Update clear text passwords

[MuhammadWaqas05]

I did research about this issue.We can do it using encryption.It will take about 2 days to get completed.

[MuhammadWaqas05]

At the moment, any member's password is saved as a plain text,i.e: passwords are totally visible and understandable. Since, anyone can see the passwords from members db hence he can also log into other members account. We can fix this problem through "Password Encryption". There is a JavaScript library named as CryptoJS which is used to encrypt and decrypt any string.Here is overview of both terms: Encryption: Converting plain text To other text format(normally it is base64) Decryption: Converting the encrypted text to its plain text value. We can use the above mentioned library to do our password encryption and decryption work.Here are the flow of different scenarios in which it will be used: Scenario#1 Adding new Member(becoming new member): -The user will fill in the new member form and will set the password of his/her desire,lets say password is "bell". After that he/she will submit the form. -There will be a method which will encrypt the given password , e.g: "bell" is the password value and after encryption it is "787c78d787d97". -After encrypting the plain text password, member's record will be saved in the db with encrypted value of password.(Note: User will not be worried about encrypted value, he just have to log-in the normal way providing password in plain text format)

Scenario#2 Editing OR viewing the member details in the app: -When members will be edited or will open the member details page then the members will be shown there plain text password.The password of member will be fetched from db(which will be encrypted value) and it will be decrypted to its plain value to show it on details page. -If user changes the password then the steps will be same as scenario#1(last two steps).

Scenario#3 Member Login Form(Most important): -Member will enter login and password. -The member details of entered login will be fetched. -Decrypting the password value fetched from members db. -If the decrypted value of the password is some string then it means that the encryption were already used and it is a new community(no need to encrypt the password again as it is already saved in the db with encrypted value) -If the decrypted value of the password is null string, it means that the password was plain text and needs to be encrypted(it is an old member and old community). So it will be encrypted and hence saved into the db. -There will be no disturbance to the user(to get login etc.). Login and all the scenarios will run in there normal/original way for all communities(Older and New).

[MuhammadWaqas05]

Hi @Stephan, I came to know about your concern regarding base64, so I wanted to clear that I just shared it as an example to illustrate the encryption process. In actual, it has nothing to do with base64. Rather, it involves proper encryption algorithm known as AES (Advanced Encryption Standard) . You can find more about this on following links, http://www.movable-type.co.uk/scripts/aes.html https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

[dogi]

think we want something like

https://www.npmjs.com/package/bcryptjs

or

https://github.com/nevins-b/javascript-bcrypt

[MuhammadWaqas05]

We can use the above mentioned library to do our password hashing and then matching the saved hash.Here are the flow of different scenarios in which it will be used:

Scenario#1 Adding new Member(becoming new member): -After hashing the plain text password, member's record will be saved in the db with hash value of password.When user will log-in, his provided password will be converted to hash value and then this hash value will be matched with the db's hash value.(For checking his/her credentials i.e: login & password)

Scenario#2 Editing OR viewing the member details in the app: -When members will be edited or will open the member details page then the members will not be shown there passwords.The password field will be empty.When user will want to change password, the old password's hash will be matched with the hash password of member.The new changed password will be saved as hash value in db.

[dogi]

other Scenario is to use couchdb stuff for our purpose:

• http://guide.couchdb.org/draft/security.html
• http://www.staticshin.com/programming/what-does-_security-secure-in-couchdb/

[dogi]

couchdb user security:

{ "_id": "org.couchdb.user:test2", "_rev": "2-5ccb293e7ba5e0dda35f61bf1496de25", "password_scheme": "pbkdf2", "iterations": 10, "name": "test2", "roles": [ ], "type": "user", "derived_key": "260b16017d287f19ead59295762d310ed7af7ee9", "salt": "6e06d1e9aa9ed382d30bd5b9a1ad8a0b" }

-> https://en.wikipedia.org/wiki/PBKDF2

[sente]

@dogi and I confirmed these results by using https://github.com/mitsuhiko/python-pbkdf2

In [1]: from pbkdf2 import *

In [2]: print pbkdf2_hex('test2', '6e06d1e9aa9ed382d30bd5b9a1ad8a0b', 10, keylen=20)

260b16017d287f19ead59295762d310ed7af7ee9

This matches the derived_key from couchdb's user security.

[sente]

And here's the node's version of this, notable namely because of the sha1

var pbkdf2 = require('pbkdf2')
var derivedKey = pbkdf2.pbkdf2Sync('test2', '6e06d1e9aa9ed382d30bd5b9a1ad8a0b', 10, 20, 'sha1')
JSON.stringify(derivedKey)

What we need to do now is make this browserablek perhaps with https://www.npmjs.com/package/browserify

[sente]

This has been implemented:

https://github.com/open-learning-exchange/BeLL-Apps/commit/a379189bcdaaae96b2ba3718b7efb355f63ba841