Right, well that's now: http://blog.farcrycore.org/blog/2013/03/30/default-password-encoding-for-farcry-users/
Enjoy :)

On 30 March 2013 23:12, Geoff Bowers <[email protected]> wrote:
> Going to try and capture interesting tidbits from the forum in our
> blog. Starting with this thread...
>
> http://farcrycore.github.com/blog/2013/03/30/default-password-encoding-for-farcry-users/
>
> Thanks,
>
> GB
>
> On 27 March 2013 11:14, Dennis Clark <[email protected]> wrote:
>> Some background information...
>>
>> We changed the default password encoding in 6.2 because storing passwords in
>> plain text creates an opportunity for unauthorised hackers to get the
>> passwords of every user on the system. The frequency of incidents of hackers
>> stealing stored passwords of online systems has been increasing over the
>> years. Storing passwords as secure hashes means that even if hackers steal
>> the hashes it will take time for them to discover the original passwords;
>> this time can be used to reset everyone's passwords so that the stolen
>> hashes become (mostly) useless.
>>
>> It's possible that password theft by hackers is not a major concern for your
>> system, but we wanted to provide a secure default for 6.2. If you want to
>> return to the old behaviour, go to the Security Config under the webtop and
>> change the Password hashing algorithm to 'No hashing'. The stored passwords
>> will then revert back to plain passwords as each user logs in successfully,
>> or as their passwords are reset. Secure password hashes are not easily
>> reversible, so no password downgrade tool is available.
>>
>> We performed extensive testing of the password hashing code to make sure
>> changing the algorithm wouldn't lock users out of the system. The login code
>> detects the storage format of the user's password and uses it to do the
>> password check. This is why the stored passwords are only upgraded
>> automatically on successful logins and resets: it's the only time the system
>> knows for sure what the user's actual password is.
>>
>> My best advice for users who keep forgetting their passwords is to tell them
>> to write their passwords down. This idea may sound crazy, but is in fact
>> recommended by a number of security experts:
>> http://news.cnet.com/Microsoft-security-guru-Jot-down-your-passwords/2100-7355_3-5716590.html
>> It's important though that written passwords be unique for the system and
>> not reused across multiple systems.
>>
>> Regards,
>>
>> -- Dennis
>>
>>
>> On 27 March 2013 09:26, Might Aswell <[email protected]> wrote:
>>>
>>> Hi Blair..
>>>
>>> It's hard to say what happened. These particular users "forget" their
>>> passwords all the time, so I dump them for an admin person to easily pull
>>> up... the user in this case was trying to use the last known password, which
>>> I confirmed.. it is possible it has changed... Could be an isolated
>>> incident... If this comes up again I'll repost here.
>>>
>>>
>>> On Tuesday, March 26, 2013 1:48:42 PM UTC-7, Blair McK wrote:
>>>>
>>>> In 6.2 we have switched to hashing user passwords by default. The prefix
>>>> you mentioned indicates which hashing algorithm was used. FarCry uses that
>>>> prefix to determine whether a user's password is still in plaintext and
>>>> needs to be updated. That check is automatic when a user logs in, but you
>>>> can kick off a full database update as Sean mentions.
>>>>
>>>> When you say the user is unable to login, does that mean they forgot
>>>> their password or something else? As an admin you can reset passwords in
>>>> the webtop. You can also update the database with a plaintext password, and
>>>> FarCry should handle that fine.
>>>>
>>>> Blair
>>>>
>>>>
>>>> On Wed, Mar 27, 2013 at 7:02 AM, Sean Coyne <[email protected]> wrote:
>>>>>
>>>>> Strange. I have updated several sites to 6.2.x w/o running the password
>>>>> update utility and have no issues with users being unable to login.
>>>>> Perhaps someone from Daemon can shed some light.
>>>>>
>>>>>
>>>>> On Tuesday, March 26, 2013 3:42:53 PM UTC-4, Might Aswell wrote:
>>>>>>
>>>>>> Hi Sean,
>>>>>>
>>>>>> No.. I don't believe so.. I checked farUser and don't see lastupdated
>>>>>> set to passwordfix... however... I did just notice that this seems to
>>>>>> happen AUTOMATICALLY when a user logs in???
>>>>>>
>>>>>> I picked a random user that had an old style password, logged in and
>>>>>> refreshed the farUser table and the pw was changed...
>>>>>>
>>>>>>
>>>>>> On Tuesday, March 26, 2013 12:29:03 PM UTC-7, Sean Coyne wrote:
>>>>>>>
>>>>>>> Did you run the upgrade password security utility?
>>>>>>>
>>>>>>> On Tuesday, March 26, 2013 3:09:12 PM UTC-4, Might Aswell wrote:
>>>>>>>>
>>>>>>>> I have noticed after upgrading to 6-2-7, that some of my farUser's
>>>>>>>> passwords have 'changed'
>>>>>>>>
>>>>>>>> They appear to be some sort of hash value now instead of a plain text
>>>>>>>> password... all of them are prefixed with $2a$10$
>>>>>>>>
>>>>>>>> I discovered this when a user reported being unable to login to a
>>>>>>>> protected section of the web site using a last known working password.
>>>>>>>> I confirmed the issue and then reset it (to itself) via the webtop.
>>>>>>>>
>>>>>>>> Can someone tell me what changed and why, and why only "some" of
>>>>>>>> these users seem to have the new "strange" password in the password
>>>>>>>> column (forgotpasswordhash) is NULL for all these users.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Chris
>>>>>
>>>>> --
>>>>> You received this message cos you are subscribed to "farcry-dev" Google
>>>>> group.
>>>>> To post, email: [email protected]
>>>>> To unsubscribe, email: [email protected]
>>>>>
>>>>> For more options: http://groups.google.com/group/farcry-dev
>>>>> --------------------------------
>>>>> Follow us on Twitter: http://twitter.com/farcry
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "farcry-dev" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>>
>>>>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>> --
>> Dennis Clark | Developer | Daemon | +61 2 8999 8872 |
>> http://www.daemon.com.au
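The mechanism Dennis and Blair describe above (the login code reads the storage format off the prefix of the stored value, checks the password in that format, and rewrites the row only after a successful login or reset, because that is the only moment the system actually holds the user's password) is shown here as an added example. It is not FarCry's code: FarCry 6.2 writes bcrypt hashes with the `$2a$10$` prefix, and bcrypt is not in Python's standard library, so this example substitutes PBKDF2-HMAC-SHA256 from `hashlib` under an assumed `$pbkdf2-sha256$` prefix. Rows with a `$2a$`/`$2b$` prefix are recognised but cannot be verified here. The user table, usernames, passwords, round count and the `"none"` setting (standing in for the webtop's 'No hashing' option) are all constructed for the example.

```python
# Added example (not FarCry's own code). FarCry 6.2 stores bcrypt hashes
# with a "$2a$10$" prefix; bcrypt is not in the Python standard library, so
# this example substitutes PBKDF2-HMAC-SHA256 from hashlib under an assumed
# "$pbkdf2-sha256$" prefix. The user table, names and the "none" setting
# are constructed for the example.
import base64
import hashlib
import hmac
import os

PBKDF2_PREFIX = "$pbkdf2-sha256$"
PBKDF2_ROUNDS = 100_000   # assumed work factor for the example


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing hash: prefix, rounds, salt, derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{PBKDF2_PREFIX}{rounds}${_b64(salt)}${_b64(dk)}"


def storage_format(stored: str) -> str:
    """Classify the password column by its prefix, as the login code does."""
    if stored.startswith(PBKDF2_PREFIX):
        return "pbkdf2-sha256"
    if stored.startswith("$2a$") or stored.startswith("$2b$"):
        return "bcrypt"       # the format FarCry writes; not verifiable here
    return "plaintext"        # legacy rows carry no prefix at all


def verify(stored: str, password: str) -> bool:
    """Check a password against whatever format the row currently holds."""
    fmt = storage_format(stored)
    if fmt == "plaintext":
        # Legacy row: compare the raw strings in constant time.
        return hmac.compare_digest(stored.encode("utf-8"),
                                   password.encode("utf-8"))
    if fmt == "pbkdf2-sha256":
        # "$pbkdf2-sha256$<rounds>$<salt>$<dk>" splits into five fields.
        _, _, rounds, salt_b64, dk_b64 = stored.split("$")
        expected = base64.b64decode(dk_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     base64.b64decode(salt_b64), int(rounds))
        return hmac.compare_digest(actual, expected)
    raise ValueError(f"no verifier for {fmt} hashes in this example")


def login(users: dict, username: str, password: str,
          algorithm: str = "pbkdf2-sha256") -> bool:
    """Authenticate and, on success only, rewrite the row in the configured
    algorithm ("pbkdf2-sha256" or "none"). A successful login is the only
    moment the system holds the real password, so it is the only moment a
    stored value can be migrated in either direction."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    current = storage_format(stored)
    if algorithm == "none" and current != "plaintext":
        users[username] = password                 # the 'No hashing' downgrade
    elif algorithm == "pbkdf2-sha256" and current != "pbkdf2-sha256":
        users[username] = hash_password(password)  # the upgrade on first login
    return True


if __name__ == "__main__":
    # Constructed user table: one legacy plaintext row, one already hashed.
    users = {"alice": "letmein", "bob": hash_password("hunter2")}
    print("alice before:", storage_format(users["alice"]))
    print("alice wrong password:", login(users, "alice", "nope"))
    print("alice after failed attempt:", storage_format(users["alice"]))
    print("alice correct password:", login(users, "alice", "letmein"))
    print("alice after:", storage_format(users["alice"]))
```

Two properties worth noticing: a failed login never touches the row, so a wrong guess cannot change what is stored, and the downgrade path (`algorithm="none"`) is the mirror image of the upgrade and is just as dependent on a successful login, which is why no offline "downgrade tool" is possible for hashed rows.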
