Going to try and capture interesting tidbits from the forum in our blog. Starting with this thread... http://farcrycore.github.com/blog/2013/03/30/default-password-encoding-for-farcry-users/
Thanks, GB

On 27 March 2013 11:14, Dennis Clark <[email protected]> wrote:
> Some background information...
>
> We changed the default password encoding in 6.2 because storing passwords in plain text creates an opportunity for unauthorised hackers to get the passwords of every user on the system. The frequency of incidents of hackers stealing stored passwords of online systems has been increasing over the years. Storing passwords as secure hashes means that even if hackers steal the hashes it will take time for them to discover the original passwords; this time can be used to reset everyone's passwords so that the stolen hashes become (mostly) useless.
>
> It's possible that password theft by hackers is not a major concern for your system, but we wanted to provide a secure default for 6.2. If you want to return to the old behaviour, go to the Security Config under the webtop and change the Password hashing algorithm to 'No hashing'. The stored passwords will then revert back to plain passwords as each user logs in successfully, or as their passwords are reset. Secure password hashes are not easily reversible, so no password downgrade tool is available.
>
> We performed extensive testing of the password hashing code to make sure changing the algorithm wouldn't lock users out of the system. The login code detects the storage format of the user's password and uses it to do the password check. This is why the stored passwords are only upgraded automatically on successful logins and resets: it's the only time the system knows for sure what the user's actual password is.
>
> My best advice for users who keep forgetting their passwords is to tell them to write their passwords down. This idea may sound crazy, but is in fact recommended by a number of security experts:
> http://news.cnet.com/Microsoft-security-guru-Jot-down-your-passwords/2100-7355_3-5716590.html
> It's important though that written passwords be unique for the system and not reused across multiple systems.
>
> Regards,
>
> -- Dennis
>
>
> On 27 March 2013 09:26, Might Aswell <[email protected]> wrote:
>>
>> Hi Blair..
>>
>> It's hard to say what happened. These particular users "forget" their passwords all the time, so I dump them for an admin person to easily pull up... the user in this case was trying to use the last known password, which I confirmed.. it is possible it has changed... Could be an isolated incident... If this comes up again I'll repost here.
>>
>>
>> On Tuesday, March 26, 2013 1:48:42 PM UTC-7, Blair McK wrote:
>>>
>>> In 6.2 we have switched to hashing user passwords by default. The prefix you mentioned indicates which hashing algorithm was used. FarCry uses that prefix to determine whether a user's password is still in plaintext and needs to be updated. That check is automatic when a user logs in, but you can kick off a full database update as Sean mentions.
>>>
>>> When you say the user is unable to log in, does that mean they forgot their password or something else? As an admin you can reset passwords in the webtop. You can also update the database with a plaintext password, and FarCry should handle that fine.
>>>
>>> Blair
>>>
>>>
>>> On Wed, Mar 27, 2013 at 7:02 AM, Sean Coyne <[email protected]> wrote:
>>>>
>>>> Strange. I have updated several sites to 6.2.x w/o running the password update utility and have no issues with users being unable to log in. Perhaps someone from Daemon can shed some light.
>>>>
>>>>
>>>> On Tuesday, March 26, 2013 3:42:53 PM UTC-4, Might Aswell wrote:
>>>>>
>>>>> Hi Sean,
>>>>>
>>>>> No.. I don't believe so.. I checked farUser and don't see lastupdated set to passwordfix... however... I did just notice that this seems to happen AUTOMATICALLY when a user logs in???
>>>>>
>>>>> I picked a random user that had an old style password, logged in and refreshed the farUser table and the pw was changed...
>>>>>
>>>>>
>>>>> On Tuesday, March 26, 2013 12:29:03 PM UTC-7, Sean Coyne wrote:
>>>>>>
>>>>>> Did you run the upgrade password security utility?
>>>>>>
>>>>>> On Tuesday, March 26, 2013 3:09:12 PM UTC-4, Might Aswell wrote:
>>>>>>>
>>>>>>> I have noticed after upgrading to 6-2-7, that some of my farUser's passwords have 'changed'.
>>>>>>>
>>>>>>> They appear to be some sort of hash value now instead of a plain text password... all of them are prefixed with $2a$10$
>>>>>>>
>>>>>>> I discovered this when a user reported being unable to log in to a protected section of the web site using a last known working password. I confirmed the issue and then reset it (to itself) via the web top.
>>>>>>>
>>>>>>> Can someone tell me what changed and why, and why only "some" of these users seem to have the new "strange" password in the password column. (forgotpasswordhash) is NULL for all these users.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Chris
>>>>
>>>> --
>>>> You received this message cos you are subscribed to "farcry-dev" Google group.
>>>> To post, email: [email protected]
>>>> To unsubscribe, email: [email protected]
>>>>
>>>> For more options: http://groups.google.com/group/farcry-dev
>>>> --------------------------------
>>>> Follow us on Twitter: http://twitter.com/farcry
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "farcry-dev" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>
>>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>>
>>>>
>>>
>>>
>>
>>
>
>
> --
> Dennis Clark | Developer | Daemon | +61 2 8999 8872 | http://www.daemon.com.au
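The thread describes the mechanism behind the `$2a$10$` prefix Chris saw: the login code detects the storage format from the prefix, verifies accordingly, and rewrites the row only after a successful login, since that is the only moment the system knows the real password. The following is an added illustration of that upgrade-on-login scheme, not FarCry's own code; because bcrypt is not in the Python standard library, it uses a constructed `$pbkdf2$` prefix with PBKDF2-SHA256 in place of FarCry's bcrypt format, and the `USERS` table, usernames and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
import os

# Constructed storage format (assumption, stands in for FarCry's bcrypt "$2a$10$..."):
#   $pbkdf2$<iterations>$<salt base64>$<derived key base64>
PREFIX = "$pbkdf2$"
ITERATIONS = 100_000

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}{ITERATIONS}${base64.b64encode(salt).decode()}${base64.b64encode(dk).decode()}"

def is_hashed(stored: str) -> bool:
    # Storage format is detected from the prefix, as FarCry does with "$2a$10$".
    # Caveat: a legacy plaintext password that itself begins with PREFIX would be misread.
    return stored.startswith(PREFIX)

def verify(stored: str, candidate: str) -> bool:
    if not is_hashed(stored):
        # Legacy plaintext row: constant-time compare against the plaintext itself.
        return hmac.compare_digest(stored.encode(), candidate.encode())
    _, _, iters, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

def login(users: dict, username: str, password: str, hashing_enabled: bool = True) -> bool:
    """Check credentials; on success only, bring the stored form in line with the config.
    A successful login is the only moment the plaintext is known, so both the upgrade
    and the 'No hashing' revert happen here and never on a failed attempt."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if hashing_enabled and not is_hashed(stored):
        users[username] = hash_password(password)      # plaintext -> hash
    elif not hashing_enabled and is_hashed(stored):
        users[username] = password                      # 'No hashing' revert
    return True

def count_plaintext(users: dict) -> int:
    """Audit helper: how many rows still hold a legacy plaintext password."""
    return sum(1 for s in users.values() if not is_hashed(s))

# Constructed sample farUser rows: one legacy plaintext, one already hashed.
USERS = {"chris": "winter2013", "blair": hash_password("correct horse")}
```

`count_plaintext` is the check an admin would run after an upgrade to see how many rows have not yet been migrated by a login or reset.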
