passwords stored in clear text?

Topics: Business Logic Layer
Jan 6, 2008 at 11:43 PM
Hi,

Having just installed the blog I started creating users and noticed that all passwords are stored in clear text in users.xml. Is there any plan to encrypt these and if so, approximately how long might it take to encrypt them?
Obviously, having someone's password easily readable by someone with (physical) access to the server is less than ideal.

Otherwise, good work!
Jan 7, 2008 at 12:28 AM
Do a search, this horse has been beat dead.

There are workarounds mentioned, no plan to change from BE's side of things.
Jan 7, 2008 at 1:35 AM
Thanks ckincincy. I had done a quick search, but not a deep one. I must say that I wouldn't call this horse beaten to death though from what I have read.

In particular I liked rwmnau's suggestion in http://www.codeplex.com/blogengine/Thread/View.aspx?ThreadId=19293 which alludes to simply storing a Hashed value in the XML file. It easily keeps away prying eyes and would satisfy most installations regarding privacy. Whilst (obviously) not foolproof for a C# hacker, this would definitely be a help.

As it is, there is absolutely no chance of me being allowed to install this blog in a company-wide scenario.
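
The hashed-value idea from the post above, as an added example that is not part of the original thread and not BlogEngine.NET's own code: a one-time migration that replaces each cleartext password in a users file with a salted PBKDF2-SHA256 hash (a deliberate step up from a plain unsalted hash), plus the matching login check. The `<Users>/<User>/<UserName>/<Password>` layout, the `PasswordStore` class, the `pbkdf2-sha256$` storage format and the iteration count are assumptions, and the code targets .NET 6 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Xml.Linq;

static class PasswordStore   // hypothetical helper, not a BlogEngine.NET type
{
    const int Iterations = 100_000, SaltLen = 16, HashLen = 32;
    const string Prefix = "pbkdf2-sha256$";   // assumed marker for already-hashed entries

    // Produces "pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>" with a fresh random salt.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashLen);
        return Prefix + Iterations + "$" + Convert.ToBase64String(salt) + "$" + Convert.ToBase64String(hash);
    }

    // Re-derives the hash with the stored salt and compares in constant time.
    public static bool Verify(string password, string stored)
    {
        if (!stored.StartsWith(Prefix, StringComparison.Ordinal)) return false; // unmigrated entry
        string[] p = stored.Split('$');
        if (p.Length != 4 || !int.TryParse(p[1], out int iterations) || iterations < 1) return false;
        byte[] salt = Convert.FromBase64String(p[2]);
        byte[] expected = Convert.FromBase64String(p[3]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // One-time migration: every <Password> that is still cleartext is replaced by its hash.
    public static void Migrate(XDocument users)
    {
        foreach (XElement pw in users.Descendants("Password").ToList())
            if (!pw.Value.StartsWith(Prefix, StringComparison.Ordinal))
                pw.Value = Hash(pw.Value);
    }

    static void Main()
    {
        // Constructed sample in the assumed users.xml layout.
        var doc = XDocument.Parse(
            "<Users><User><UserName>admin</UserName><Password>s3cret!</Password></User></Users>");
        Migrate(doc);
        string stored = doc.Descendants("Password").First().Value;
        Console.WriteLine(doc);   // the file content no longer contains the cleartext password
        Console.WriteLine(Verify("s3cret!", stored) + " " + Verify("wrong", stored));
    }
}
```

Because the salt and iteration count are stored with each hash, the iteration count can be raised later and old entries re-hashed at the user's next successful login.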
Jan 7, 2008 at 1:53 AM
http://www.dscoduc.com/post/2007/12/Alternative-Membership-Provider-for-BlogEngineNet.aspx

Provides a fix for this issue.