[Vtigercrm-developers] Encrypt portal users passwords?

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

[Vtigercrm-developers] Encrypt portal users passwords?

socialboostdk
Hi there,

Currently contacts / portal-users password are stored as plain-text. I have a request to change those into some encrypted form.

Anyone with experience with this? This will be required by law in many European countries pretty soon :-/

I want to do it in the way that is less invasive / does not alter too much in core, so future upgrades are not more troublesome than need be :-)

Thank you for any input!!

Best,
Chris

_______________________________________________
http://www.vtiger.com/
Reply | Threaded
Open this post in threaded view
|

Re: Encrypt portal users passwords?

Alan Lord (News)
On 21/02/17 17:23, socialboostdk wrote:
> Hi there,
>
> Currently contacts / portal-users password are stored as plain-text. I
> have a request to change those into some encrypted form.

This was changed in vtiger 6.5.0.

But the reset password functionality is broken.

Al

_______________________________________________
http://www.vtiger.com/
Reply | Threaded
Open this post in threaded view
|

Re: Encrypt portal users passwords?

socialboostdk
Excellent - thank you very much!

Ok, the reset functionality i can then just fix and send as a suggestion for the VT-team.

Do you know if its possible to pull that part isolated (the target implementation is vt 6.3) and implement, or does it involve a bigger part of the platform?

Best,
Chris

On 21 February 2017 at 18:45, Alan Lord <[hidden email]> wrote:
On 21/02/17 17:23, socialboostdk wrote:
Hi there,

Currently contacts / portal-users password are stored as plain-text. I
have a request to change those into some encrypted form.

This was changed in vtiger 6.5.0.

But the reset password functionality is broken.

Al

_______________________________________________
http://www.vtiger.com/


_______________________________________________
http://www.vtiger.com/
Reply | Threaded
Open this post in threaded view
|

Re: Encrypt portal users passwords?

its4you
Reset password functionality was added to vtiger Marketplace (we was
thinking about FREE extension), but was not published from this reason:

This module directly manipulates system table having confidential
information - not acceptable.

Matus

Dňa 22. 2. 2017 o 15:32 socialboostdk napísal(a):

> Excellent - thank you very much!
>
> Ok, the reset functionality i can then just fix and send as a suggestion
> for the VT-team.
>
> Do you know if its possible to pull that part isolated (the target
> implementation is vt 6.3) and implement, or does it involve a bigger
> part of the platform?
>
> Best,
> Chris
>
> On 21 February 2017 at 18:45, Alan Lord
> <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     On 21/02/17 17:23, socialboostdk wrote:
>
>         Hi there,
>
>         Currently contacts / portal-users password are stored as
>         plain-text. I
>         have a request to change those into some encrypted form.
>
>
>     This was changed in vtiger 6.5.0.
>
>     But the reset password functionality is broken.
>
>     Al
>
>     _______________________________________________
>     http://www.vtiger.com/
>
>
>
>
> _______________________________________________
> http://www.vtiger.com/
>


_______________________________________________
http://www.vtiger.com/
Reply | Threaded
Open this post in threaded view
|

Re: Encrypt portal users passwords?

Sutharsan Jeganathan
Hi Matus

Why did you release it as an extension. Even doesn't matter whether it is free, but I think it could be a bug fix into code.vtiger.com. Correct?

If it is an extension and if possible to modify system tables, it could be  a security threat when admin password is compromised. But I cannot see any restrictions of installing a module in module manager, which can modify system tables. In this case you said is correct.


Thanks
Sutharsan Jeganathan

On Wed, Feb 22, 2017 at 9:01 PM, IT-Solutions4You <[hidden email]> wrote:
Reset password functionality was added to vtiger Marketplace (we was thinking about FREE extension), but was not published from this reason:

This module directly manipulates system table having confidential information - not acceptable.

Matus

Dňa 22. 2. 2017 o 15:32 socialboostdk napísal(a):
Excellent - thank you very much!

Ok, the reset functionality i can then just fix and send as a suggestion
for the VT-team.

