Passwords
12/06/03 (Edited 03/10/14)
By default no passwords are stored in the database in their original form. All passwords are recorded in the database as hashes. This way if a hacker gains access to your database the passwords themselves would not be of much use to them -- protecting your users who may unwisely use the same password on your site that they use for their bank.
The hashing method can be configured at Admin Panel -> Members -> Member Settings -> "Password encoding method". The default on a new WSN installation is double MD5 with salt -- the salting makes it extremely hard for criminals to reverse the hash. Upgrades from older WSN versions may still be using plain MD5, which used to be the default.
The other option is "no encoding", which means plain text. While storing passwords in plain text is a poor security practice, it does have the advantage of making it possible to look up or retrieve a password instead of having to reset it to a new one. If you set password encoding to plain text, members who fill out the lost password form will get their existing password emailed to them. With any other selection, they instead get a new randomly generated password emailed to them. Once they use the new password to log in, they can edit their profile to change it to something more memorable.
When you change the password encoding setting, current members are not immediately affected -- their passwords remain in their current encoding so that they can continue logging in as usual without having to do a password reset. However, the next time they do reset their password the encoding for their account will automatically change to the new selection.
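The per-account behaviour described above (each member keeps their current encoding until their next password reset, at which point the site-wide setting takes over) can be modelled as follows. This is an added example, not WSN's own code: the encoding identifiers, the record layout and the exact "double MD5 with salt" construction md5(md5(password) + salt) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Encoding identifiers are constructed for this example; WSN's own storage
# format is not described on this page.
PLAIN = "plain"             # "no encoding": password stored as typed
MD5 = "md5"                 # legacy default on older installations
MD5_SALTED = "md5_salted"   # "double MD5 with salt" (layout below is assumed)


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def encode_password(password: str, method: str, salt: str = "") -> str:
    """Encode a password with the given method. For PLAIN the stored value is
    the password itself, which is what makes "email the existing password" possible."""
    if method == PLAIN:
        return password
    if method == MD5:
        return md5_hex(password)
    if method == MD5_SALTED:
        return md5_hex(md5_hex(password) + salt)   # assumed construction
    raise ValueError(f"unknown encoding method: {method}")


@dataclass
class Member:
    name: str
    encoding: str   # per-account; a site-wide change does not touch it until reset
    salt: str
    stored: str


def create_member(name: str, password: str, method: str) -> Member:
    salt = secrets.token_hex(8) if method == MD5_SALTED else ""
    return Member(name, method, salt, encode_password(password, method, salt))


def verify(member: Member, password: str) -> bool:
    # Check against the encoding recorded for this account, not the site default.
    candidate = encode_password(password, member.encoding, member.salt)
    return hmac.compare_digest(candidate.encode("utf-8"), member.stored.encode("utf-8"))


def reset_password(member: Member, new_password: str, site_method: str) -> None:
    """Lost-password flow: re-encode with the site's *current* setting, so the
    account migrates to the new encoding only at reset time."""
    member.encoding = site_method
    member.salt = secrets.token_hex(8) if site_method == MD5_SALTED else ""
    member.stored = encode_password(new_password, site_method, member.salt)
```

Two members who choose the same password end up with different salted hashes, while a legacy plain-MD5 account keeps logging in unchanged until its reset moves it to the salted scheme.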
Description: Passwords, the email password function, and how to email the user's existing password.