Posted

For example, the enom module stores and displays the account password in plain text.  It would add a bit of peace of mind if this could be stored using some sort of two-way encryption like mcrypt perhaps and then obviously displayed as a password field and not plain text.

 

This would probably be a pretty minor fix.

Posted
  On 10/11/2014 at 3:29 PM, Licensecart said:

+1 would be nice if it was bcrypt & SHA256 or something which Blesta uses :D

 

To my knowledge bcrypt isn't reversible.  Whatever is used has to be reversible since the password has to be sent to the API as the password, not an encrypted value.

Posted
  On 10/11/2014 at 3:31 PM, Jonathan said:

To my knowledge bcrypt isn't reversible.  Whatever is used has to be reversible since the password has to be sent to the API as the password, not an encrypted value.

 

Blesta has a decryption for their sort of encryption things so they can use what they do for fields and card details :D

Posted

Service meta data (service_fields table values) can be encrypted with AES256. The module controls this, and an example is the cPanel module, which encrypts cPanel passwords. I believe module row data can also be encrypted, but Cody or Tyson will need to confirm.

Posted
  On 10/11/2014 at 4:10 PM, Paul said:

Service meta data (service_fields table values) can be encrypted with AES256. The module controls this, and an example is the cPanel module, which encrypts cPanel passwords. I believe module data can also be encrypted, but Cody or Tyson will need to confirm.

 

Great!  Then I guess my request is even easier: let's make this default for the key/password field in the enom module in the core release so I don't have to merge changes every release.  It's a better default setting anyway, why not secure anything powerful since the ability is already there and sounds so easy to use.  A tad bit of overhead for decryption here is not a bad tradeoff for immensely better storage of such credentials.

Posted
  On 10/11/2014 at 4:10 PM, Paul said:

Service meta data (service_fields table values) can be encrypted with AES256. The module controls this, and an example is the cPanel module, which encrypts cPanel passwords. I believe module row data can also be encrypted, but Cody or Tyson will need to confirm.

 

That's it :D haha AES256, can maybe all modules on Blesta encrypt the passwords with it mate?

Posted
  On 10/11/2014 at 3:26 PM, Jonathan said:

For example, the enom module stores and displays the account password in plain text.  It would add a bit of peace of mind if this could be stored using some sort of two-way encryption like mcrypt perhaps and then obviously displayed as a password field and not plain text.

 

This would probably be a pretty minor fix.

Blesta is able to encrypt every field with a simple modification :)

For example the Private Notes encrypted that we have released or the openSRS modules, also has the keys and salt hash encrypted in the database :)

Posted

The enom module already encrypts the API key. The only other module data stored is the username and whether or not sandbox should be used. Neither of which need to be encrypted.

 

It's important to keep in mind that encrypted text is unsearchable.
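
The distinction running through this thread (bcrypt is one-way, a stored API credential needs two-way encryption, and encrypted values cannot be searched), as an added example that is not any poster's code or Blesta's own. It uses PHP's openssl extension with AES-256-GCM rather than mcrypt; the function names, key handling and sample credential are assumptions made for illustration.

```php
<?php
// Added illustration in plain PHP; not Blesta's encryption code.
// encryptField()/decryptField() are hypothetical helper names.

/** Encrypt with AES-256-GCM; returns base64(iv || tag || ciphertext). */
function encryptField(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);   // fresh nonce for every stored value
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

/** Reverse encryptField(); throws if the value was altered or the key is wrong. */
function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {   // 12-byte nonce + 16-byte tag
        throw new RuntimeException('malformed stored value');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

$key    = random_bytes(32);            // assumption: really loaded from config, kept outside the database
$apiKey = 'sample-registrar-api-key';  // constructed sample value

// Two-way: decryption returns the original, so it can be sent to the remote API.
$a = encryptField($apiKey, $key);
$b = encryptField($apiKey, $key);
var_dump(decryptField($a, $key) === $apiKey);

// Unsearchable: the same plaintext yields a different stored value each time,
// so an equality lookup on the column cannot find it.
var_dump($a === $b);

// One-way: bcrypt can only confirm a guess; the original cannot be read back out.
$hash = password_hash($apiKey, PASSWORD_BCRYPT);
var_dump(password_verify($apiKey, $hash));
```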

Posted

Hmm looks like you're right.  The display of it in plain text threw me.

 

Would love it if the text box for the field could be converted to type="password".

Posted
  On 10/13/2014 at 11:17 PM, Cody said:

The enom module already encrypts the API key. The only other module data stored is the username and whether or not sandbox should be used. Neither of which need to be encrypted.

 

It's important to keep in mind that encrypted text is unsearchable.

 

 

I think it's because of the <input type="text" and it should be <input type="password"; the type "password" is not available in the core function (I have tried in Blesta 3.1 for the InternetBS Module and I saw that the type password is not available)

Posted
  On 10/14/2014 at 9:45 AM, PauloV said:

I think it's because of the <input type="text" and it should be <input type="password"; the type "password" is not available in the core function (I have tried in Blesta 3.1 for the InternetBS Module and I saw that the type password is not available)

 

That's not true.

<?php
$this->Form->fieldPassword("field_name", array('value' => "field_value"));
?>

Posted
  On 10/14/2014 at 3:14 PM, Cody said:

 

That's not true.

<?php
$this->Form->fieldPassword("field_name", array('value' => "field_value"));
?>

 

 

You are right Cody :)

 

I have found what I did wrong :)

 

In the past I had tried it like this:

$this->Form->fieldPassword("hashkey", $this->Html->ifSet($vars->hashkey), array('id' => "hashkey"));

And as you can see I only changed the "fieldText" to "fieldPassword", and I can see it's not complete (beginners, that didn't look correctly at the Blesta classes) :P

 

and the correct way is to add an Array to the "types" like so:

$this->Form->fieldPassword("hashkey", array('value' => $this->Html->ifSet($vars->hashkey), 'id' => "hashkey"));

And voila, it's working :)

 

Already implemented in all our Modules/Plugins that ask for sensitive data ;)

 

Thanks Cody for clarifying that, and sorry for misleading people :(