Do you know if its possible to pull that part isolated (the target
implementation is vt 6.3) and implement, or does it involve a bigger
part of the platform?

Best,
Chris

On 21 February 2017 at 18:45, Alan Lord
<[hidden email]
<mailto:[hidden email]>> wrote:

    On 21/02/17 17:23, socialboostdk wrote:

        Hi there,

        Currently contacts / portal-users password are stored as
        plain-text. I
        have a request to change those into some encrypted form.


    This was changed in vtiger 6.5.0.

    But the reset password functionality is broken.

    Al

    _______________________________________________
    http://www.vtiger.com/




_______________________________________________
http://www.vtiger.com/



_______________________________________________
http://www.vtiger.com/


_______________________________________________
http://www.vtiger.com/
Reply | Threaded
Open this post in threaded view
|

Re: Encrypt portal users passwords?

Doug-116
Because vtiger is slow and some times never applies submitted bug fixes

On Feb 22, 2017 10:59 AM, "Sutharsan Jeganathan" <[hidden email]> wrote:
Hi Matus

Why did you release it as an extension. Even doesn't matter whether it is free, but I think it could be a bug fix into code.vtiger.com. Correct?

If it is an extension and if possible to modify system tables, it could be  a security threat when admin password is compromised. But I cannot see any restrictions of installing a module in module manager, which can modify system tables. In this case you said is correct.


Thanks
Sutharsan Jeganathan

On Wed, Feb 22, 2017 at 9:01 PM, IT-Solutions4You <[hidden email]> wrote:
Reset password functionality was added to vtiger Marketplace (we was thinking about FREE extension), but was not published from this reason:

This module directly manipulates system table having confidential information - not acceptable.

Matus

Dňa 22. 2. 2017 o 15:32 socialboostdk napísal(a):
Excellent - thank you very much!

Ok, the reset functionality i can then just fix and send as a suggestion
for the VT-team.

Do you know if its possible to pull that part isolated (the target
implementation is vt 6.3) and implement, or does it involve a bigger
part of the platform?

Best,
Chris

On 21 February 2017 at 18:45, Alan Lord
<[hidden email]
<mailto:[hidden email]>> wrote:

    On 21/02/17 17:23, socialboostdk wrote:

        Hi there,

        Currently contacts / portal-users password are stored as
        plain-text. I
        have a request to change those into some encrypted form.


    This was changed in vtiger 6.5.0.

    But the reset password functionality is broken.

    Al

    _______________________________________________
    http://www.vtiger.com/




_______________________________________________
http://www.vtiger.com/



_______________________________________________
http://www.vtiger.com/


_______________________________________________
http://www.vtiger.com/

_______________________________________________
http://www.vtiger.com/
Reply | Threaded
Open this post in threaded view
|

Re: Encrypt portal users passwords?

its4you
In reply to this post by Sutharsan Jeganathan
We release it as extensions because we have add action link to Contact
module "Reset CP password" and this change is not ? possible to track in
code.vtiger.com. We have add some Merge request which can be merged
imeditaelly, like this one:
http://code.vtiger.com/vtiger/vtigercrm/merge_requests/160 but nothing is

Other point is I really don't know what are "system tables". I suppose
vtiger_tab and vtiger_fields are also system tables and each extension
can modify it.


Matus.

Dňa 22. 2. 2017 o 16:57 Sutharsan Jeganathan napísal(a):

