[opencms-dev] Getting User Password without logging in
Thomas Kiesl
thomas.kiesl at bluemars.net
Thu Oct 19 15:36:06 CEST 2006
Hello Joachim,
you are right, the missing encryption or two-way encryption for the
password is not safe.
For the webuser I don't see any problems, but all people who have direct
SQL access to the database may get all passwords...
Best regards
Thomas
Joachim Arrasz wrote:
> Hi,
>
>> You have to change the opencms authentication method.
>> A quick solution is to store the password unencrypted in the database.
>> To do this, change the passwordhandler in opencms-system.xml setting
>> <digest-type>plain</digest-type>
>>
>> A better solution is to use a reversible (two-way) encryption
>> algorithm. To do this, create a class that implements
>> I_CmsPasswordHandler and put it in <passwordhandler> in
>> opencms-system.xml.
>
> What kind of security is this then? In my opinion both solutions are no
> practical solutions. Two-way encryptions are not safe!
>
> Kind Regards
>
> Achim
>
--
Kind regards
Thomas Kiesl
--
BLUE MARS - Gesellschaft fuer digitale Kommunikation mbH
Thomas Kiesl mailto:thomas.kiesl at bluemars.net
Software Developer http://www.bluemars.net
Ebersheimstraße 5 T +49.69.469973-0
60320 Frankfurt am Main F +49.69.469973-99
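
Added example, not part of this thread and not OpenCms code: the three storage choices discussed above (plain, two-way, one-way), showing what a reader of the password column gets under each. All function names and APP_KEY are assumptions, and the SHA-256 keystream is a toy stand-in for a reversible cipher, not a recommended one.

```python
import hashlib
import hmac
import os

# Constructed value: a two-way scheme needs a key the server itself can read.
APP_KEY = b"key-from-app-config"

def _keystream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream, standing in for any reversible cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def store_plain(pw):
    # Equivalent of a "plain" digest type: the column holds the password itself.
    return pw

def store_reversible(pw, key=APP_KEY):
    nonce, data = os.urandom(16), pw.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce.hex() + ":" + ct.hex()

def recover_reversible(stored, key=APP_KEY):
    # Anyone holding the column value and the application key gets the password.
    nonce_hex, ct_hex = stored.split(":")
    ct = bytes.fromhex(ct_hex)
    ks = _keystream(key, bytes.fromhex(nonce_hex), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()

def store_one_way(pw, iterations=600_000):
    # Salted PBKDF2: the column holds only a verifier, never the password.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_one_way(pw, stored):
    # Login check: recompute with the stored salt, compare in constant time.
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def what_db_reader_sees(pw):
    # The stored column value for one password under each scheme.
    return {"plain": store_plain(pw),
            "reversible": store_reversible(pw),
            "one_way": store_one_way(pw)}
```

With one-way storage the application can still check a login but can no longer hand the original password back, which is the trade-off behind the question in this thread.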