Some background information...

We changed the default password encoding in 6.2 because storing passwords
in plain text creates an opportunity for unauthorised hackers to get the
passwords of every user on the system. The frequency of incidents of
hackers stealing stored passwords of online systems has been increasing
over the years. Storing passwords as secure hashes means that even if
hackers steal the hashes, it will take time for them to discover the
original passwords; this time can be used to reset everyone's passwords so
that the stolen hashes become (mostly) useless.

It's possible that password theft by hackers is not a major concern for
your system, but we wanted to provide a secure default for 6.2. If you want
to return to the old behaviour, go to the Security Config under the webtop
and change the Password hashing algorithm to 'No hashing'. The stored
passwords will then revert to plain passwords as each user logs in
successfully, or as their passwords are reset. Secure password hashes are
not easily reversible, so no password downgrade tool is available.

We performed extensive testing of the password hashing code to make sure
changing the algorithm wouldn't lock users out of the system. The login
code detects the storage format of the user's password and uses it to do
the password check. This is why the stored passwords are only upgraded
automatically on successful logins and resets: it's the only time the
system knows for sure what the user's actual password is.

My best advice for users who keep forgetting their passwords is to tell
them to write their passwords down. This idea may sound crazy, but is in
fact recommended by a number of security experts:
http://news.cnet.com/Microsoft-security-guru-Jot-down-your-passwords/2100-7355_3-5716590.html

It's important though that written passwords be unique for the system and
not reused across multiple systems.

Regards,

-- Dennis
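The login-time flow described above (detect the stored format by its prefix, verify against that format, and re-store the password only after a successful login, in whichever algorithm is configured), as an added example that is not FarCry's own code. It assumes `$2a$`-style rows are bcrypt and verifies them only if the third-party `bcrypt` package is installed, uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the current algorithm so it runs offline, and uses a constructed `users` dict in place of the farUser table.

```python
# Added example (not FarCry code): prefix-based format detection plus
# rehash-on-successful-login. bcrypt verification needs the optional
# 'bcrypt' package; PBKDF2 is a constructed stand-in for the current hash.
import hashlib, hmac, os, re

try:
    import bcrypt                      # optional; only needed for $2a$ rows
except ImportError:
    bcrypt = None

BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
PBKDF2_PREFIX = "$pbkdf2-sha256$"      # constructed prefix for the stand-in


def storage_format(stored: str) -> str:
    """Classify a farUser.password value by its prefix."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if stored.startswith(PBKDF2_PREFIX):
        return "pbkdf2"
    return "plaintext"                 # pre-6.2 rows carry no prefix


def hash_pbkdf2(password: str, iterations: int = 100_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PBKDF2_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, candidate: str) -> bool:
    """Dispatch on the detected format; constant-time compares throughout."""
    fmt = storage_format(stored)
    if fmt == "plaintext":
        return hmac.compare_digest(stored.encode(), candidate.encode())
    if fmt == "pbkdf2":
        _, _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    if bcrypt is None:
        raise RuntimeError("install 'bcrypt' to verify $2a$ hashes")
    return bcrypt.checkpw(candidate.encode(), stored.encode())


def login(users: dict, name: str, candidate: str, algorithm: str = "pbkdf2") -> bool:
    """Check the password, then re-store it in the configured algorithm.
    algorithm="plaintext" models 'No hashing': the row reverts on next login."""
    stored = users[name]
    if not verify(stored, candidate):
        return False                   # wrong guess: row left untouched
    if storage_format(stored) != algorithm:   # only now is the real password known
        users[name] = candidate if algorithm == "plaintext" else hash_pbkdf2(candidate)
    return True
```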

On 27 March 2013 09:26, Might Aswell <[email protected]> wrote:

> Hi Blair..
>
> It's hard to say what happened. These particular users
> "forget" their passwords all the time, so I dump them for an admin person
> to easily pull up... the user in this case was trying to use the last known
> password, which I confirmed.. it is possible it has changed... Could be an
> isolated incident... If this comes up again I'll repost here.
>
>
> On Tuesday, March 26, 2013 1:48:42 PM UTC-7, Blair McK wrote:
>
>> In 6.2 we have switched to hashing user passwords by default. The prefix
>> you mentioned indicates which hashing algorithm was used. FarCry uses that
>> prefix to determine whether a user's password is still in plaintext and
>> needs to be updated. That check is automatic when a user logs in, but you
>> can kick off a full database update as Sean mentions.
>>
>> When you say the user is unable to login, does that mean they forgot
>> their password or something else? As an admin you can reset passwords in
>> the webtop. You can also update the database with a plaintext password, and
>> FarCry should handle that fine.
>>
>> Blair
>>
>>
>> On Wed, Mar 27, 2013 at 7:02 AM, Sean Coyne <[email protected]> wrote:
>>
>>> Strange. I have updated several sites to 6.2.x w/o running the password
>>> update utility and have no issues with users being unable to login.
>>> Perhaps someone from Daemon can shed some light.
>>>
>>>
>>> On Tuesday, March 26, 2013 3:42:53 PM UTC-4, Might Aswell wrote:
>>>>
>>>> Hi Sean,
>>>>
>>>> No.. I don't believe so.. I checked farUser and don't see lastupdated
>>>> set to passwordfix... however... I did just notice that this seems to
>>>> happen AUTOMATICALLY when a user logs in???
>>>>
>>>> I picked a random user that had an old style password, logged in and
>>>> refreshed the farUser table and the pw was changed...
>>>>
>>>>
>>>> On Tuesday, March 26, 2013 12:29:03 PM UTC-7, Sean Coyne wrote:
>>>>>
>>>>> Did you run the upgrade password security utility?
>>>>>
>>>>> On Tuesday, March 26, 2013 3:09:12 PM UTC-4, Might Aswell wrote:
>>>>>>
>>>>>> I have noticed after upgrading to 6-2-7, that some of my farUser's
>>>>>> passwords have 'changed'
>>>>>>
>>>>>> They appear to be some sort of hash value now instead of a plain text
>>>>>> password... all of them are prefixed with $2a$10$
>>>>>>
>>>>>> I discovered this when a user reported being unable to login to a
>>>>>> protected section of the web site using a last known working password. I
>>>>>> confirmed the issue and then reset it (to itself) via the web top.
>>>>>>
>>>>>> Can someone tell me what changed and why, and why only "some" of
>>>>>> these users seem to have the new "strange" password in the password
>>>>>> column (forgotpasswordhash) is NULL for all these users.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Chris
>>>>>>
>>>>> --
>>> You received this message cos you are subscribed to "farcry-dev" Google
>>> group.
>>> To post, email: [email protected]
>>> To unsubscribe, email: farcry-dev+...@googlegroups.com
>>>
>>> For more options: http://groups.google.com/group/farcry-dev
>>> --------------------------------
>>> Follow us on Twitter: http://twitter.com/farcry
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "farcry-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to farcry-dev+...@googlegroups.com.
>>>
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>
-- 
Dennis Clark | Developer | Daemon | +61 2 8999 8872 |
http://www.daemon.com.au
