2016-03-14, 04:53:44
(This post was last modified: 2016-03-14, 05:00:02 by HelgeSverre.)
(2016-03-14, 00:36:43)Bigin Wrote: You should never keep unhashed passwords in database/files
instead of
Code:$note->addCData($password);
at the very least use:
Code:$xml->addChild('password', sha1($password.$a_random_salt));
$xml->addChild('salt', $a_random_salt);
addCData is not required in this case.
Or even better, use the PHP function specially intended for that:
http://php.net/manual/en/function.password-hash.php
regards
Yes, in ordinary circumstances it is true that you should never store passwords in cleartext as I have done, but in this case it does not need to be encrypted or hashed due to the following reasons:
- The password is supposed to be displayed in the page edit area. (Main reason why it is plain text)
- It is only viewable to admins.
- If someone gains access to your server (FTP, SSH or otherwise) you have bigger problems than a plaintext password protected page.
- The password is specific to only the page it is applied on; knowing this password does not give you any further privileges into the system.
(2016-03-13, 23:31:18)Charpy1 Wrote: Great idea!
I did a French lang file (http://get-simple.info/extend/plugin-language/french-language-for-password-protect-plugin/1023/ ), you may include it if you want.
Hmmm.. You are saving the password in clear text, aren't you?
Thanks!
I have included the translation in GitHub, will put it out into extend soon.
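
The hashed storage suggested in the quoted reply (password_hash instead of a cleartext or sha1 value), as an added example that is not part of the original posts and not the plugin's own code. The element name `password_hash` and both function names are hypothetical; storing only a hash means the password can no longer be displayed in the page edit area.

```php
<?php
// Added example: per-page password kept as a password_hash() digest in XML.
// Element and function names are hypothetical, not taken from the plugin.

/** Replace any stored digest on the page node with a fresh one. */
function setPagePassword(SimpleXMLElement $page, string $password): void
{
    // password_hash() generates a random salt per call and embeds it,
    // along with the algorithm and cost, in the returned string,
    // so no separate <salt> element is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    unset($page->password_hash);              // drop any previous value
    $page->addChild('password_hash', $hash);
}

/** Verify a visitor-supplied password against the stored digest. */
function checkPagePassword(SimpleXMLElement $page, string $candidate): bool
{
    $stored = (string) $page->password_hash;
    if ($stored === '') {
        // This example's choice: a missing digest denies access
        // instead of being read as "page has no password".
        return false;
    }
    if (!password_verify($candidate, $stored)) {
        return false;
    }
    // Upgrade the digest transparently when PHP's default algorithm
    // or cost has changed since it was written.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        setPagePassword($page, $candidate);
    }
    return true;
}

// Constructed sample page node, built inline so the script runs offline.
$page = new SimpleXMLElement('<item><title>Members</title></item>');
setPagePassword($page, 'correct horse battery staple');

var_dump(checkPagePassword($page, 'correct horse battery staple'));
var_dump(checkPagePassword($page, 'wrong guess'));
echo $page->asXML(), "\n";   // shows the stored digest, never the password
```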