It is all discussible :)

3.0.7 still uses MD5CryptImplementation
<https://github.com/apache/openmeetings/blob/3.0.x/src/util/java/org/apache/openmeetings/util/crypt/MD5CryptImplementation.java>
which is not secure at all :(((

We can add back SHA256Implementation
<https://github.com/apache/openmeetings/blob/3.1.x/openmeetings-util/src/main/java/org/apache/openmeetings/util/crypt/SHA256Implementation.java>
(available since 3.1.x) for compatibility reasons, but I'm afraid there is no clean way to perform backup and preserve passwords .....
I thought maybe we can add "Reset All passwords" admin function, but it is totally insecure :(

Any ideas are appreciated :)

On Wed, May 24, 2017 at 4:15 PM, Peter Dähn <[email protected]> wrote:

> Hi,
>
> I think further investigation is not needed. I just didn't see it before...
>
> Is this behavior the final state? Then it will be difficult to update my
> installation (3.0.7). This also should be the problem with any installation
> before 3.3.0. Isn't it?
>
> Greetings Peter
>
> On 24.05.2017 at 11:07, Maxim Solodovnik wrote:
>
>> Hello Peter,
>>
>> these debug messages are OK during import (I can perform further
>> investigation, but I believe this is not an issue)
>>
>> Current 4.0.0 contains backported code from 3.3.0 which has stronger
>> Password rules ...
>> You were unable to login after restore from backup since Password Crypt was
>> changed to the SCrypt, which is stronger than SHA512 used before
>>
>> On Wed, May 24, 2017 at 3:50 PM, Peter Dähn <[email protected]> wrote:
>>
>>> I tried to reset the password. I got the following message:
>>>
>>> "Weak' password: at least 1 special symbol '!@#$%^&*][' is required"
>>>
>>> Could this be the problem? I think this shouldn't be like that, because
>>> there wasn't such restriction before.
>>>
>>> Greetings Peter
>>>
>>> On 24.05.2017 at 10:21, Peter Dähn wrote:
>>>
>>>> Hi Maxim,
>>>>
>>>> I wanted to try out html5 video components...
>>>>
>>>> While importing my backup (worked before) I got a lot of these messages
>>>> below.
>>>>
>>>> DEBUG 05-24 10:06:49.592 AuthLevelUtil.java 56867 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [GRANTED]
>>>> DEBUG 05-24 10:06:49.601 AuthLevelUtil.java 56876 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>> DEBUG 05-24 10:06:49.609 AuthLevelUtil.java 56884 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>> DEBUG 05-24 10:06:49.615 AuthLevelUtil.java 56890 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>> DEBUG 05-24 10:06:49.622 AuthLevelUtil.java 56897 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>> DEBUG 05-24 10:06:49.629 AuthLevelUtil.java 56904 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>> DEBUG 05-24 10:06:49.636 AuthLevelUtil.java 56911 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>>
>>>> I never noticed these ones before. After starting the server, I couldn't
>>>> login with my admin user. "Username/email and/or password are
>>>> incorrect."
>>>>
>>>> Any Ideas?
>>>>
>>>> Greetings Peter
>>>>

--
WBR
Maxim aka solomax
