I use MD5 hashing on all systems, which is needed to be compatible with other system tools that share the password information. Not sure how this change would affect me.
I still have a number of sites older than 3.4.11 due to being unable to upgrade them (nested divs in wide use, for example). None of my systems are using anything newer than 3.4.11. A brief try at 3.4.12 broke a lot of stuff, and I've had no time for several months now, due to work and health issues, to figure out how to get past that.

On Tue, Jul 6, 2010 at 7:12 AM, The Editor <[email protected]> wrote:
> After examining an issue brought up on the list, I've come to the
> conclusion it would be best to tighten up BoltWire's login system a
> bit.
>
> There is a security vulnerability based on BoltWire's ability to store
> passwords as either plaintext or encrypted. There is no easy way to
> exploit it at this point, because of other safeguards in place, but
> our best bet is to have each level as secure as possible. Fortunately,
> the fix is easy, and elegant.
>
> But it could affect some sites. Specifically, if you have some members
> with encrypted passwords and some without, one group or the other will
> be excluded. And there's no easy way to solve this other than to
> upgrade all passwords to one or the other format... Could be a
> challenging problem...
>
> Anyway, I'm just curious how many people this might affect? It should
> only affect you if you have at some point used the loginfmt =
> plaintext option in your register form, and then, only for some of
> your login accounts, not all...
>
> The other thing I'm wondering is if we shouldn't change how the
> encryption key is set. Right now, it's a value defined in site.config,
> but that almost invites people to change it, when it should never be
> changed once a site is rolling. A better solution might be to set it
> as a value in index.php, and tell people never to touch it after
> setting it once at their initial installation.
>
> Another option is to not make this change until we get to 4.xx. I think
> I'm pretty much done with 3.xx, so we could build this into the change
> for 4.xx. It is the right fix, but it could be a massive problem for a
> small number of users. Hopefully none... Feedback on how to proceed
> is appreciated...
>
> Cheers,
> Dan
>
> --
> You received this message because you are subscribed to the Google Groups
> "BoltWire" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]<boltwire%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/boltwire?hl=en.
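Dan's message describes a member list in which some accounts hold a plaintext password (registered with `loginfmt = plaintext`) and others a hashed one, where a strict checker would lock out one group unless every account is first converted. The following is an added example, not BoltWire's code, of how a site could converge such a mixed store to one format without a flag-day migration: each record carries an explicit format tag (the tagged layout, the `MEMBERS` sample and all function names are assumptions), a login is verified only under its own tag, and a plaintext record that verifies is rewritten in hashed form on the spot.

```python
import hashlib
import hmac

# Constructed sample store standing in for a BoltWire-style member list:
# one account registered with "loginfmt = plaintext", one stored hashed.
# The tagged layout is an assumption, not BoltWire's actual storage format.
MEMBERS = {
    "alice": {"fmt": "plaintext", "pw": "correct horse"},
    "bob":   {"fmt": "md5", "pw": hashlib.md5(b"battery staple").hexdigest()},
}


def _digest(password: str) -> str:
    # MD5 only because the systems in this thread share MD5 hashes with other
    # tools; a new deployment would use a salted, deliberately slow hash.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Check a login strictly under the record's own format tag.

    The tag removes any need to guess what the stored value is. A plaintext
    record that verifies is rewritten as a hash, so the store converges to
    the hashed format one login at a time with nobody locked out.
    """
    rec = store.get(user)
    if rec is None:
        return False
    if rec["fmt"] == "md5":
        ok = hmac.compare_digest(rec["pw"].encode(), _digest(password).encode())
    elif rec["fmt"] == "plaintext":
        ok = hmac.compare_digest(rec["pw"].encode(), password.encode())
        if ok:
            store[user] = {"fmt": "md5", "pw": _digest(password)}
    else:
        ok = False  # unknown tag: refuse rather than fall back to a guess
    return ok


def remaining_plaintext(store: dict) -> list:
    """Accounts still stored in plaintext. Once this is empty the site can
    switch to the hashed-only login check without excluding anyone."""
    return sorted(u for u, r in store.items() if r["fmt"] == "plaintext")
```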