> Hi Matus
>
> Why did you release it as an extension. Even doesn't matter whether it
> is free, but I think it could be a bug fix into code.vtiger.com
> <http://code.vtiger.com>. Correct?
>
> If it is an extension and if possible to modify system tables, it could
> be  a security threat when admin password is compromised. But I cannot
> see any restrictions of installing a module in module manager, which can
> modify system tables. In this case you said is correct.
>
>
> Thanks
> Sutharsan Jeganathan
>
> On Wed, Feb 22, 2017 at 9:01 PM, IT-Solutions4You
> <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Reset password functionality was added to vtiger Marketplace (we was
>     thinking about FREE extension), but was not published from this reason:
>
>     This module directly manipulates system table having confidential
>     information - not acceptable.
>
>     Matus
>
>     Dňa 22. 2. 2017 o 15:32 socialboostdk napísal(a):
>
>         Excellent - thank you very much!
>
>         Ok, the reset functionality i can then just fix and send as a
>         suggestion
>         for the VT-team.
>
>         Do you know if its possible to pull that part isolated (the target
>         implementation is vt 6.3) and implement, or does it involve a bigger
>         part of the platform?
>
>         Best,
>         Chris
>
>         On 21 February 2017 at 18:45, Alan Lord
>         <[hidden email]
>         <mailto:[hidden email]>
>         <mailto:[hidden email]
>         <mailto:[hidden email]>>> wrote:
>
>             On 21/02/17 17:23, socialboostdk wrote:
>
>                 Hi there,
>
>                 Currently contacts / portal-users password are stored as
>                 plain-text. I
>                 have a request to change those into some encrypted form.
>
>
>             This was changed in vtiger 6.5.0.
>
>             But the reset password functionality is broken.
>
>             Al
>
>             _______________________________________________
>             http://www.vtiger.com/
>
>
>
>
>         _______________________________________________
>         http://www.vtiger.com/
>
>
>
>     _______________________________________________
>     http://www.vtiger.com/
>
>
>
>
> _______________________________________________
> http://www.vtiger.com/
>


_______________________________________________
http://www.vtiger.com/
Reply | Threaded
Open this post in threaded view
|

Re: Encrypt portal users passwords?

socialboostdk
In reply to this post by its4you
Hi there,

Ok - despite the lack of submission-success, i think this sounds good! Would you be able to share this code, ten i can try local implementation?

Thanks!

Best,
Chris

On 22 February 2017 at 16:31, IT-Solutions4You <[hidden email]> wrote:
Reset password functionality was added to vtiger Marketplace (we was thinking about FREE extension), but was not published from this reason:

This module directly manipulates system table having confidential information - not acceptable.

Matus

Dňa 22. 2. 2017 o 15:32 socialboostdk napísal(a):
Excellent - thank you very much!

Ok, the reset functionality i can then just fix and send as a suggestion
for the VT-team.

Do you know if its possible to pull that part isolated (the target
implementation is vt 6.3) and implement, or does it involve a bigger
part of the platform?

Best,
Chris

On 21 February 2017 at 18:45, Alan Lord
<[hidden email]
<mailto:[hidden email]>> wrote:

    On 21/02/17 17:23, socialboostdk wrote:

        Hi there,

        Currently contacts / portal-users password are stored as
        plain-text. I
        have a request to change those into some encrypted form.


    This was changed in vtiger 6.5.0.

    But the reset password functionality is broken.

    Al

    _______________________________________________
    http://www.vtiger.com/




_______________________________________________
http://www.vtiger.com/



_______________________________________________
http://www.vtiger.com/


_______________________________________________
http://www.vtiger.com/
Reply | Threaded
Open this post in threaded view
|

Re: Encrypt portal users passwords?

Błażej Pabiszczak
In reply to this post by Doug-116

Exactly like SuiteCRM that has 617 open issues [which is 35% of all their issues], including 421 errors. How can somebody publish a system as stable if it has so many errors that haven’t been fixed since the project launched [some are 3 years old already]… They’ll most likely do what Vtiger does every 3~4 years, which is changing the error reporting system :]

---
Z poważaniem / Regards
 
Błażej Pabiszczak
Chief Executive Officer
M: +48.884999123
E: [hidden email]


W dniu 2017-02-22 23:32, Doug napisał(a):

Because vtiger is slow and some times never applies submitted bug fixes

On Feb 22, 2017 10:59 AM, "Sutharsan Jeganathan" <[hidden email]> wrote:
Hi Matus

Why did you release it as an extension. Even doesn't matter whether it is free, but I think it could be a bug fix into code.vtiger.com. Correct?

