
Password_Security

Cameron edited this page Jan 28, 2017 · 1 revision


Note: This is a work in progress, and is subject to change until 0.8 is released. Please do not rely on this information!

Passwords

E107 2.0 incorporates a number of additional security options related to passwords. The selection of the appropriate options requires careful thought, since in some cases there is no going back! Some additional information is given in the 'Background' section, and more detail can be found by searching the web.

All the options are set via the 'Security and Protection' section of site Preferences.

Allow login by email address

If enabled, users can specify either their login name or their email address when logging in. (If this option is disabled, it doesn't preclude users giving their email address as a login name).

User Tracking method

Must be set to 'sessions' if using CHAP.

Otherwise it's usually most convenient to set 'cookies', so that the 'remember me' feature is available.

Password encoding

To date E107 has stored passwords as plain (unsalted) md5 hashes, and this will continue to be sufficient for some sites.

Select 'salted' passwords to make it harder for them to be cracked if someone gains access to the user database.

For existing installations, note that changing this selection only affects new users, and those changing their passwords. There is a separate utility to convert all md5 passwords in the database to the salted format (see later).

Password transmission method

By default, passwords are sent between the user's browser and the server in plain text. CHAP (short for: Challenge Handshake Authentication Protocol) hashes the password together with a server-generated challenge before transmission, so the password itself is never sent over the network; however it requires that JavaScript is enabled in the user's browser. Hence it is usual to allow the plain text fallback. CHAP can be made mandatory if required. CHAP requires that user tracking uses sessions. In general CHAP cannot be used with the alt_auth plugin.

Background

Historically E107 has encoded user passwords in the database using the md5 'one way hash' - a mathematical operation which maps the password to a fixed-size value, in such a way that there is no practical way to go from the 'hashed' password back to the original. A 'brute force' approach has always been possible; and advances in computing power and mathematical understanding have made it feasible to precompute lookup tables of hash values, so that a hashed password can simply be looked up in the table. This represents a one-time block of calculations, which can be used to 'crack' passwords time and time again.

While the simple hash is sufficient for many sites, it can cause problems for users if their password is cracked - they may use the same password on several sites, or the hashed password may have been obtained from a database backup, and thus knowing it can give the cracker access to the actual site.

E107 now supports 'salted passwords'. In these a more complex calculation is used. This mixes in a 'salt' - a text string, different for every user. This 'salt' can be public (and has to be for E107 to verify the user), and makes life much more difficult for the password cracker. Instead of using a single set of precalculated hash tables, the cracker has to recalculate those tables for each user's individual salt. This represents a very substantial increase in effort for the cracker.
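The following is an added illustration of the point above, not code from E107 itself: it builds a one-time md5 lookup table from a few constructed weak passwords, shows that unsalted hashes fall to a simple lookup, and shows that per-user salts force the work to be redone for every record. The salted format `salt$md5(salt+password)` is an assumption chosen for clarity, not E107's actual storage format.

```python
import hashlib
import secrets

# Constructed sample data: weak passwords an attacker would plausibly precompute.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def md5_hex(text: str) -> str:
    """Plain unsalted md5, as historically used by E107."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """One-time precomputation: md5 digest -> password.
    The same table works against every unsalted database it is ever applied to."""
    return {md5_hex(p): p for p in candidates}


def salted_hash(password: str, salt: str) -> str:
    """Illustrative salted scheme (assumption, not E107's exact format)."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def make_salted_record(password: str) -> str:
    """Store the salt in the clear next to the digest; the site needs it to verify logins."""
    salt = secrets.token_hex(8)  # different for every user
    return f"{salt}${salted_hash(password, salt)}"


def verify_salted(password: str, record: str) -> bool:
    salt, digest = record.split("$", 1)
    return secrets.compare_digest(salted_hash(password, salt), digest)


def crack_unsalted(stored_digests, table):
    """Unsalted: one dictionary lookup per stored digest, no hashing at all."""
    return {d: table[d] for d in stored_digests if d in table}


def crack_salted(records, candidates):
    """Salted: the precomputed table is useless, so every record needs a fresh hash
    per candidate. Returns (cracked, number_of_hash_operations) to show the cost."""
    cracked, work = {}, 0
    for rec in records:
        salt, digest = rec.split("$", 1)
        for p in candidates:
            work += 1
            if salted_hash(p, salt) == digest:
                cracked[rec] = p
                break
    return cracked, work


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted:", crack_unsalted([md5_hex("letmein")], table))
    rec = make_salted_record("letmein")
    print("salted lookup hit:", rec.split("$", 1)[1] in table)
    print("salted brute force:", crack_salted([rec], COMMON_PASSWORDS))
```

Note the work counter: with salts the cost is candidates multiplied by users, and the table can never be shared across sites, which is the "substantial increase in effort" the text refers to.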

As with all things, increased security comes at a price - actions such as changing a user's login name or email address may require the user to confirm with their password. E107 minimizes the additional complexity, but it is worth carefully considering the level of security required before enabling some of the options.

Password transmission

When a user logs into a web site (other than those using SSL - https:// URLs), the user name and password are transmitted 'in clear' to the web site. So potentially anyone monitoring the network can pick up that information. E107 now offers the option of 'CHAP' - a method of only sending an encrypted password over the network. This encryption (actually a hash function) includes a 'challenge' - a random number generated by the server - which makes it harder for a hacker to simply replay some network traffic to log into the site.

The CHAP feature makes use of JavaScript in the user's browser. If this is not available, E107 can implement a 'plain text' fallback. This fallback is admin-selectable (admin-->prefs-->Security and protection). If CHAP is mandatory, only users with JavaScript enabled can log in (others see a message instead of the login box); otherwise the plain text fallback can be used. It is also possible to use only plain text passwords.

CHAP also requires that sessions (rather than cookies) are used for user tracking.
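As an added example of the challenge-response exchange described in this section (not E107's implementation), the following models both sides: the server issues a random challenge and parks it in the session, the browser-side step hashes the password hash together with that challenge, and the server checks the result. The exact hash construction `md5(md5(password) + challenge)` and the single-use session store are assumptions for illustration.

```python
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


class LoginServer:
    """Server side. `users` maps login name -> stored md5(password) (constructed data)."""

    def __init__(self, users):
        self.users = users
        # Pending challenges keyed by session id: this is why CHAP needs session tracking,
        # the server must remember what it asked before it can check the answer.
        self.sessions = {}

    def start_login(self):
        sid = secrets.token_hex(8)
        challenge = secrets.token_hex(16)  # fresh random value per login attempt
        self.sessions[sid] = challenge
        return sid, challenge

    def finish_login(self, sid, username, response):
        challenge = self.sessions.pop(sid, None)  # single use: a replay finds nothing
        stored = self.users.get(username)
        if challenge is None or stored is None:
            return False
        expected = md5_hex(stored + challenge)
        return secrets.compare_digest(expected, response)


def browser_response(password: str, challenge: str) -> str:
    """What the browser-side script sends. Only this value and the challenge cross the
    network; the password itself never leaves the browser."""
    return md5_hex(md5_hex(password) + challenge)


def demo():
    """Runs a login, then two replay attempts with the captured response."""
    server = LoginServer({"alice": md5_hex("correct horse battery")})
    sid, challenge = server.start_login()
    captured = browser_response("correct horse battery", challenge)
    first = server.finish_login(sid, "alice", captured)
    replay_same_session = server.finish_login(sid, "alice", captured)
    sid2, _ = server.start_login()  # new challenge, old response no longer matches
    replay_new_session = server.finish_login(sid2, "alice", captured)
    return first, replay_same_session, replay_new_session


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The caveat a defender should keep in mind, and which the Background section alludes to, is that in this style of scheme the stored hash is itself enough to answer the challenge, so the database record is password-equivalent; CHAP protects the password on the wire, not the database, and is not a substitute for HTTPS.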

Password Recovery

If the main admin loses their password, it is possible to overwrite it in the database using phpMyAdmin or similar, and this procedure is documented elsewhere. The procedure will continue to work if the site is set to use md5 passwords, or salted with md5 fallback.

If the site accepts only salted passwords, the basic procedure is the same, but it is more complicated to calculate the salted hash value to write to the database. To do so, point your browser to yoursite/e107_files/utilities/passcalc.php, and enter the requested information to obtain the password value. Then copy this value into your database entry.

Update User Passwords

For existing sites which have changed from md5 to salted passwords, a utility is available to convert the complete user database.

Once this has been run, THERE IS NO GOING BACK! So think carefully before using it, and create a database backup first.

To use this utility, log in as main admin, then point your browser to yoursite/e107_files/utilities/passconv.php.

It provides options to back up (and restore) the relevant parts of your user database to a new table 'user_backup'.

Email address-related passwords must be added either before, or at the same time as, the conversion to salted passwords.
