CE uses authlogic to handle authentication. The user's password is not stored in plain text; it's concatenated with a salt (a random string) and then encrypted. So even if someone were able to access the password stored in the database, they'd have to find a way to decrypt it (not an easy thing to do). I'd recommend reading:

http://www.binarylogic.com/2008/11/22/storing-nuclear-launch-codes-in-your-app-enter-bcrypt-for-authlogic/

Passwords, by default, are encrypted using the Digest::SHA1 algorithm (admittedly not the *safest* encryption out there, but still reasonably good). Of course, it's easy to override the encryption provider with one of your choosing (see: http://railsapi.com/doc/authlogic-v2.1.3/classes/Authlogic/CryptoProviders). You'd just need to override the CommunityEngineSha1CryptoMethod class.

Thanks,
Bruno

On Tue, Apr 13, 2010 at 8:18 AM, Bill <[email protected]> wrote:
> Can someone give me a brief overview of how passwords and login are
> made secure in CE? I see salts and hashing may be involved, as well
> as the authlogic plugin, but I haven't been able to find clear
> documentation on details.
>
> We've had a little concern from users about password security --
> mostly just that the password they use to log in could be stolen and
> used for other sites if it is one of their common passwords. We're
> not using SSL as our site's data isn't anything very important
> (financial data, etc.), and it seems there would be extra cost and
> effort in setting up SSL.
>
> --
> You received this message because you are subscribed to the Google Groups
> "CommunityEngine" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/communityengine?hl=en.
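The storage scheme Bruno describes (salt concatenated with the password, hashed with SHA1, provider swappable for a stronger one), as an added Ruby example that is not CommunityEngine's or authlogic's own code. The provider contract (`encrypt(*tokens)` / `matches?(crypted, *tokens)`) is modelled on authlogic's crypto providers but written from scratch here; the stretch count, the `PasswordRecord` struct and the `same_password_different_digests?` helper are assumptions for this example, and PBKDF2 from Ruby's bundled OpenSSL stands in for bcrypt so the file runs with no extra gems.

```ruby
require 'digest/sha1'
require 'openssl'
require 'securerandom'

# Constant-time comparison, so checking a stored digest does not leak how many
# leading bytes matched through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical provider modelled on the authlogic crypto-provider contract:
# `encrypt(*tokens)` turns [password, salt] into the value stored in the
# database; `matches?` re-derives it from a login attempt and compares.
# This is the scheme the thread describes: salt + password, hashed with SHA1.
module SaltedSha1Provider
  STRETCHES = 10 # hypothetical stretch count chosen for this example

  def self.encrypt(*tokens)
    digest = tokens.join # password and salt concatenated, as in the thread
    STRETCHES.times { digest = Digest::SHA1.hexdigest(digest) }
    digest
  end

  def self.matches?(crypted, *tokens)
    secure_compare(crypted, encrypt(*tokens))
  end
end

# A deliberately expensive provider with the same contract. PBKDF2 is used
# instead of bcrypt only so the example needs no extra gems; bcrypt (as in the
# linked article) would plug into the same two methods.
module Pbkdf2Provider
  ITERATIONS = 100_000 # example work factor; raise it as hardware gets faster

  def self.encrypt(*tokens)
    password, salt = tokens
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: 'sha256').unpack1('H*')
  end

  def self.matches?(crypted, *tokens)
    secure_compare(crypted, encrypt(*tokens))
  end
end

# Stand-in for the user row: only the salt and the derived digest are stored,
# never the password itself. The provider is pluggable, which is what
# overriding the crypto provider class in the reply amounts to.
PasswordRecord = Struct.new(:password_salt, :crypted_password, :provider) do
  def self.create(password, provider)
    salt = SecureRandom.hex(16) # fresh random salt per user
    new(salt, provider.encrypt(password, salt), provider)
  end

  def valid_password?(candidate)
    provider.matches?(crypted_password, candidate, password_salt)
  end
end

# Two users choosing the same password get different stored digests because
# each row has its own salt, so one cracked row does not reveal the other;
# the correct password still verifies and a wrong one still fails.
def same_password_different_digests?(provider)
  a = PasswordRecord.create('hunter2', provider) # constructed sample password
  b = PasswordRecord.create('hunter2', provider)
  a.crypted_password != b.crypted_password &&
    a.valid_password?('hunter2') && !a.valid_password?('hunter3')
end

if __FILE__ == $PROGRAM_NAME
  [SaltedSha1Provider, Pbkdf2Provider].each do |provider|
    puts "#{provider}: #{same_password_different_digests?(provider)}"
  end
end
```

The salt defeats precomputed tables, but it does not slow down guessing: a stretched SHA1 digest is still cheap to recompute per guess, which is why the linked article argues for swapping the provider to a slow hash. Both providers above satisfy the same interface, so the swap is confined to the provider class.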