If it is an extension and if possible to modify system tables, it could be  a security threat when admin password is compromised. But I cannot see any restrictions of installing a module in module manager, which can modify system tables. In this case you said is correct.


Thanks
Sutharsan Jeganathan

On Wed, Feb 22, 2017 at 9:01 PM, IT-Solutions4You <[hidden email]> wrote:
Reset password functionality was added to vtiger Marketplace (we was thinking about FREE extension), but was not published from this reason:

This module directly manipulates system table having confidential information - not acceptable.

Matus

Dňa 22. 2. 2017 o 15:32 socialboostdk napísal(a):
Excellent - thank you very much!

Ok, the reset functionality i can then just fix and send as a suggestion
for the VT-team.

Do you know if its possible to pull that part isolated (the target
implementation is vt 6.3) and implement, or does it involve a bigger
part of the platform?

Best,
Chris

On 21 February 2017 at 18:45, Alan Lord
<[hidden email]
<mailto:[hidden email]>> wrote:

    On 21/02/17 17:23, socialboostdk wrote:

        Hi there,

        Currently contacts / portal-users password are stored as
        plain-text. I
        have a request to change those into some encrypted form.


    This was changed in vtiger 6.5.0.

    But the reset password functionality is broken.

    Al

    _______________________________________________
    http://www.vtiger.com/




_______________________________________________
http://www.vtiger.com/


_______________________________________________
http://www.vtiger.com/

_______________________________________________
http://www.vtiger.com/

_______________________________________________
http://www.vtiger.com/

_______________________________________________
http://www.vtiger.com/
Reply | Threaded
Open this post in threaded view
|

Re: Encrypt portal users passwords?

socialboostdk
In reply to this post by its4you
Hi Matus,

Would it be possible to see the reset CP password code you're referring to? It would be a great help for me :-)

Thanks!

On 23 February 2017 at 09:10, IT-Solutions4You <[hidden email]> wrote:
We release it as extensions because we have add action link to Contact module "Reset CP password" and this change is not ? possible to track in code.vtiger.com. We have add some Merge request which can be merged imeditaelly, like this one: http://code.vtiger.com/vtiger/vtigercrm/merge_requests/160 but nothing is

Other point is I really don't know what are "system tables". I suppose vtiger_tab and vtiger_fields are also system tables and each extension can modify it.


Matus.

Dňa 22. 2. 2017 o 16:57 Sutharsan Jeganathan napísal(a):
Hi Matus

Why did you release it as an extension. Even doesn't matter whether it
is free, but I think it could be a bug fix into code.vtiger.com
<http://code.vtiger.com>. Correct?

If it is an extension and if possible to modify system tables, it could
be  a security threat when admin password is compromised. But I cannot
see any restrictions of installing a module in module manager, which can
modify system tables. In this case you said is correct.


Thanks
Sutharsan Jeganathan

On Wed, Feb 22, 2017 at 9:01 PM, IT-Solutions4You
<[hidden email]
<mailto:[hidden email]>> wrote:

    Reset password functionality was added to vtiger Marketplace (we was
    thinking about FREE extension), but was not published from this reason:

    This module directly manipulates system table having confidential
    information - not acceptable.

    Matus

    Dňa 22. 2. 2017 o 15:32 socialboostdk napísal(a):

        Excellent - thank you very much!

        Ok, the reset functionality i can then just fix and send as a
        suggestion
        for the VT-team.

        Do you know if its possible to pull that part isolated (the target
        implementation is vt 6.3) and implement, or does it involve a bigger
        part of the platform?

        Best,
        Chris

        On 21 February 2017 at 18:45, Alan Lord
        <[hidden email]
        <mailto:[hidden email]>
        <mailto:[hidden email]
        <mailto:[hidden email]>>> wrote:

            On 21/02/17 17:23, socialboostdk wrote:

                Hi there,

                Currently contacts / portal-users password are stored as
                plain-text. I
                have a request to change those into some encrypted form.


            This was changed in vtiger 6.5.0.

            But the reset password functionality is broken.

