teppo

Storing passwords in module config

I'm having problems with password inputs within module config:

First of all, it seems that simply inserting a Password inputfield and storing its data isn't enough; everything seems to work fine, but the password gets stored as plain text, which is obviously not a good idea. I could of course apply some custom logic here, but IMHO that shouldn't really be necessary (and it would most likely just create new security problems in the long run); am I missing something or is this a real problem?

Another thing is that within module config the password input gets saved each time module settings are saved, which doesn't seem like correct behavior; shouldn't it only get saved when the value has changed? Current behavior forces the user to re-insert her password each time module config is saved (this actually applies to other inputs also, though this is probably the only situation where it causes problems.)

I thought this latter problem could be avoided by setting the password input value, but that doesn't seem to work either; the value is cleared at some later point, before the input is rendered.

So, what am I doing wrong here and any ideas how to fix it? :)

Password field is not made for use like this. Module config stores a json array. But password needs to be a field on a page as it stores pass and salt. Also when using it like you do you only use the inputfield and not the fieldtype which encrypts the data. You may consider using a page to store.

Password field is not made for use like this. Module config stores a json array. But password needs to be a field on a page as it stores pass and salt. Also when using it like you do you only use the inputfield and not the fieldtype which encrypts the data. You may consider using a page to store.

Thanks, @Soma. You're probably right here (as always.)

Still having to create a special configuration page just because one module setting happens to be a password seems more than a bit awkward. I don't really see the connection between JSON and plain text; there's nothing wrong with storing a hash within JSON and I'm sure it could be done without clashing with "real" values -- especially considering that certain names are already "reserved" (anything starting with "_" won't get saved.) :)

You could also add a password field to the admin template.

Altering the admin template would probably be fine if I planned this module only for my own use, but since that's not the case here it simply doesn't feel right :)

I'll probably take the custom page route here. Doesn't feel right and requires reinventing some things that default module config has already solved, but I don't really see any other options.

Actually, there's one huge problem with my approach, which I only just realized (writing things up somewhere tends to help thinking process, should do that more often.)

In this case I need to know what that password is in order to use it for authentication with an external service. The problem is that this pretty much forces me to write it somewhere in plain text or ask for it every time connections to said service are made. Unless I'm missing something important here, that is.

So essentially module config storing the password in plain text isn't really the problem here -- storing it securely but still using it this way is. Ideas, anyone? How do you usually solve this kind of problem, or do you just avoid it? :)

Edit: taking a quick look at some related questions at Stack Overflow, I'm starting to think that encrypting the passwords stored in database and storing key either within module code or (probably as an alternative option) in a file within module directory might provide slightly improved security.

Still, the real problem is that a password is even required here, and sadly that's something I have absolutely no way to bypass.

Since the password has to be retained to send to the service at runtime, there's not much point in trying to hash it. And if you encrypt it, who are you ultimately trying to prevent from seeing it? I suppose it depends on what the password is ultimately used for. But I don't think you should try to overthink it too much because we're talking about one password for [presumably] a non-critical service… not a database of passwords for multiple users that are likely spread out over multiple services. The problems from storing passwords in plain text or loosely hashed become real when you are dealing with user accounts at some scale beyond yourself. But in your case, in order for someone to get to that single password, they will have had to have already compromised the system and broken into the database. So long as you aren't building a banking application or something high security, I think it's reasonable to just store the single password in the module config? After all, the database password itself is ultimately in plain text on all web servers too. But it is secure enough for all of us to trust our sites to.

If you find that the password you need to store really is something that needs more security than the database itself, let me know and I may be able to suggest a couple things.

As for the inputfield, try using InputfieldText with ->attr('type', 'password'); rather than InputfieldPassword. InputfieldPassword assumes that the password is not reversible, so it doesn't attempt to re-populate the field with it.

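The arrangement the two previous posts sketch (Ryan's InputfieldText with type=password so the value survives a config save, and teppo's idea of encrypting the stored value with a key kept outside the database), as an added example that is not code from this thread or from ProcessWire itself. Assumed: libsodium (PHP 7.2+), a placeholder key-file path, the hookable PW 2.x method Modules::saveModuleConfigData (Modules::saveConfig in 3.x), and the class and field names used here.

```php
<?php
// Added example, not from this thread or ProcessWire core. Assumes libsodium,
// a 32-byte key file outside the web root (placeholder path; create it once from
// sodium_crypto_secretbox_keygen(), mode 0600) and the hookable PW 2.x method
// Modules::saveModuleConfigData (PW 3.x: Modules::saveConfig).
class ServiceClient extends WireData implements Module, ConfigurableModule {
    const KEY_FILE = '/path/outside/webroot/serviceclient.key'; // placeholder
    const FIELD = 'service_password';
    const TAG = 'v1:'; // prefix marking values that are already sealed
    public static function getModuleInfo() { return array('title' => 'Service client', 'version' => 1, 'autoload' => true); }
    public function init() { $this->addHookBefore('Modules::saveModuleConfigData', $this, 'sealOnSave'); }
    // Seal the posted password before the JSON config row is written; an empty
    // value or one re-posted unchanged (already sealed) is left alone.
    public function sealOnSave(HookEvent $event) {
        if ($event->arguments(0) !== $this->className()) return;
        $data = $event->arguments(1);
        $plain = isset($data[self::FIELD]) ? $data[self::FIELD] : '';
        if ($plain === '' || strpos($plain, self::TAG) === 0) return;
        $data[self::FIELD] = self::seal($plain);
        $event->arguments(1, $data);
    }
    private static function key() { return file_get_contents(self::KEY_FILE); }
    // Fresh random nonce per encryption, stored in front of the ciphertext.
    public static function seal($plain) {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return self::TAG . base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, self::key()));
    }
    // Recover the clear password only at the moment the external service call needs it.
    public static function open($sealed) {
        $raw = base64_decode(substr($sealed, strlen(self::TAG)), true);
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, self::key());
        if ($plain === false) throw new WireException('Stored service password failed authentication');
        return $plain;
    }
    // Ryan's suggestion: InputfieldText with type=password is masked in the browser
    // but still re-populated, so saving other settings does not wipe the password.
    public static function getModuleConfigInputfields(array $data) {
        $inputfields = new InputfieldWrapper();
        $f = wire('modules')->get('InputfieldText');
        $f->attr('name', self::FIELD);
        $f->attr('type', 'password');
        $f->attr('value', isset($data[self::FIELD]) ? $data[self::FIELD] : '');
        $f->label = 'Service password';
        $inputfields->add($f);
        return $inputfields;
    }
}
```

As Ryan points out, anyone who can read both the database row and the key file still gets the password, so this only narrows the exposure to a database-only leak (a dumped backup, for instance) and is not a substitute for keeping the admin and the server itself locked down.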
