kubajal
commented
5 years ago OK, after some more investigation I think that implementation would not be that hard. There are 2 things to do in order to encrypt passwords:
- encrypt all "password" fields, probably using Submissions Pre-Parser (is there a better way? I imagine there must be a more low-level way to do so for example hardcoding encryption in the module that implements all default field types, but I do not know which one that is),
- in the Users class of Submission accounts change:
- login function so that it validates passwords using the same encryption method as in 1.,
- sendPassword to generate a random password and send it to the user instead of sending the password from the database as plain text.
There are some more questions I have in mind:
- Would low-level encryption of all "password" fields have any impact on other modules than Submission Accounts?
- What encryption method would you recommend? Would password_hash() with PASSWORD_BCRYPT be sufficient?
mmelon
philipschilling
Hello, to begin with, Submission Accounts is a very useful module that I want to use in order to register editable submissions in my NGO organization. The problem I am facing is that according to https://docs.formtools.org/userdoc/field_types/ft_passwords/ fields of type "Password" are stored as plain text. It is possible to see their unencrypted value in the database, which imho discourages the usage of Submission Accounts. Is there any extension to Form Tools that encrypts password fields? If not, how would such an extension look like? Any tips would be welcome because I have only very basic knowledge of PHP. I assume that the prefered way to implement such a functionality is to use Submission Pre-Parser. There we can extract the password field from the POST request, use some kind of hashing to encrypt it and then save the result to the database, am I right? Thanks in advance.