Sure, have to fix some issues.
Will try to finish everything by next weekend :)
So no rush right now :)

My ideas were:
1) Add Admin function "reset all passwords" (not sure how users should be notified on new password in this case)
2) Add Admin function: "Email all users" general email "Please reset your passwords" will be sent to all users
3) Allow login with old password and require user to change it, possible but seems to be tricky

Will wait for the results of your discussion :)

On Wed, Jun 14, 2017 at 2:00 PM, Peter Dähn <[email protected]> wrote:

> Hi Maxim,
>
> you are right, this point is left....
> I think I try to discuss this with a colleague of mine. Maybe we get an idea...
>
> Back later the or most likely on Friday. I hope this is on time.
>
> Greetings Peter
>
> On 14.06.2017 at 07:43, Maxim Solodovnik wrote:
>
> Thanks a lot Peter,
>
> Now I'm back and ready to help :)
>
> Would appreciate to hear any thoughts regarding "soft" changing of password hash function
>
> On Mon, Jun 12, 2017 at 6:40 PM, Peter Dähn <[email protected]> wrote:
>
> so.. now it is time I think...
>
> Congratulations! I hope you had a nice wedding and a few relaxing days...
>
> Greetings Peter
>
> On 24.05.2017 at 12:03, Peter Dähn wrote:
>
> ok.. then good luck...
>
> and best wishes when you are back... ;-)
>
> On 24.05.2017 at 11:57, Maxim Solodovnik wrote:
>
> Thanks :)
>
> I'll be on vacation for the next 2 weeks, with rare access to the email from my phone, so no rush :)
>
> On Wed, May 24, 2017 at 4:55 PM, Peter Dähn <[email protected]> wrote:
>
> ok.. need to think about it... ;-)
>
> I will be back in office next week... maybe with "THE IDEA".. or maybe not... ;-)
>
> Greetings Peter
>
> On 24.05.2017 at 11:21, Maxim Solodovnik wrote:
>
> It is all discussible :)
>
> 3.0.7 still uses MD5CryptImplementation <https://github.com/apache/openmeetings/blob/3.0.x/src/util/java/org/apache/openmeetings/util/crypt/MD5CryptImplementation.java> which is not secure at all :(((
> We can add back SHA256Implementation <https://github.com/apache/openmeetings/blob/3.1.x/openmeetings-util/src/main/java/org/apache/openmeetings/util/crypt/SHA256Implementation.java> (available since 3.1.x) for compatibility reasons, but I'm afraid there is no clean way to perform backup and preserve passwords .....
>
> I thought maybe we can add "Reset All passwords" admin function, but it is totally insecure :(
> Any ideas are appreciated :)
>
> On Wed, May 24, 2017 at 4:15 PM, Peter Dähn <[email protected]> wrote:
>
> Hi,
>
> I think further investigation is not needed. I just didn't see it before...
>
> Is this behavior the final state? Then it will be difficult to update my installation (3.0.7). This also should be the problem with any installation before 3.3.0. Isn't it?
>
> Greetings Peter
>
> On 24.05.2017 at 11:07, Maxim Solodovnik wrote:
>
> Hello Peter,
>
> these debug messages are OK during import (I can perform further investigation, but I believe this is not an issue)
>
> Current 4.0.0 contains backported code from 3.3.0 which has stronger Password rules ...
> You were unable to login after restore from backup since Password Crypt was changed to the SCrypt, which is stronger than SHA512 used before
>
> On Wed, May 24, 2017 at 3:50 PM, Peter Dähn <[email protected]> wrote:
>
> I tried to reset the password. I got the following message:
>
> "Weak' password: at least 1 special symbol '!@#$%^&*][' is required"
>
> Could this be the problem? I think this shouldn't be like that, because there wasn't such restriction before.
>
> Greetings Peter
>
> On 24.05.2017 at 10:21, Peter Dähn wrote:
>
> Hi Maxim,
>
> I wanted to try out html5 video components...
>
> While importing my backup (worked before) I got a lot of these messages below.
>
> DEBUG 05-24 10:06:49.592 AuthLevelUtil.java 56867 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [GRANTED]
> DEBUG 05-24 10:06:49.601 AuthLevelUtil.java 56876 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
> DEBUG 05-24 10:06:49.609 AuthLevelUtil.java 56884 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
> DEBUG 05-24 10:06:49.615 AuthLevelUtil.java 56890 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
> DEBUG 05-24 10:06:49.622 AuthLevelUtil.java 56897 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
> DEBUG 05-24 10:06:49.629 AuthLevelUtil.java 56904 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
> DEBUG 05-24 10:06:49.636 AuthLevelUtil.java 56911 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>
> I never noticed these ones before. After starting the server, I couldn't login with my admin user. "Username/email and/or password are incorrect."
>
> Any ideas?
>
> Greetings Peter
>
> --
> B.Sc. Peter Dähn
> Virtueller Campus Rheinland-Pfalz <http://www.vcrp.de/>
> Postfach 3049
> 67653 Kaiserslautern
> Tel: 0631/205-4944
> Olat <https://olat.vcrp.de/>

--
WBR
Maxim aka solomax
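
Added example, not part of the thread and not OpenMeetings code: one way to do the "soft" change of password hash function asked about above is to tag each stored hash with its scheme and re-hash with scrypt at the first successful login, when the plaintext is available. The record format, the unsalted hex-digest model of the legacy MD5/SHA-256 hashes, the scrypt parameters and all function names are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example (not OpenMeetings settings).
N, R, P = 2**14, 8, 1
# Legacy schemes named in the thread, modelled here as unsalted hex digests.
LEGACY = {"md5": hashlib.md5, "sha256": hashlib.sha256}

def scrypt_record(password):
    """Build a self-describing record: scrypt$N$r$p$salt$hash (assumed format)."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    enc = lambda b: base64.b64encode(b).decode()
    return "scrypt$%d$%d$%d$%s$%s" % (N, R, P, enc(salt), enc(dk))

def verify(record, password):
    """Check a password against a record of any supported scheme."""
    scheme, _, rest = record.partition("$")
    if scheme == "scrypt":
        n, r, p, salt, want = rest.split("$")
        want = base64.b64decode(want)
        got = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt),
                             n=int(n), r=int(r), p=int(p), dklen=len(want))
        return hmac.compare_digest(got, want)
    if scheme in LEGACY:
        got = LEGACY[scheme](password.encode()).hexdigest()
        return hmac.compare_digest(got.encode(), rest.encode())
    return False  # unknown scheme: refuse rather than guess

def login(db, user, password):
    """Verify, then re-hash with scrypt while the plaintext is in hand."""
    record = db.get(user)
    if record is None or not verify(record, password):
        return False
    if not record.startswith("scrypt$"):
        db[user] = scrypt_record(password)  # legacy record is replaced
    return True

def legacy_users(db):
    """Accounts still on an old hash, e.g. candidates for a reset e-mail."""
    return sorted(u for u, rec in db.items() if not rec.startswith("scrypt$"))

def sample_db():
    """Constructed sample data, as if restored from an old backup."""
    return {"alice": "md5$" + hashlib.md5(b"correct horse").hexdigest(),
            "bob": "sha256$" + hashlib.sha256(b"battery staple").hexdigest()}
```

Accounts that never log in again stay on the weak hash, so `legacy_users` gives the list that would still need a reset request after a cut-off date.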
