Search…

X3 Photo Gallery Support Forums

Search…
 
wtremmel
Topic Author
Posts: 1
Joined: 13 Sep 2019, 09:59

Password storage

13 Sep 2019, 11:58

Hello,

I just tried out X3 and it really looks great.

What was not so great, is that I found my panel password and all user passwords as clear text in files.
How can it be that they are not hashed before storage? This is 2019. Anything that can be cracked will be - its just a matter of time.
Especially in a hosted environment where you do not have full control over the server.

Are there any plans for encrypted storage of passwords in X3?

Wolfgang
 
User avatar
mjau-mjau
X3 Wizard
Posts: 12303
Joined: 30 Sep 2006, 03:37

Re: Password storage

13 Sep 2019, 23:40

Hi.
wtremmel wrote:What was not so great, is that I found my panel password and all user passwords as clear text in files.
You are right. Encrypted passwords has already been scheduled, and I will be adding it to next X3 release!

I would like to make it 100% clear however, that your config.user.json file (where password is stored) is by no means accessible or readable to the outside world. For example from our demo:
demo.photo.gallery/config/config.user.json [forbidden]

Also, if you use the X3 panel database-version, logins are stored and encrypted in a database instead.
wtremmel wrote:Anything that can be cracked will be - its just a matter of time.
Especially in a hosted environment where you do not have full control over the server.
No CMS can truly protect you from users that have access to your server. They would already have access to your files and folders, and even Joomla and Wordpress need to store database login credentials in a file, which would make it easy to hi-jack the database (inject or modify users). Furthermore, it would not be complicated to edit some PHP to bypass the login mechanism. Even if logins are encrypted, anyone with access to where the the login is stored (database or file), can easily reset or modify the password with their own (encrypted or not).

Just to re-emphasize, i DO AGREE that encrypted passwords would be beneficial. Logically, there is no real reason you will gain much security from passwords being stored encrypted. Of course, passwords should never really be readable in the first place!
wtremmel wrote:Are there any plans for encrypted storage of passwords in X3?
Next release. Thanks again!
 
User avatar
mjau-mjau
X3 Wizard
Posts: 12303
Joined: 30 Sep 2006, 03:37

Re: Password storage

28 Mar 2020, 10:21

New release X3.28.0 now encrypts panel login passwords for improved security. With encrypted passwords, the password field in panel settings will appear empty. This is because encrypted passwords are irreversible, and although X3 can "verify" correct password, it cannot decrypt or read the password into the panel.

PS! Passwords will NOT automatically be encrypted after updating existing X3 websites. If you want to encrypt your password, go to Settings › Panel, re-enter your password and click save. Upon save, new password will be encrypted and stored.


Read about latest release:
www.photo.gallery/blog/photo-gallery-x3-28/