Thanks All!

On Saturday, March 30, 2013 5:46:43 AM UTC-7, Geoff Bowers wrote:
>
> Right, well that's now:
>
> http://blog.farcrycore.org/blog/2013/03/30/default-password-encoding-for-farcry-users/
>
> Enjoy :)
>
> On 30 March 2013 23:12, Geoff Bowers <[email protected]> wrote:
> > Going to try and capture interesting tidbits from the forum in our blog. Starting with this thread...
> > http://farcrycore.github.com/blog/2013/03/30/default-password-encoding-for-farcry-users/
> >
> > Thanks,
> >
> > GB
> >
> > On 27 March 2013 11:14, Dennis Clark <[email protected]> wrote:
> >> Some background information...
> >>
> >> We changed the default password encoding in 6.2 because storing passwords in plain text creates an opportunity for unauthorised hackers to get the passwords of every user on the system. The frequency of incidents of hackers stealing stored passwords of online systems has been increasing over the years. Storing passwords as secure hashes means that even if hackers steal the hashes it will take time for them to discover the original passwords; this time can be used to reset everyone's passwords so that the stolen hashes become (mostly) useless.
> >>
> >> It's possible that password theft by hackers is not a major concern for your system, but we wanted to provide a secure default for 6.2. If you want to return to the old behaviour, go to the Security Config under the webtop and change the Password hashing algorithm to 'No hashing'. The stored passwords will then revert back to plain passwords as each user logs in successfully, or as their passwords are reset. Secure password hashes are not easily reversible, so no password downgrade tool is available.
> >>
> >> We performed extensive testing of the password hashing code to make sure changing the algorithm wouldn't lock users out of the system. The login code detects the storage format of the user's password and uses it to do the password check. This is why the stored passwords are only upgraded automatically on successful logins and resets: it's the only time the system knows for sure what the user's actual password is.
> >>
> >> My best advice for users who keep forgetting their passwords is to tell them to write their passwords down. This idea may sound crazy, but is in fact recommended by a number of security experts:
> >> http://news.cnet.com/Microsoft-security-guru-Jot-down-your-passwords/2100-7355_3-5716590.html
> >> It's important though that written passwords be unique for the system and not reused across multiple systems.
> >>
> >> Regards,
> >>
> >> -- Dennis
> >>
> >> On 27 March 2013 09:26, Might Aswell <[email protected]> wrote:
> >>> Hi Blair..
> >>>
> >>> It's hard to say what happened. These particular users "forget" their passwords all the time, so I dump them for an admin person to easily pull up... the user in this case was trying to use the last known password, which I confirmed.. it is possible it has changed... Could be an isolated incident... If this comes up again I'll repost here.
> >>>
> >>> On Tuesday, March 26, 2013 1:48:42 PM UTC-7, Blair McK wrote:
> >>>> In 6.2 we have switched to hashing user passwords by default. The prefix you mentioned indicates which hashing algorithm was used. FarCry uses that prefix to determine whether a user's password is still in plaintext and needs to be updated. That check is automatic when a user logs in, but you can kick off a full database update as Sean mentions.
> >>>>
> >>>> When you say the user is unable to login, does that mean they forgot their password or something else? As an admin you can reset passwords in the webtop. You can also update the database with a plaintext password, and FarCry should handle that fine.
> >>>>
> >>>> Blair
> >>>>
> >>>> On Wed, Mar 27, 2013 at 7:02 AM, Sean Coyne <[email protected]> wrote:
> >>>>> Strange. I have updated several sites to 6.2.x w/o running the password update utility and have no issues with users being unable to login. Perhaps someone from Daemon can shed some light.
> >>>>>
> >>>>> On Tuesday, March 26, 2013 3:42:53 PM UTC-4, Might Aswell wrote:
> >>>>>> Hi Sean,
> >>>>>>
> >>>>>> No.. I don't believe so.. I checked farUser and don't see lastupdated set to passwordfix... however... I did just notice that this seems to happen AUTOMATICALLY when a user logs in???
> >>>>>>
> >>>>>> I picked a random user that had an old style password, logged in and refreshed the farUser table and the pw was changed...
> >>>>>>
> >>>>>> On Tuesday, March 26, 2013 12:29:03 PM UTC-7, Sean Coyne wrote:
> >>>>>>> Did you run the upgrade password security utility?
> >>>>>>>
> >>>>>>> On Tuesday, March 26, 2013 3:09:12 PM UTC-4, Might Aswell wrote:
> >>>>>>>> I have noticed after upgrading to 6-2-7, that some of my farUser passwords have 'changed'.
> >>>>>>>>
> >>>>>>>> They appear to be some sort of hash value now instead of a plain text password... all of them are prefixed with $2a$10$
> >>>>>>>>
> >>>>>>>> I discovered this when a user reported being unable to login to a protected section of the web site using a last known working password. I confirmed the issue and then reset it (to itself) via the web top.
> >>>>>>>>
> >>>>>>>> Can someone tell me what changed and why, and why only "some" of these users seem to have the new "strange" password in the password column. (forgotpasswordhash) is NULL for all these users.
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>>
> >>>>>>>> Chris
> >>
> >> --
> >> Dennis Clark | Developer | Daemon | +61 2 8999 8872 |
> >> http://www.daemon.com.au
-- You received this message cos you are subscribed to "farcry-dev" Google group. To post, email: [email protected] To unsubscribe, email: [email protected] For more options: http://groups.google.com/group/farcry-dev -------------------------------- Follow us on Twitter: http://twitter.com/farcry --- You received this message because you are subscribed to the Google Groups "farcry-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
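Dennis's and Blair's replies above describe the mechanism behind the `$2a$10$` prefixes: the prefix on the stored value tells the login code which format it is checking, and a plaintext record is re-hashed only once a successful login has proven the password, which is why only users who have logged in since the upgrade show the new value. The following is an added example written for this thread, not FarCry's code; since the standard library has no bcrypt, the constructed stand-in stores PBKDF2-HMAC-SHA256 under an assumed `$pbkdf2$` prefix, and the user table, names and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os

# Stand-in for the real scheme: FarCry 6.2 stores bcrypt hashes, recognisable
# by the "$2a$10$" prefix. This constructed example uses PBKDF2-HMAC-SHA256
# under its own "$pbkdf2$" prefix so it runs offline. The mechanism is the
# point, not the algorithm: the prefix tells the login code how to check.
PREFIX = "$pbkdf2$"
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: prefix, base64 salt, base64 derived key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return PREFIX + base64.b64encode(salt).decode() + "$" + base64.b64encode(dk).decode()


def storage_format(stored: str) -> str:
    """Detect the storage format from the prefix, as the login code does."""
    return "pbkdf2" if stored.startswith(PREFIX) else "plaintext"


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against whatever format is stored."""
    if storage_format(stored) == "plaintext":
        return hmac.compare_digest(stored.encode(), candidate.encode())
    _, _, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             base64.b64decode(salt_b64), ITERATIONS)
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def login(users: dict, username: str, candidate: str) -> bool:
    """Authenticate, and upgrade a plaintext record only after the password
    has been proven correct; a failed login leaves the record untouched."""
    stored = users.get(username)
    if stored is None or not verify(stored, candidate):
        return False
    if storage_format(stored) == "plaintext":
        users[username] = hash_password(candidate)
    return True


def pending_upgrades(users: dict) -> list:
    """Audit helper: accounts still in plaintext, i.e. not logged in since the upgrade."""
    return sorted(u for u, s in users.items() if storage_format(s) == "plaintext")
```

`pending_upgrades` is the check an admin would run to see which accounts still await a login or reset before the table is fully hashed.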