            Al

            _______________________________________________
            http://www.vtiger.com/




        _______________________________________________
        http://www.vtiger.com/



    _______________________________________________
    http://www.vtiger.com/




_______________________________________________
http://www.vtiger.com/



_______________________________________________
http://www.vtiger.com/


_______________________________________________
http://www.vtiger.com/
Reply | Threaded
Open this post in threaded view
|

Re: Encrypt portal users passwords?

its4you
A bit later but still
http://www.its4you.sk/en/vtiger-extensions/free/reset-customer-portal-password

Matus


Dňa 14. 3. 2017 o 8:46 socialboostdk napísal(a):

> Hi Matus,
>
> Would it be possible to see the reset CP password code you're referring
> to? It would be a great help for me :-)
>
> Thanks!
>
> On 23 February 2017 at 09:10, IT-Solutions4You
> <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     We release it as extensions because we have add action link to
>     Contact module "Reset CP password" and this change is not ? possible
>     to track in code.vtiger.com <http://code.vtiger.com>. We have add
>     some Merge request which can be merged imeditaelly, like this one:
>     http://code.vtiger.com/vtiger/vtigercrm/merge_requests/160
>     <http://code.vtiger.com/vtiger/vtigercrm/merge_requests/160> but
>     nothing is
>
>     Other point is I really don't know what are "system tables". I
>     suppose vtiger_tab and vtiger_fields are also system tables and each
>     extension can modify it.
>
>
>     Matus.
>
>     Dňa 22. 2. 2017 o 16:57 Sutharsan Jeganathan napísal(a):
>
>         Hi Matus
>
>         Why did you release it as an extension. Even doesn't matter
>         whether it
>         is free, but I think it could be a bug fix into code.vtiger.com
>         <http://code.vtiger.com>
>         <http://code.vtiger.com>. Correct?
>
>         If it is an extension and if possible to modify system tables,
>         it could
>         be  a security threat when admin password is compromised. But I
>         cannot
>         see any restrictions of installing a module in module manager,
>         which can
>         modify system tables. In this case you said is correct.
>
>
>         Thanks
>         Sutharsan Jeganathan
>
>         On Wed, Feb 22, 2017 at 9:01 PM, IT-Solutions4You
>         <[hidden email]
>         <mailto:[hidden email]>
>         <mailto:[hidden email]
>         <mailto:[hidden email]>>> wrote:
>
>              Reset password functionality was added to vtiger
>         Marketplace (we was
>              thinking about FREE extension), but was not published from
>         this reason:
>
>              This module directly manipulates system table having
>         confidential
>              information - not acceptable.
>
>              Matus
>
>              Dňa 22. 2. 2017 o 15:32 socialboostdk napísal(a):
>
>                  Excellent - thank you very much!
>
>                  Ok, the reset functionality i can then just fix and
>         send as a
>                  suggestion
>                  for the VT-team.
>
>                  Do you know if its possible to pull that part isolated
>         (the target
>                  implementation is vt 6.3) and implement, or does it
>         involve a bigger
>                  part of the platform?
>
>                  Best,
>                  Chris
>
>                  On 21 February 2017 at 18:45, Alan Lord
>                  <[hidden email]
>         <mailto:[hidden email]>
>                
>         <mailto:[hidden email]
>         <mailto:[hidden email]>>
>                
>         <mailto:[hidden email]
>         <mailto:[hidden email]>
>                
>         <mailto:[hidden email]
>         <mailto:[hidden email]>>>> wrote:
>
>                      On 21/02/17 17:23, socialboostdk wrote:
>
>                          Hi there,
>
>                          Currently contacts / portal-users password are
>         stored as
>                          plain-text. I
>                          have a request to change those into some
>         encrypted form.
>
>
>                      This was changed in vtiger 6.5.0.
>
>                      But the reset password functionality is broken.
>
>                      Al
>
>                      _______________________________________________
>         http://www.vtiger.com/
>
>
>
>
>                  _______________________________________________
>         http://www.vtiger.com/
>
>
>
>              _______________________________________________
>         http://www.vtiger.com/
>
>
>
>
>         _______________________________________________
>         http://www.vtiger.com/
>
>
>
>     _______________________________________________
>     http://www.vtiger.com/
>
>
>
>
> _______________________________________________
> http://www.vtiger.com/
>


