Posted to dev@roller.apache.org by Nelson Carpentier <ne...@gmail.com> on 2007/01/16 15:25:07 UTC

For Realz?!?

Hey All...

So, I was lookin' through one of my Roller installs last night, 'cuz I
was having some trouble...  But in the process I was taking a gander
through the database.

Then, in the immortal words of Keanu Reeves, I said "Whoa!"  Was that
my password I spied, in plain text!?!  Say it ain't so!!!

Did I have something mis-configured?  I'm not sure, I'd have to check
my other Roller instance...

Is this by design?  If it is, shouldn't we put a caution on the
"register" page encouraging people to have passwords different than
what they would normally use in a "high security" situation?  (Even if
that is implicitly understood by tech-advanced people, the explicit
reminder to the less-techy or less careful wouldn't be wasted...)

If this *is* an oversight, I'll put an entry into JIRA.  (I'd also
suggest we look at putting in some sort of preference for the login
page to be over HTTPS, then fall to HTTP when HTTPS is not
available...)  I may be able to help work on the issue in the next
coming weeks as well, but I can guarantee, 'cuz I'm getting ready to
move...

Thanks all!

- Nelz

Re: For Realz?!?

Posted by Nelson Carpentier <ne...@gmail.com>.
I got a new install of Roller up and running last night, WITH the
password encryption working.  Thanks for the help!

- Nelz

On 1/16/07, Nelson Carpentier <ne...@gmail.com> wrote:
> I think that the eventual move to a default of "true" is a good idea...
>
> In the meantime, maybe those password security settings should be
> highlighted under Section 8.1's "What properties you should set"
> heading in the Roller Install Guide.
>
> Thanx!  (And sorry for being alarmist...)
>
> - Nelz
>
> On 1/16/07, Dave <sn...@gmail.com> wrote:
> > You can turn on password protection by overriding these properties:
> >
> > # Password security settings
> > passwds.encryption.enabled=false
> > passwds.encryption.algorithm=SHA
> >
> > We default it to false to avoid breaking earlier installations that
> > still use plain text passwords.
> >
> > Perhaps it's time to switch to true and document a utility to convert
> > passwords from unencrypted to encrypted (doc and fix this up:
> > http://tinyurl.com/yxttur).
> >
> > - Dave
> >
> >
> >
> > On 1/16/07, Nelson Carpentier <ne...@gmail.com> wrote:
> > > Hey All...
> > >
> > > So, I was lookin' through one of my Roller installs last night, 'cuz I
> > > was having some trouble...  But in the process I was taking a gander
> > > through the database.
> > >
> > > Then, in the immortal words of Keanu Reeves, I said "Whoa!"  Was that
> > > my password I spied, in plain text!?!  Say it ain't so!!!
> > >
> > > Did I have something mis-configured?  I'm not sure, I'd have to check
> > > my other Roller instance...
> > >
> > > Is this by design?  If it is, shouldn't we put a caution on the
> > > "register" page encouraging people to have passwords different than
> > > what they would normally use in a "high security" situation?  (Even if
> > > that is implicitly understood by tech-advanced people, the explicit
> > > reminder to the less-techy or less careful wouldn't be wasted...)
> > >
> > > If this *is* an oversight, I'll put an entry into JIRA.  (I'd also
> > > suggest we look at putting in some sort of preference for the login
> > > page to be over HTTPS, then fall to HTTP when HTTPS is not
> > > available...)  I may be able to help work on the issue in the next
> > > coming weeks as well, but I can guarantee, 'cuz I'm getting ready to
> > > move...
> > >
> > > Thanks all!
> > >
> > > - Nelz
> > >
> >
>

Re: For Realz?!?

Posted by Nelson Carpentier <ne...@gmail.com>.
I think that the eventual move to a default of "true" is a good idea...

In the meantime, maybe those password security settings should be
highlighted under Section 8.1's "What properties you should set"
heading in the Roller Install Guide.

Thanx!  (And sorry for being alarmist...)

- Nelz

On 1/16/07, Dave <sn...@gmail.com> wrote:
> You can turn on password protection by overriding these properties:
>
> # Password security settings
> passwds.encryption.enabled=false
> passwds.encryption.algorithm=SHA
>
> We default it to false to avoid breaking earlier installations that
> still use plain text passwords.
>
> Perhaps it's time to switch to true and document a utility to convert
> passwords from unencrypted to encrypted (doc and fix this up:
> http://tinyurl.com/yxttur).
>
> - Dave
>
>
>
> On 1/16/07, Nelson Carpentier <ne...@gmail.com> wrote:
> > Hey All...
> >
> > So, I was lookin' through one of my Roller installs last night, 'cuz I
> > was having some trouble...  But in the process I was taking a gander
> > through the database.
> >
> > Then, in the immortal words of Keanu Reeves, I said "Whoa!"  Was that
> > my password I spied, in plain text!?!  Say it ain't so!!!
> >
> > Did I have something mis-configured?  I'm not sure, I'd have to check
> > my other Roller instance...
> >
> > Is this by design?  If it is, shouldn't we put a caution on the
> > "register" page encouraging people to have passwords different than
> > what they would normally use in a "high security" situation?  (Even if
> > that is implicitly understood by tech-advanced people, the explicit
> > reminder to the less-techy or less careful wouldn't be wasted...)
> >
> > If this *is* an oversight, I'll put an entry into JIRA.  (I'd also
> > suggest we look at putting in some sort of preference for the login
> > page to be over HTTPS, then fall to HTTP when HTTPS is not
> > available...)  I may be able to help work on the issue in the next
> > coming weeks as well, but I can guarantee, 'cuz I'm getting ready to
> > move...
> >
> > Thanks all!
> >
> > - Nelz
> >
>

Re: For Realz?!?

Posted by Dave <sn...@gmail.com>.
You can turn on password protection by overriding these properties:

# Password security settings
passwds.encryption.enabled=false
passwds.encryption.algorithm=SHA

We default it to false to avoid breaking earlier installations that
still use plain text passwords.

Perhaps it's time to switch to true and document a utility to convert
passwords from unencrypted to encrypted (doc and fix this up:
http://tinyurl.com/yxttur).

- Dave



On 1/16/07, Nelson Carpentier <ne...@gmail.com> wrote:
> Hey All...
>
> So, I was lookin' through one of my Roller installs last night, 'cuz I
> was having some trouble...  But in the process I was taking a gander
> through the database.
>
> Then, in the immortal words of Keanu Reeves, I said "Whoa!"  Was that
> my password I spied, in plain text!?!  Say it ain't so!!!
>
> Did I have something mis-configured?  I'm not sure, I'd have to check
> my other Roller instance...
>
> Is this by design?  If it is, shouldn't we put a caution on the
> "register" page encouraging people to have passwords different than
> what they would normally use in a "high security" situation?  (Even if
> that is implicitly understood by tech-advanced people, the explicit
> reminder to the less-techy or less careful wouldn't be wasted...)
>
> If this *is* an oversight, I'll put an entry into JIRA.  (I'd also
> suggest we look at putting in some sort of preference for the login
> page to be over HTTPS, then fall to HTTP when HTTPS is not
> available...)  I may be able to help work on the issue in the next
> coming weeks as well, but I can guarantee, 'cuz I'm getting ready to
> move...
>
> Thanks all!
>
> - Nelz
>
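Dave's reply above names the two properties that switch Roller from storing passwords in plain text to storing a digest, and suggests documenting a utility to convert existing rows. The following is an added Python example, not Roller's own code or the utility the thread refers to, showing what such a one-way migration and the matching login check look like, plus the audit a practitioner would run afterwards to confirm no plain-text rows remain. Assumptions (none of these are stated on the page): the Java `MessageDigest` name `SHA` maps to SHA-1, the stored value is the hex-encoded digest, the user table has a `passphrase` column, and the sample rows are constructed. The digests this setting produces are unsalted and fast, so the audit matters more than the conversion itself: once the migration has run, any row that still fails `looks_encoded` is a row that was never converted.

```python
import hashlib
import hmac
import re

# Constructed sample rows standing in for a Roller user table; not real data.
SAMPLE_USERS = [
    {"username": "alice", "passphrase": "correct horse"},
    {"username": "bob", "passphrase": "hunter2"},
]

# Java MessageDigest names (as used by passwds.encryption.algorithm) -> hashlib names.
# "SHA" in Java is SHA-1; the others are included for completeness (assumption: Roller
# passes the property straight to MessageDigest).
JAVA_TO_HASHLIB = {"SHA": "sha1", "SHA-1": "sha1", "MD5": "md5", "SHA-256": "sha256"}
HEX_DIGEST = re.compile(r"^[0-9a-f]+$")


def encode_password(plain: str, algorithm: str) -> str:
    """Hex digest of the password, as the encryption setting would store it (assumed encoding)."""
    name = JAVA_TO_HASHLIB[algorithm]  # KeyError for an algorithm we do not know
    return hashlib.new(name, plain.encode("utf-8")).hexdigest()


def looks_encoded(value: str, algorithm: str) -> bool:
    """Heuristic: a stored value is a digest if it has exactly the digest's hex length.

    A plain-text password that happens to be 40 lowercase hex characters would be
    misclassified, so treat this as an audit signal, not proof.
    """
    expected_len = hashlib.new(JAVA_TO_HASHLIB[algorithm]).digest_size * 2
    return len(value) == expected_len and bool(HEX_DIGEST.match(value))


def find_plaintext_rows(users, algorithm: str):
    """Post-migration audit: usernames whose stored value does not look like a digest."""
    return [u["username"] for u in users if not looks_encoded(u["passphrase"], algorithm)]


def convert_passwords(users, properties):
    """One-way migration of plain-text rows to digests; returns (new_rows, converted_count).

    Does nothing unless passwds.encryption.enabled is "true". Rows that already look
    encoded are left alone so that running the tool twice does not double-hash them.
    Hashing cannot be undone, so back the table up before running this for real.
    """
    if properties.get("passwds.encryption.enabled", "false").lower() != "true":
        return [dict(u) for u in users], 0
    algorithm = properties.get("passwds.encryption.algorithm", "SHA")
    converted, count = [], 0
    for user in users:
        row = dict(user)
        if not looks_encoded(row["passphrase"], algorithm):
            row["passphrase"] = encode_password(row["passphrase"], algorithm)
            count += 1
        converted.append(row)
    return converted, count


def check_password(stored: str, candidate: str, properties) -> bool:
    """Login check that honours the same two properties; constant-time comparison."""
    if properties.get("passwds.encryption.enabled", "false").lower() == "true":
        algorithm = properties.get("passwds.encryption.algorithm", "SHA")
        candidate = encode_password(candidate, algorithm)
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    props = {"passwds.encryption.enabled": "true", "passwds.encryption.algorithm": "SHA"}
    rows, n = convert_passwords(SAMPLE_USERS, props)
    print(f"converted {n} rows; still plain text: {find_plaintext_rows(rows, 'SHA')}")
    print("alice login ok:", check_password(rows[0]["passphrase"], "correct horse", props))
```

Running the conversion a second time reports zero rows converted, which is the property a migration tool must have before it is documented for operators; the `find_plaintext_rows` check is the thing to run against the real table after enabling the setting.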