-
2 Attachment(s)
[REL][Addon]Password Encryption for HoloCMS[Addon][REL]
I know you're thinking WTF, another HoloCMS thread. This is an actual release, and it (I hope) is in the right section.
What is it:
This will make your copy of Holograph and HoloCMS use SHA1 (salted) hashed passwords instead of storing the password in plain text, which is the biggest no-no in security.
How it is secure:
I made encryption releases before, and every time people complained and said that it is not secure enough, so I did some research, and this is what I came up with: password salted with the user id in SHA1. Also, people with rainbow tables have a harder time cracking salted passwords because, let's say they have the hash to the password Hello123, well, they probably won't have Hello123useraccountnamehere. Hope it is secure enough for you.
Features:
- Passwords stored in SHA1
- Salted with userid
- Userid is converted into lowercase, so when the user logs on, it's not case-sensitive (if you look at the code, you'll know what I mean)
- All edited portions of the code are commented so you'll know what to upgrade when meth0d makes a new version.
- The password stored in your session is also encrypted (an added bonus since before, if someone hijacks your session, they can find your password)
Install:
Replace your register.php, login.php, and hk_login.php with this.
Also, if you don't want to recreate your account, the password format is password then userid, no spaces and userid in all lowercase. Go to a site like MD5, MD4 and SHA1 online generator and generate your hash.
This was made with the HoloCMS 1.2.1 source, upgrade when needed. I commented the code so you can upgrade with little hassle.
I know this is not a big release, and its easy to do, but its useful =)
I'd recommend meth0d add this to the official source since, like I said, unencrypted passwords are a huge security risk to the user. Many users use the same password for other things, so when your database is compromised, so are all the other sites the user goes to.
UPDATE: Oops, I forgot to include the account.php for when the user updates the password and email. Instead of including the php file, I've included a text file with the added code and directions to applying. Why? Because I modified the account.php for my hotel, and it won't work on other sites.
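The scheme described above (SHA1 of the password with the lower-cased user id appended), written out as an added example rather than the addon's own register.php/login.php code, next to PHP's built-in password_hash() so the two can be compared. This is not code from the release or from HoloCMS; function names and the sample credentials are placeholders chosen for the demo.

```php
<?php
// Added example (not from the HoloCMS addon or its author): the hashing
// scheme the post describes, sha1(password . strtolower(userid)), written
// as standalone functions, next to the PHP-native alternative. Function
// names and sample values below are placeholders, not HoloCMS's real code.

declare(strict_types=1);

// Scheme as described in the post: userid lower-cased and appended to the
// password, then SHA-1. Matches what the "online generator" step produces
// when you feed it "password" followed by the lowercase userid.
function holo_hash(string $password, string $userid): string
{
    return sha1($password . strtolower($userid));
}

// Constant-time comparison so the login check does not leak via timing.
function holo_verify(string $password, string $userid, string $storedHash): bool
{
    return hash_equals($storedHash, holo_hash($password, $userid));
}

// Caveat: SHA-1 with a predictable per-user salt defeats a shared rainbow
// table, but a single SHA-1 is still cheap to brute-force per account.
// password_hash() (bcrypt by default) adds a random salt and a cost factor.
function modern_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function modern_verify(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Transparent upgrade path: accept the legacy hash once at login, then
// return a bcrypt hash for the caller to write back. Null means bad password.
function login_and_upgrade(string $password, string $userid, string $storedHash): ?string
{
    if (holo_verify($password, $userid, $storedHash)) {
        return modern_hash($password);
    }
    if (password_verify($password, $storedHash)) {
        return password_needs_rehash($storedHash, PASSWORD_DEFAULT)
            ? modern_hash($password)
            : $storedHash;
    }
    return null;
}

// Demo with constructed values (the userid case differs, as the post allows).
$legacy = holo_hash('Hello123', 'UserAccountNameHere');
var_dump(holo_verify('Hello123', 'useraccountnamehere', $legacy));
var_dump(holo_verify('hello123', 'useraccountnamehere', $legacy));
$upgraded = login_and_upgrade('Hello123', 'useraccountnamehere', $legacy);
var_dump($upgraded !== null && modern_verify('Hello123', $upgraded));
```

The legacy check has to run first in login_and_upgrade because a stored bcrypt string can never equal a 40-character SHA-1 hex digest, and password_verify() simply returns false on a legacy digest, so the two branches do not collide.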
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
So, will this, like, hide the passwords when they are in SQL also?
Good fix though
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Yes, like my password is displayed as: 97cfec8d07e579247291d918162f8ad17cd1da5d in the password field, try to crack it ;)
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
What's the encryption, MD5? SHA1?
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Passwords stored in SHA1 =]
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Of course, the problem with this is that Holograph won't know how to check the passwords.
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Quote:
Originally Posted by
Schfoo
Of course, the problem with this is that Holograph won't know how to check the passwords.
All holograph does is check the SSO ticket, the logging in stuff is done by holoCMS.
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Oh yeah, I forgot that normal logging in doesn't work anymore xD
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
It's good, but what about when someone updates their pass? You'll need to have one for the account settings too xD
Just reminding you ;)
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Very nice ;o
Nice release, maybe get a mod to Merge it with the HoloCMS REL / DEV thread =]
~ SkillZ
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Quote:
Originally Posted by
wwood28
It's good, but what about when someone updates their pass? You'll need to have one for the account settings too xD
Just reminding you ;)
Oops, thanks for reminding me.
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Quote:
Originally Posted by
yifan_lu
Yes, like my password is displayed as: 97cfec8d07e579247291d918162f8ad17cd1da5d in the password field, try to crack it ;)
Looks like you've given me a challenge to try and solve tonight! :)
If I get it, I will pm you ;]
Ontopic -
Nice release, this will help ensure that people dont mess with Holo xD
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Great release, since without it all the user would have to do is hack your config.php, log in to your SQL server, and voila, there are all the passwords, and maybe upgrade their rank to "7" while they're at it, then wonderfully change the SQL server's password, so it f**ks up their hotel... :P
Thanks,
MatthewRulz!
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Oops, one more thing I forgot. What if someone forgets their password? Does it work then? I'm not sure, but I don't think it does...
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Quote:
Originally Posted by
wwood28
Oops, one more thing I forgot. What if someone forgets their password? Does it work then? I'm not sure, but I don't think it does...
Yeah, I'm making a password reset system right now. It will generate a random password like 1d94k3id0 and email it to the user, and they can then change it. (Also, coding for the latest SVN.)
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Ok, I took a look at the new SVN code and it looks about the same, so you can still use the current password encryption files. About the forgotten password, I made this code, but someone else is going to have to test it for me, as I don't have a mail server set up. (Goes in forgot.php)
[PHP]<?php
/*---------------------------------------------------+
| HoloCMS - Website and Content Management System
+----------------------------------------------------+
| Copyright
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Instead of a mail server just send it in a site alert to the user.
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Quote:
Originally Posted by
Schfoo
Instead of a mail server just send it in a site alert to the user.
I know that no one would try this hard to hack retros, but since I'm making it this hard already, what if some "hacker" finds out a user id and their email? (Like from their MySpace or something?) Then they just lost their account.
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Then send it to the console. All you do is insert it into the tables, that way they couldn't hack them unless they knew the password.
Btw, how would they find the users id anyway? xD
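The reset system discussed in the last few posts (a random secret generated server-side and delivered to the user, with the worry that whoever can read the database or knows the user's email could abuse it), as an added example that is not the forgot.php from the thread or HoloCMS code. It uses a random, single-use, time-limited token, stores only a hash of it, and takes the delivery step as a callback so the same logic can send by e-mail, site alert or in-game console. The array "database", the 15-minute lifetime and all names are assumptions for the demo.

```php
<?php
// Added example, not the forgot.php posted in the thread: a reset flow built
// around a random, single-use, time-limited token. The users array stands in
// for the HoloCMS users table; delivery is a callback (e-mail, site alert,
// console...). All names, columns and the TTL are placeholders.

declare(strict_types=1);

const RESET_TTL_SECONDS = 15 * 60;

// Constructed stand-in for the database: username => row.
$users = [
    'alice' => ['password' => null, 'reset_hash' => null, 'reset_expires' => 0],
];

// Step 1: issue a token. Only its SHA-256 is stored, so someone who dumps the
// database (the attack the thread is defending against) cannot redeem it.
function issue_reset(array &$users, string $username, callable $deliver): bool
{
    if (!isset($users[$username])) {
        return false; // show the same generic message either way to avoid user enumeration
    }
    $token = bin2hex(random_bytes(16));                // 128 bits from the CSPRNG
    $users[$username]['reset_hash']    = hash('sha256', $token);
    $users[$username]['reset_expires'] = time() + RESET_TTL_SECONDS;
    $deliver($username, $token);
    return true;
}

// Step 2: redeem the token. Wrong, expired or already-used tokens fail; a
// valid one is cleared at once and the new password is stored with bcrypt.
function redeem_reset(array &$users, string $username, string $token, string $newPassword): bool
{
    if (!isset($users[$username]) || $users[$username]['reset_hash'] === null) {
        return false;
    }
    $row = $users[$username];
    if (time() > $row['reset_expires']) {
        return false;
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$username]['reset_hash']    = null;         // single use
    $users[$username]['reset_expires'] = 0;
    $users[$username]['password']      = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Demo delivery: capture and print instead of mail(). In a real deployment
// replace the body with mail(), an insert into the site-alert table, or a
// console message; the token never has to touch the users table in the clear.
$captured = null;
$deliver = function (string $username, string $token) use (&$captured): void {
    $captured = $token;
    echo "Reset link for $username: https://example.invalid/forgot.php?u=$username&t=$token\n";
};

issue_reset($users, 'alice', $deliver);
var_dump(redeem_reset($users, 'alice', 'not-the-token', 'NewPass!1'));   // wrong token
var_dump(redeem_reset($users, 'alice', $captured, 'NewPass!1'));         // valid, consumed
var_dump(redeem_reset($users, 'alice', $captured, 'NewPass!2'));         // reuse attempt
var_dump(password_verify('NewPass!1', $users['alice']['password']));
```

Because the token only ever exists in the delivery channel and in the user's hands, knowing a user id and e-mail address is not enough on its own; an attacker would also need to read that mailbox, alert or console within the token's lifetime.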
-
Re: [REL][Addon]Password Encryption for HoloCMS[Addon][REL]
Does this work? Because I'd like to add it to my packs if it does, or if you're going to configure it into something else, let me know please :)