2008/10/19 11:23:30
#1

[Important] ImpressCMS Website & User Accounts

With regard to THIS news article relating to the upgrade of the ImpressCMS support websites.

The upgrade of the ImpressCMS network sites to our latest version, 1.1, offers us an opportunity to use some specific features of 1.1 which will improve the security of the sites and also protect the password hashes of users stored in the database.

However, in order for us to achieve this goal, after the upgrade we will need to change the password encryption method that the ImpressCMS network of sites will use.

At the moment users' passwords are stored in the database using an md5 hash. Whilst the password is not plaintext, we know from past experience that md5 is no longer a secure method, and if the site is compromised we can't guarantee that your encrypted password will be safe from decryption.

I am proposing that we change the encryption on the sites to use a more secure method which is now available in version 1.1.

The new encryption to use, I would say, would be either sha256 or sha512, and it will use 2 separate salt keys of 64 characters each, giving added protection; one of those benefits being that users with the same password (it does happen) will not in future have the same password hash, hence further security in that regard.

In order to achieve this, once the encryption is changed on the site, every user account on the site will have its current password expired, which means autologin and password managers will fail (until the user resets their password).
ImpressCMS 1.1 makes allowances for this, and upon first logging in after the upgrade you will be presented with a password expired/reset password screen.

The screen is self-explanatory, but in order for your password to be reset, and hence to allow you to log in, you must fill out the form correctly (see attached screenshot below).

You must enter the following information in order to reset your password.

1. Username.
2. Email address (the email address that is registered to that username).
3. Current password (this is your current password).
4. New password (this will be the new password which you will use to log in again; it can be the same as your previous password, but it is required in order to create a new salted password hash).

Once complete, an email will be sent to the registered email address confirming that your password has been reset.

You can then log in with your new password.

Please discuss if you think we should go ahead with this move, and feel free to ask any questions regarding it.

Thanks,

The ImpressCMS Team.

Attached file: Screenshot-User Login : ImpressCMS - Mozilla Firefox.png


_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!
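The two pieces of the proposal above, the salted sha256/sha512 hash replacing the bare md5 digest and the four-field reset form that re-hashes an expired account on first login, as an added worked example in Python. This is not ImpressCMS's own code (which is PHP) and does not claim to match its schema; the user table is constructed for the example, and the way the two 64-character salts are combined with the password (salt1, then password, then salt2) is an assumption, since the post names the algorithms and salt length but not the layout.

```python
import hashlib
import hmac
import secrets

# Constructed user table for this example; it is not ImpressCMS's real schema.
# Both rows still carry an unsalted md5 hex digest and the upgrade has flagged
# them expired. alice and bob chose the same password, so their legacy md5
# hashes are identical, which is exactly the weakness the post describes.
USERS = {
    "alice": {"email": "alice@example.invalid", "scheme": "md5",
              "hash": hashlib.md5(b"correct horse").hexdigest(),
              "salt1": None, "salt2": None, "expired": True},
    "bob":   {"email": "bob@example.invalid", "scheme": "md5",
              "hash": hashlib.md5(b"correct horse").hexdigest(),
              "salt1": None, "salt2": None, "expired": True},
}


def new_salts():
    """Two independent 64-character hex salts (32 random bytes each)."""
    return secrets.token_hex(32), secrets.token_hex(32)


def salted_hash(password, salt1, salt2, algo="sha256"):
    """Hash salt1 || password || salt2 with sha256 or sha512.

    Assumption for this example: the post gives the algorithms and salt
    length but not how the salts are combined, so this layout is ours.
    """
    h = hashlib.new(algo)
    h.update(salt1.encode("ascii"))
    h.update(password.encode("utf-8"))
    h.update(salt2.encode("ascii"))
    return h.hexdigest()


def verify(user, password):
    """Check a password against whichever scheme the row currently uses."""
    if user["scheme"] == "md5":
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
    else:
        candidate = salted_hash(password, user["salt1"], user["salt2"], user["scheme"])
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(candidate, user["hash"])


def login(users, username, password):
    """Post-upgrade login: an expired account is refused even with the right
    password, which is why autologin and password managers fail until reset."""
    user = users.get(username)
    if user is None or user["expired"]:
        return False
    return verify(user, password)


def reset_expired_password(users, username, email, current_password, new_password, algo="sha256"):
    """The four-field reset form: username, registered email, current password,
    new password. All four must check out. On success the account gets two
    fresh salts, the new password (which may equal the old one) is stored under
    the salted scheme, and the expired flag is cleared. Returns True on success,
    False otherwise; a real site would also send the confirmation email here."""
    user = users.get(username)
    if user is None:
        return False
    if user["email"].lower() != email.strip().lower():
        return False
    if not verify(user, current_password):
        return False
    salt1, salt2 = new_salts()
    user.update(scheme=algo, salt1=salt1, salt2=salt2,
                hash=salted_hash(new_password, salt1, salt2, algo), expired=False)
    return True


if __name__ == "__main__":
    print("alice login before reset:", login(USERS, "alice", "correct horse"))
    print("alice reset:", reset_expired_password(USERS, "alice", "alice@example.invalid",
                                                 "correct horse", "correct horse"))
    print("bob reset:", reset_expired_password(USERS, "bob", "bob@example.invalid",
                                               "correct horse", "correct horse"))
    print("alice login after reset:", login(USERS, "alice", "correct horse"))
    print("same password, different hashes:", USERS["alice"]["hash"] != USERS["bob"]["hash"])
```

Running it shows the sequence the post describes: the expired account is refused at login, the reset succeeds only when username, registered email and current password all match, and after both users keep the very same password their stored hashes are no longer equal because each row got its own pair of salts.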

2008/10/19 13:38:04
#2

Re: [Important] ImpressCMS Website & User Accounts

Thanks for the excellent explanation Vaughan.

As one of the very cool features we have introduced in ImpressCMS 1.1, the password encryption is definitely something I feel we should be using on all our sites.

If there had been a way to use this awesome feature without having to ask everyone to reset their password, we would have done it. But unfortunately there is not a secure way to do this.

So, at the end of the day, we will all have to take 2 minutes of our time to reset our password once on this site to benefit from much more security. It goes without saying that we recommend every site that will be using ImpressCMS 1.1 do the same.

Although there is no way of protecting a site from 100% of hacking attempts, we feel that ImpressCMS 1.1 is the most secure version yet, and we will keep improving it on a daily basis!

As usual, all comments are welcome!

_________________
Marc-André Lanciault
Founder and CEO INBOX International inc.
Co-Founder ImpressCMS

2008/10/19 19:35:06
#3

Re: [Important] ImpressCMS Website & User Accounts

Good stuff

_________________
If you want to know the truth do not listen to what people say. Look at what they *do* and you will know their heart.

2008/10/20 3:44:01
#4

Re: [Important] ImpressCMS Website & User Accounts

Quote:
Zaphod wrote:
Good stuff

Equal

_________________
Giba

2008/10/20 7:06:37
#5

Re: [Important] ImpressCMS Website & User Accounts

Please do so.


2008/10/20 20:33:05
#6

Re: [Important] ImpressCMS Website & User Accounts

Yup I'm in favour!

