Sha1
Hi,
Currently Security Assist uses SHA1 hashing. I have read around that there are better hashing methods out there, such as SHA512, etc.
Will Security Assist be updating to this, and is SHA1 secure enough to use for now?
Many thanks
There are currently no plans to include any different hash algorithms in future versions of Security Assist, but you can post a request in the wishlist forum to have this taken into consideration.
The only real difference between an SHA1 encrypted string and SHA512 is the length.
SHA512 is 129 characters long versus 40 characters.
Both are one-way encryption algorithms, meaning they cannot be decrypted.
SHA1 is secure enough.
Thanks Jason, just wanted to clarify the difference.
But if SHA1 is secure enough, then happy with that.
Thanks again for the response
Hi, I have all the extensions of WebAssist, but not all are working as they should. For example, I've read in this forum about the SHA algorithm, but how do I activate it when I use the Security Assist wizard? Because when I finish the wizard and then register, the password is not encrypted. Also, I discovered that when you use a template in the wizard, all the files are misplaced in the site.
Daniel,
There has been a bug that was discovered by the WA team and a few of us users, where we found that the Security Assist folder gets added outside the root HTML folder. I think Jason said they were working on discovering what was causing it, but it was still not known as of a few days ago. To fix, you just have to move the folder into your main HTML folder.
To use SHA1, you just need to apply it -- it's not something you activate.
To apply it, just go to your insert record behavior on your registration page. When you open the behavior, you can click next to assign the values from your form to the correct database column. You will also see "formatting". So you would go down to your password column, select the lightning bolt and select the password form input field if it is not already there... then select the formatting drop down and click on WebAssist SHA1 Encryption.
You will also need to change your login form to apply SHA1 to the password BEFORE it compares it to the value in the database. That way, you're comparing the SHA1 encrypted entry against the SHA1 encrypted database field.
But remember, you will also need to change your password retrieval system as well. Once a password is encrypted with SHA1, you won't be able to decrypt and send it back to someone if they forget. So, when a user forgets their password and clicks "Forgot Password", you will actually need to create a whole new temporary password (which you can email back to them before it gets encrypted) and then they will be able to log in with the new one and change their password to whatever they like.
Here is a great video tutorial on the whole process: securityassist/
Go to Solution Recipes and click on "Modifying Registration".
Best regards,
Brian
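The three steps described in the post above (hash at registration, hash the login entry before comparing, issue a temporary password on "Forgot Password"), as an added example that is not part of the original thread and is not WebAssist's code. The in-memory `USERS` store and all function names are assumptions made for illustration; the algorithm is selectable because the thread discusses both SHA1 and SHA512.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the users table (hypothetical).
USERS = {}


def hash_password(password, algorithm="sha1"):
    """Return the hex digest that goes into the password column."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def register(username, password, algorithm="sha1"):
    # Registration: apply the hash before the insert, so the
    # plaintext password never reaches the database.
    USERS[username] = {
        "algorithm": algorithm,
        "password": hash_password(password, algorithm),
    }


def login(username, password):
    # Login: hash the submitted value first, then compare it with the
    # stored digest. compare_digest runs in constant time.
    row = USERS.get(username)
    if row is None:
        return False
    candidate = hash_password(password, row["algorithm"])
    return hmac.compare_digest(candidate, row["password"])


def forgot_password(username):
    # The stored digest cannot be reversed, so a new temporary password
    # is generated, returned for e-mailing, and only its hash is stored.
    row = USERS.get(username)
    if row is None:
        return None
    temporary = secrets.token_urlsafe(12)
    row["password"] = hash_password(temporary, row["algorithm"])
    return temporary


if __name__ == "__main__":
    register("daniel", "constructed-sample-pw")  # constructed sample values
    print("stored:", USERS["daniel"]["password"])
    print("login ok:", login("daniel", "constructed-sample-pw"))
    temp = forgot_password("daniel")
    print("old password still works:", login("daniel", "constructed-sample-pw"))
    print("temporary password works:", login("daniel", temp))
```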