Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Config of encrypted passwords  (Read 4311 times)

0 Members and 1 Guest are viewing this topic.

casNuy

  • Contributor
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 671
  • My other hobby
    • Nuy Community
Config of encrypted passwords
« on: August 08, 2005, 11:17:00 pm »

Scanned the forum but did not find any clues so.............
When configuring Coppermine, i see no option to disable/enable password encryption. This is also not asked when installing/updating Coppermine.
Can both be added to the final release ?

Cas
« Last Edit: September 06, 2005, 01:34:54 pm by GauGau »
Logged

Nibbler

  • Guest
Re: Config of encrypted passwords
« Reply #1 on: August 08, 2005, 11:24:32 pm »

There's an option in config to enable md5 passwords on upgraded galleries, new installs use md5 passwords by default.
Logged

casNuy

  • Contributor
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 671
  • My other hobby
    • Nuy Community
Re: Config of encrypted passwords
« Reply #2 on: August 08, 2005, 11:58:34 pm »

Thanks, nevertheless will the option become available on new installs plus an option within the config ?

Cas
Logged

donnoman

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 1615
  • From donovanbray.com
    • Donovan Bray
Re: Config of encrypted passwords
« Reply #3 on: August 09, 2005, 05:01:57 am »

No, the default schema on a new installs enables MD5 passwords from the get go.

The option to switch to MD5 on a gallery upgrade is a roach motel.  It will be shown on an install thats currently unencrypted, when they select yes. The db gets updated, and there's no road backwards, so the option to unset "enable encrypted passwords" is no longer shown.

There had been a discussion amongst the devs of should we force md5 encryption on upgrade. That idea was discarded because it might affect bridging or custom code.  Most of the devs felt that leaving the default as unencrypted passwords unnecessarily left Coppermine's security weaker than it should be at no real benifit to most Coppermine users so we agreed to only force it on new installs.
Logged

casNuy

  • Contributor
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 671
  • My other hobby
    • Nuy Community
Re: Config of encrypted passwords
« Reply #4 on: August 11, 2005, 11:49:38 pm »

The config setting will stay or will this also be removed in the future ?
pnCPG functions nicely with unencrypted passwords so for my module, i would like the people to have that set to 0.
Would save me a lot of work and ould enable me to deliver an integration moduler without changing core php code.

Cas
Logged

donnoman

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 1615
  • From donovanbray.com
    • Donovan Bray
Re: Config of encrypted passwords
« Reply #5 on: August 12, 2005, 04:07:23 am »

For un-upgraded galleries I don't see the option going away. However new installs will cause you problems.

I would suggest the best long term plan is to develop a bridge to be used for pnCPG (it could be just as easy as making it a copy of the coppermine bridge, and forcing the password to always be unencrypted.)
Logged
Pages: [1]   Go Up
 

Page created in 0.023 seconds with 19 queries.