Announcement

#1 2018-11-12 16:30:20

NicoPL
Member
2017-07-06
6

Make sure the registration / login is secure

Hello,

What a surprise when I started to use Piwigo when I noticed that the passwords of users were sent by email, in clear text.
My friends and families were annoyed and scared of seeing their passwords not protected in emails.

So I have 2 questions:

- how can we disable the action of sending the password of users in the email when they choose "Send my connection settings by email". Why is not disabled by default?
- can you confirm that the login procedure is secured, and that login/passwords are not sent in clear in a request? I wish the password is not stored in clear in the database but a hash.

Best!

Piwigo version: 2.9.4
Piwigo URL: http://worldsways.org/gallery

Offline

 

#2 2018-11-12 20:50:23

executive
Member
2017-08-16
505

Re: Make sure the registration / login is secure

It's just pictures LOL. Not your bank account.

Online

 

#3 2018-11-13 01:39:40

erAck
Member
2015-09-06
171

Re: Make sure the registration / login is secure

Sending passwords in emails is ugly and a bad habit indeed. But what do you expect if you check the Send connection settings by email box under the Username/Password/Email fields when adding a user?

Other than that, if the connection is https then the login is secured, if it is http then of course it is not. This is something you as the site operator are responsible for.

The password is not stored in clear text but hashed.


Running Piwigo at https://erack.net/gallery/

Offline

 

#4 2018-11-13 11:04:10

NicoPL
Member
2017-07-06
6

Re: Make sure the registration / login is secure

Hi,

I thank you @erAck for such details.
In most of login procedures encountered on the Internet, the password is not sent. The hash process is sent by the server, and then the client send his/her password already hashed.

What I understand in here is that the password is sent through http or https.

Storing picture may seem not to be a big deal and would not require high authentification procedure (as @executive says). BUT I received several complaints because some of my users used passwords they also use for more critical websites.
And they are absolutely not reassured when receiving their password by email.
Even when checking the "Send connection settings by email" box, they were not expecting to receive their password.

Then, is it possible update the code to:
- upgrade the security process when dealing with authentification?
- remove the password from the email?

Cheers

Offline

 

#5 2018-11-13 19:03:13

erAck
Member
2015-09-06
171

Re: Make sure the registration / login is secure

NicoPL wrote:

In most of login procedures encountered on the Internet, the password is not sent. The hash process is sent by the server, and then the client send his/her password already hashed.

I don't believe that's done "in most of login procedures", if any. And doing so would be pointless because then it would be the same as if the password was stored in clear text and sent by the client in clear text. Sending a hash to compare against a stored hash is not much different, a stolen hash would be as good as a stolen password. You could combine the hashing with a challenge-response mechanism and get something like HTTP Authentication RFC 7235 which is done using HTTP header fields, maybe you're confusing things there.

The only thing that helps, also against stealing session keys and cookies, is a connection over https. And then transferring the password to let the server hash it is no problem.

I received several complaints because some of my users used passwords they also use for more critical websites.

That's clearly something they should not do.

Then, is it possible update the code to:
- remove the password from the email?

You can edit the file include/functions_user.inc.php and remove line 260 that reads

Code:

        get_l10n_args('Password: %s', stripslashes($password)),

Be aware though that a Piwigo upgrade will overwrite that file and you'll have to redo the change (or store a diff and apply the patch after an upgrade). If you use [extension by plg] Check Files Integrity to check file integrity you may also want to update the file's sha1sum in plugins/check_files_integrity/data/piwigo-2.9.4-sums.txt (or corresponding to your version) to not get annoyed by its hits.


Running Piwigo at https://erack.net/gallery/

Offline

 

#6 2018-11-13 22:21:47

executive
Member
2017-08-16
505

Re: Make sure the registration / login is secure

erAck wrote:

I received several complaints because some of my users used passwords they also use for more critical websites.

That's clearly something they should not do.

Exactly. That is their own fault.

Online

 

#7 2018-11-14 15:14:17

NicoPL
Member
2017-07-06
6

Re: Make sure the registration / login is secure

executive wrote:

Exactly. That is their own fault.

Thank you but your troll doesn't help us.
It's not because some users may not be as aware as you about security issues that we don't have any responsibility in avoiding them to be in trouble. If we are aware, we do the job.

Keeping a hash of the passwords in the database, but sending by email the password in plain text is nonsense for me.

erAck wrote:

I don't believe that's done "in most of login procedures"

My mistake, I apologise. I was confused about the "challenge/response" process and the "salting" process.


I still believe that this is a wrong practice to send a password in plain text by email.
I'm not the only one to think so:
https://www.google.com/search?&q=co … gistration

You can even find a tumblr http://plaintextoffenders.com/ that lists all websites with wrong practices.

erAck wrote:

You can edit the file include/functions_user.inc.php and remove line 260 that reads

Thanks a lot for that, I wish we could remove it by default in the next upgrades of Piwigo.

Offline

 

#8 2018-11-14 18:09:46

flop25
Piwigo Team
2006-07-06
6918

Re: Make sure the registration / login is secure

Keeping a hash of the passwords in the database, but sending by email the password in plain text is nonsense for me.

for you certainly
but that's two different things
to get the password by email, it would require a surveillance of network at the instant of the transaction and the failure of security along the line
to get the password from db, it requires an access and a very very very long time to decrypt it
both are not 100% hack proof
both are certainly secure enough for anyone not highly targeted

There is a HUGE difference between sending the password in plain text AFTER the storage in database and at the moment of its creation. And people from what you're quoting are confusing both


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#9 2018-11-14 18:10:49

flop25
Piwigo Team
2006-07-06
6918

Re: Make sure the registration / login is secure

instead of changing core files you probably can intercept the password via a trigger and/or change the template for public registration


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#10 2018-11-14 21:17:17

executive
Member
2017-08-16
505

Re: Make sure the registration / login is secure

It's not trolling just common sense . It's like handing out keys to my house to everybody.

Online

 

#11 2018-11-16 09:55:37

NicoPL
Member
2017-07-06
6

Re: Make sure the registration / login is secure

flop25 wrote:

There is a HUGE difference between sending the password in plain text AFTER the storage in database and at the moment of its creation.

Yes I do agree with that. I understood that the password is stored hashed in the database, and I'm perfectly happy with that :)

flop25 wrote:

Instead of changing core files you probably can intercept the password via a trigger and/or change the template for public registration

Good idea! thank you for that, I'm gonna try it.

Offline

 

Board footer

Powered by FluxBB

github twitter facebook google+ newsletter Donate Piwigo.org © 2002-2019 · Contact