[freeside] Passwords over 12 chars

ivan at 420.am
Wed Sep 3 04:02:33 PDT 2003


On Tue, Sep 02, 2003 at 08:21:48AM -0700, Kristian Hoffmann wrote:
> 
> On Mon, 1 Sep 2003 ivan at 420.am wrote:
> 
> > Need another field in svc_acct for password encryption/encoding, values
> > like "none", "des", "md5", "blowfish".  Ticket 131 in the bug tracking
> > system.  Patches appreciated; this is high priority for 1.5.0.
> 
> Shouldn't that just be an export option?

No.  There might also be export options that control encryption of
exported passwords, but the field I'm talking about here defines the
encoding of the password in the svc_acct table itself.  If you import
DES-encrypted passwords into the database, they should be identified
with svc_acct._password_encoding set to "des", not because
svc_acct._password is 13 characters and matches a regex.

> Is it safe enough to assume that someone is going to store all plain
> text passwords, or md5 passwords, etc. for a given service definition?

No.  A common scenario is importing encrypted passwords from a legacy
system, but adding new passwords in plaintext.

> Plus, I'd hate to add yet another field in the already, mmmm, bloated
> svc_acct.

Bollocks.  :)

-- 
_ivan
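
The following is an added example, not part of the original message and not Freeside code. It contrasts guessing the encoding from the shape of `_password` with reading an explicit `_password_encoding` value, and audits where the two disagree. The rows, usernames, and function names are constructed for illustration; the hash-shaped strings are not real hashes.

```python
import re

# Encodings named in the thread for the proposed svc_acct._password_encoding field.
VALID_ENCODINGS = {"none", "des", "md5", "blowfish"}

# Traditional crypt(3) DES output: 2-char salt + 11-char hash, alphabet [./0-9A-Za-z].
DES_SHAPE = re.compile(r"^[./0-9A-Za-z]{13}$")

def guess_encoding(stored):
    """Shape-based guess: the approach the message argues against."""
    if stored.startswith("$1$"):
        return "md5"            # md5-crypt prefix
    if stored.startswith(("$2$", "$2a$")):
        return "blowfish"       # bcrypt prefixes
    if DES_SHAPE.match(stored):
        return "des"
    return "none"

def recorded_encoding(row):
    """Trust the explicit field, and refuse values outside the known set."""
    enc = row["_password_encoding"]
    if enc not in VALID_ENCODINGS:
        raise ValueError("unknown _password_encoding: %r" % enc)
    return enc

def audit(rows):
    """Return (username, recorded, guessed) for rows a shape guess gets wrong."""
    wrong = []
    for row in rows:
        recorded = recorded_encoding(row)
        guessed = guess_encoding(row["_password"])
        if guessed != recorded:
            wrong.append((row["username"], recorded, guessed))
    return wrong

# Constructed sample rows: a legacy import mixed with newly added plaintext.
ROWS = [
    {"username": "alice", "_password": "abJnggxhB/yWI", "_password_encoding": "des"},
    {"username": "bob", "_password": "hunter2", "_password_encoding": "none"},
    # 13-character plaintext drawn entirely from the crypt alphabet.
    {"username": "carol", "_password": "Winter2003pwd", "_password_encoding": "none"},
    {"username": "dave", "_password": "$1$abcdefgh$0123456789abcdefghijkl",
     "_password_encoding": "md5"},
    # Plaintext that happens to start with the md5-crypt prefix.
    {"username": "erin", "_password": "$1$million", "_password_encoding": "none"},
]

if __name__ == "__main__":
    for username, recorded, guessed in audit(ROWS):
        print("%s: recorded=%s guessed=%s" % (username, recorded, guessed))
```

A plaintext password that a guess classifies as already hashed would be compared or exported as if it were a hash, which is the failure the explicit field avoids.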


