Far Beyond Code LLC

Bruce Kirkpatrick

Click here to see how google sees this page | Change Font Size: Smaller | Normal | Larger

Offering the best for less

Generate more leads and manage your online business with the best technology platform in the real estate industry. This online marketing solution for agents, teams and offices helps you increase your sales to new levels.

Look your best with our design services

Your web site is probably the first thing customers see before choosing to do business with you. Our designers understand how to communicate the image you want to represent.

"Search engine optimization" only means something when it actually works.

We don't sell you wonderful stories about your amazing online future. We know that most of our competitors just can't deliver. We'll make it easier for you through honesty, affordability and transparency.

Let us modernize the way you do business

Integrating disparate systems, enterprise search, custom intranets, ecommerce systems, automation, advanced reporting and analysis, online collaboration. You name it, we have done it.

Experience + Passion = MAXIMUM RESULTS

Since 2001, this labor of love has provided endless challenges. While many people struggle, Bruce eagerly solves complex computer problems. You need a passionate expert like Bruce on your team.

Jetendo CMS now supports encrypted passwords for user accounts

Follow me:

Mon, Feb 25, 2013 at 1:54AM

Currently, we store all passwords for user accounts as plain text in the database. Since all of our web sites so far have not stored any sensitive information, it hasn't been an issue.

However, I wanted to encrypt the passwords so that Jetendo CMS can be more secure and follow more best practices. In some cases, users will use the same password on our system as they do for other web sites which may hold their financial data. If someone is able to recover the password for our web sites too easily, they may be able to gain access to the other accounts for our users. We only allow 10 login attempts before blocking the IP + username, so it is unlikely someone would gain access through a brute force attack, but perhaps they'd be able to steal cookies on a user's system and get in like that.

I also don't think we should allow passwords to ever be retrieved - they should only be able to be reset.

We used to accept passwords as short as 3 characters and with a maximum limit of 20 characters before. The minimum length is now 5 and there is no maximum length.

Many hash algorithms are used and the current version runs each hash algorithm 50,000 times to waste CPU time on purpose. If anyone was able to steal the user database, it would be much more difficult for them to crack all the passwords when each one takes so long to compute. Each user account also has a very long unique random salt. The salt is also updated every time the password changes. A salt is important for making passwords unique. If many users typed "bluewater" for their password, you wouldn't want them to all have the same value in the database. Adding a salt to the string, allows the hash functions to return a different value for each password whether the password is unique or not.

The security of various hash algorithms changes over time as computers and weakness discoveries are made. I've made the code easy to modify if we ever need to run a new algorithm on our passwords.

I'll begin moving our existing clients to the new encrypted password functionality soon. Jetendo CMS will still offer plain text passwords as an option, but it will use encrypted passwords by default.

Eventually, I want to implement options for Jetendo CMS that let you encrypt the contents of the database using public key encryption and other more complex cryptography algorithms so that Jetendo CMS could be used for advanced security applications.