Jetendo CMS now supports encrypted passwords for user accounts
Currently, we store all passwords for user accounts as plain text in the database. Since all of our web sites so far have not stored any sensitive information, it hasn't been an issue.
However, I wanted to encrypt the passwords so that Jetendo CMS can be more secure and follow more best practices. In some cases, users will use the same password on our system as they do for other web sites which may hold their financial data. If someone is able to recover the password for our web sites too easily, they may be able to gain access to the other accounts for our users. We only allow 10 login attempts before blocking the IP + username, so it is unlikely someone would gain access through a brute force attack, but perhaps they'd be able to steal cookies on a user's system and get in like that.
I also don't think we should allow passwords to ever be retrieved - they should only be able to be reset.
We used to accept passwords as short as 3 characters and with a maximum limit of 20 characters before. The minimum length is now 5 and there is no maximum length.
Many hash algorithms are used and the current version runs each hash algorithm 50,000 times to waste CPU time on purpose. If anyone was able to steal the user database, it would be much more difficult for them to crack all the passwords when each one takes so long to compute. Each user account also has a very long unique random salt. The salt is also updated every time the password changes. A salt is important for making passwords unique. If many users typed "bluewater" for their password, you wouldn't want them to all have the same value in the database. Adding a salt to the string, allows the hash functions to return a different value for each password whether the password is unique or not.
The security of various hash algorithms changes over time as computers and weakness discoveries are made. I've made the code easy to modify if we ever need to run a new algorithm on our passwords.
I'll begin moving our existing clients to the new encrypted password functionality soon. Jetendo CMS will still offer plain text passwords as an option, but it will use encrypted passwords by default.
Eventually, I want to implement options for Jetendo CMS that let you encrypt the contents of the database using public key encryption and other more complex cryptography algorithms so that Jetendo CMS could be used for advanced security applications.
Bookmark & Share
Popular tags on this blogPerformance |
Most Popular Articles
- Mass virtual hosting security tip when using a reverse proxy to connect to other servers
- Solution for MariaDB Field 'xxx' doesn't have a default value
- How to lock Windows immediately upon smart card removal
- Stop using sleep mode with Windows Bitlocker for better security. Learn how to use hibernate in Windows 8.
- Is Google Public DNS actually better then your ISP?
- Pros and Cons of CFML vs PHP and other languages
- Planning a system to visually create responsive data-driven web page layouts & widgets in the Jetendo CMS browser interface
- Run Windows Guest in CentOS 6 Linux Host using Virtualbox 4 via the command line