Jetendo CMS now supports encrypted passwords for user accounts

Mon, Feb 25, 2013 at 1:54AM

Currently, we store all passwords for user accounts as plain text in the database.  Since all of our web sites so far have not stored any sensitive information, it hasn't been an issue.

However, I wanted to encrypt the passwords so that Jetendo CMS can be more secure and follow more best practices.   In some cases, users will use the same password on our system as they do for other web sites which may hold their financial data.  If someone is able to recover the password for our web sites too easily, they may be able to gain access to the other accounts for our users.   We only allow 10 login attempts before blocking the IP + username, so it is unlikely someone would gain access through a brute force attack, but perhaps they'd be able to steal cookies on a user's system and get in like that.

I also don't think we should allow passwords to ever be retrieved - they should only be able to be reset.

We previously accepted passwords as short as 3 characters, with a maximum of 20 characters.  The minimum length is now 5 and there is no maximum length.

Several hash algorithms are used, and the current version runs each of them 50,000 times to waste CPU time on purpose.  If anyone were able to steal the user database, cracking all the passwords would be much more difficult when each one takes so long to compute.  Each user account also has a very long, unique random salt, which is regenerated every time the password changes.  A salt is important for making stored passwords unique: if many users typed "bluewater" for their password, you wouldn't want them all to have the same value in the database.  Adding the salt to the string makes the hash functions return a different value for each account, whether or not the password itself is unique.

The security of a given hash algorithm changes over time as computers get faster and weaknesses are discovered.  I've made the code easy to modify if we ever need to run a new algorithm on our passwords.
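As an added illustration (not Jetendo CMS's own code), here is the scheme described above in Python: a per-user random salt that is regenerated on every password change, a 50,000-iteration hash, and a version tag in the stored record so that a newer algorithm can be introduced later and old records rehashed the next time the user logs in. It uses PBKDF2 (`hashlib.pbkdf2_hmac`) as the standard form of "running the hash 50,000 times"; the `v0` scheme is a hypothetical older one, included only to show the upgrade path.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical scheme table: each stored record names the scheme that produced it,
# so the algorithm or iteration count can be changed without breaking old records.
SCHEMES = {
    "v0": ("sha1", 1_000),      # hypothetical older scheme, kept only to verify old records
    "v1": ("sha256", 50_000),   # current scheme: 50,000 iterations as in the post
}
CURRENT_SCHEME = "v1"
MIN_PASSWORD_LENGTH = 5         # the post's new minimum length


def hash_password(password: str, scheme: str = CURRENT_SCHEME,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex.

    A fresh 32-byte random salt is drawn on every call, so the salt changes
    whenever a password is set or changed.
    """
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password shorter than the minimum length")
    algo, iterations = SCHEMES[scheme]
    if salt is None:
        salt = secrets.token_bytes(32)
    # PBKDF2 runs the underlying hash `iterations` times over salt + password.
    digest = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    return f"{scheme}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own scheme, salt and iteration count."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    algo, _ = SCHEMES[scheme]
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True if the record was made with an older scheme or iteration count.

    Call this right after a successful login, when the plain password is in
    hand, and store hash_password(password) to upgrade the record.
    """
    scheme, iterations, _, _ = record.split("$")
    return scheme != CURRENT_SCHEME or int(iterations) != SCHEMES[CURRENT_SCHEME][1]
```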

I'll begin moving our existing clients to the new encrypted password functionality soon.  Jetendo CMS will still offer plain text passwords as an option, but it will use encrypted passwords by default.

Eventually, I want to implement options for Jetendo CMS that let you encrypt the contents of the database using public key encryption and other more complex cryptography algorithms so that Jetendo CMS could be used for advanced security applications.