_______________________________________________
http://www.vtiger.com/
Reply | Threaded
Open this post in threaded view
|

Re: Encrypt portal users passwords?

socialboostdk
Super! Thanks :) :)

On 22 June 2017 at 13:26, IT-Solutions4You <[hidden email]> wrote:
A bit later but still
http://www.its4you.sk/en/vtiger-extensions/free/reset-customer-portal-password

Matus


Dňa 14. 3. 2017 o 8:46 socialboostdk napísal(a):
Hi Matus,

Would it be possible to see the reset CP password code you're referring to? It would be a great help for me :-)

Thanks!

On 23 February 2017 at 09:10, IT-Solutions4You <[hidden email] <mailto:[hidden email]>> wrote:

    We release it as extensions because we have add action link to
    Contact module "Reset CP password" and this change is not ? possible
    to track in code.vtiger.com <http://code.vtiger.com>. We have add

    some Merge request which can be merged imeditaelly, like this one:
    http://code.vtiger.com/vtiger/vtigercrm/merge_requests/160
    <http://code.vtiger.com/vtiger/vtigercrm/merge_requests/160> but
    nothing is

    Other point is I really don't know what are "system tables". I
    suppose vtiger_tab and vtiger_fields are also system tables and each
    extension can modify it.


    Matus.

    Dňa 22. 2. 2017 o 16:57 Sutharsan Jeganathan napísal(a):

        Hi Matus

        Why did you release it as an extension. Even doesn't matter
        whether it
        is free, but I think it could be a bug fix into code.vtiger.com
        <http://code.vtiger.com>
        <http://code.vtiger.com>. Correct?

        If it is an extension and if possible to modify system tables,
        it could
        be  a security threat when admin password is compromised. But I
        cannot
        see any restrictions of installing a module in module manager,
        which can
        modify system tables. In this case you said is correct.


        Thanks
        Sutharsan Jeganathan

        On Wed, Feb 22, 2017 at 9:01 PM, IT-Solutions4You
        <[hidden email]
        <mailto:[hidden email]>
        <mailto:[hidden email]

        <mailto:[hidden email]>>> wrote:

             Reset password functionality was added to vtiger
        Marketplace (we was
             thinking about FREE extension), but was not published from
        this reason:

             This module directly manipulates system table having
        confidential
             information - not acceptable.

             Matus

             Dňa 22. 2. 2017 o 15:32 socialboostdk napísal(a):

                 Excellent - thank you very much!

                 Ok, the reset functionality i can then just fix and
        send as a
                 suggestion
                 for the VT-team.

                 Do you know if its possible to pull that part isolated
        (the target
                 implementation is vt 6.3) and implement, or does it
        involve a bigger
                 part of the platform?

                 Best,
                 Chris

                 On 21 February 2017 at 18:45, Alan Lord
                 <[hidden email]
        <mailto:[hidden email]>
                        <mailto:[hidden email]
        <mailto:[hidden email]>>
                        <mailto:[hidden email]
        <mailto:[hidden email]>
                        <mailto:[hidden email]
        <mailto:[hidden email]>>>> wrote:

                     On 21/02/17 17:23, socialboostdk wrote:

                         Hi there,

                         Currently contacts / portal-users password are
        stored as
                         plain-text. I
                         have a request to change those into some
        encrypted form.


                     This was changed in vtiger 6.5.0.

                     But the reset password functionality is broken.

                     Al

                     _______________________________________________
        http://www.vtiger.com/




                 _______________________________________________
        http://www.vtiger.com/



             _______________________________________________
        http://www.vtiger.com/




        _______________________________________________
        http://www.vtiger.com/



    _______________________________________________
    http://www.vtiger.com/




_______________________________________________
http://www.vtiger.com/



_______________________________________________
http://www.vtiger.com/


_______________________________________________
http://www.vtiger.com/