking this a bit deeper.... will I need to add some sort of behavior on the "forgot password" section? It seems that once it is encrypted, and a user requests it, they will get a long string of characters... I have yet to test this, as I am working on localhost.


akstudio

... going through the tutorials now, thanks... it's clearing things up


Eric Mittman

For the login you will need to apply sha1 formatting to the posted password value in the Authenticate User server behavior.

For the forgot password you will have to redo this part with a generate new password page instead. The idea is that the user indicates that they forgot their password and an email is sent with a password reset link. The user clicks on this link and a new randomly generated password is sent to them. On the page that sends it you need to store it in a session variable then encrypt the value and update the record in the db with it. In the Universal Email server behavior you will use the session variable that holds the unencrypted value.

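The login check and the generate-new-password step from the reply above, as an added example that is not part of the original thread or WebAssist's server behaviors. It uses `password_hash()` / `password_verify()` in place of the thread's sha1 formatting; the `users` table, the `UserEmail` column, the function names and the sample account are assumptions, and the returned plaintext plays the role of the session variable handed to the email step.

```php
<?php
// Login check and password reset against hashed storage.
// Assumed schema: table `users` with UserEmail and UserPassword columns;
// the SQLite database and the account below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (UserEmail TEXT PRIMARY KEY, UserPassword VARCHAR(255))');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['pat@example.com', password_hash('tulip-Garden9', PASSWORD_DEFAULT)]);

// Hash-aware login: the posted value is checked against the stored hash,
// never compared to the column as-is.
function authenticate(PDO $db, string $email, string $posted): bool
{
    $stmt = $db->prepare('SELECT UserPassword FROM users WHERE UserEmail = ?');
    $stmt->execute([$email]);
    $stored = $stmt->fetchColumn();
    return $stored !== false && password_verify($posted, $stored);
}

// Reset: generate a random password, store only its hash, and hand the
// plaintext back once so the mail step can send it.
function resetPassword(PDO $db, string $email): ?string
{
    $new = bin2hex(random_bytes(8));   // 16 hex characters from the CSPRNG
    $stmt = $db->prepare('UPDATE users SET UserPassword = ? WHERE UserEmail = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $email]);
    return $stmt->rowCount() === 1 ? $new : null;   // null: no such account
}

$stored = $db->query('SELECT UserPassword FROM users')->fetchColumn();
echo 'real password:        '; var_dump(authenticate($db, 'pat@example.com', 'tulip-Garden9'));
echo 'stored string itself: '; var_dump(authenticate($db, 'pat@example.com', $stored));
$temp = resetPassword($db, 'pat@example.com');
echo 'old password, reset:  '; var_dump(authenticate($db, 'pat@example.com', 'tulip-Garden9'));
echo 'emailed password:     '; var_dump(authenticate($db, 'pat@example.com', $temp));
```

The second check covers the symptom reported earlier in the thread: when the login step verifies the posted value against the hash, pasting the stored string into the login form no longer authenticates.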
