02nd Jan 2012 Users - New password hash

The users module has been updated to use an improved method of hashing user passwords and we recommend that you update to version 2.0.0 as soon as possible.

The passwords used within DOCF have always been hashed to protect its users from people finding out their passwords. Hashing stops passwords from being stored in cleartext, meaning you cannot simply look in the database to compromise a user's account.

We have taken the decision to move away from our current method of hashing passwords to the more secure blowfish algorithm. On top of this, we provide a per-user salt which changes with each password change.

The reason for the change is simple: with today's computational power and the huge, freely available lookup tables, we deemed our current model not as secure as we would wish it to be, and set about improving it.

The system is fully backwards compatible with the current password solution. Simply download the latest version (2.0.0) and replace the existing one; the system will then detect the new changes and produce a warning instructing you to register the new module.

Register the module by clicking on the register module icon in the modules list, and the internals for the database will be amended to support the extra fields needed. Once this is done, your system supports the new authentication method as well as the old.

User accounts that are using the old authentication method will now be highlighted in red in the user listings screen within the management system; any users using the new authentication method will remain the existing colour.

When a user logs in, the system knows which authentication method is being used and will authenticate with the appropriate one. The system will then automatically update the authenticated user to the new algorithm.

Any new users or amendments to users' passwords will also use the new authentication scheme.

So to move a user account to the new authentication scheme, either log in with that user or change the password for that user in the management system.
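The login-time migration described above, as an added example that is not DOCF's own code. It assumes the old scheme was unsalted MD5 (the page does not name it) and a hypothetical user row with `hash` and `salt` fields, and it substitutes PBKDF2 from the Python standard library for blowfish.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor for the stand-in KDF


def legacy_hash(password):
    # Assumed old scheme: unsalted MD5 hex digest (the page does not name it).
    return hashlib.md5(password.encode()).hexdigest()


def new_hash(password, salt):
    # Stand-in for blowfish: salted, deliberately slow PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def set_password(user, password):
    """Store a password under the new scheme with a fresh per-user salt."""
    user["salt"] = os.urandom(16)  # regenerated on every password change
    user["hash"] = new_hash(password, user["salt"])


def uses_legacy_scheme(user):
    # Hypothetical schema: rows written before the upgrade have no salt.
    return user.get("salt") is None


def login(user, password):
    """Verify against whichever scheme the row uses; upgrade on success."""
    if uses_legacy_scheme(user):
        ok = hmac.compare_digest(legacy_hash(password), user["hash"])
        if ok:
            # The cleartext is only available at login, so rehash it now.
            set_password(user, password)
        return ok
    return hmac.compare_digest(new_hash(password, user["salt"]), user["hash"])


if __name__ == "__main__":
    # Constructed sample row, as it would look before the upgrade.
    alice = {"name": "alice", "hash": legacy_hash("correct horse"), "salt": None}
    print("legacy before login:", uses_legacy_scheme(alice))
    print("wrong password:", login(alice, "wrong guess"))
    print("right password:", login(alice, "correct horse"))
    print("legacy after login:", uses_legacy_scheme(alice))
```

A failed login leaves the legacy row untouched, which is why accounts that never log in stay on the old scheme until their password is changed in the management system.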

We have also introduced an account locking mechanism: if you get your password wrong 3 times, your account will be locked for 15 minutes, increasing by 5 minutes with each further unsuccessful attempt, so the 4th attempt would be 20 minutes and so forth.

After the account lock has expired, the lock will clear automatically and you can log in again. Alternatively, another user can clear the lock on your behalf by saving your user account in the management system.

While we realise this may seem inconvenient to some users, it prevents unauthorised persons from simply trying random passwords until they gain access; this would quickly flag up any such activity and deny the user access.

With all these changes you can feel more comfortable that your password is safer, but remember it is only as safe as you make it, and these measures do not do away with the need for a strong password that is kept secret from other people.