
4.0 - Login Handlers


Mark

Login Handlers are the different methods for logging into the IPS Social Suite. We currently support:

  • "Internal", which is for accounts created natively through the suite.
  • Facebook
  • Twitter
  • Microsoft (this is currently referred to as "Windows Live", though they rebranded to "Microsoft Account" a short while ago)
  • LDAP
  • "IPS Connect", which is our SSO solution for connecting your site with other IPS Social Suite installations or third-party applications.
  • A generic handler for any MySQL database you have access to.

In 4.0 we've made a number of changes to the Login Handlers which I wanted to mention.



Improved Password Hashing

We currently use a salted md5 hash for storing passwords. md5 has been a popular choice for password hashing for years; however, it is a general-purpose hash, not a password hashing function, and it is far from the most secure option.

md5 is designed to be computationally efficient (generating a hash is quick). The problem with this is that if a server were ever compromised to the point that someone obtained a database of md5-hashed passwords, they could hash candidate strings repeatedly until one matched and so recover the password. One particularly well-known cracking program claims about 5.6 billion md5 hashes per second on a relatively modern GPU. Even with our current scheme, which applies md5 more than once and includes a salt, this means that an 8-character password using only alphanumeric characters could be recovered in about 3 days.

While I'm unaware of any cases of this actually happening, we want to make sure that our products are as secure as they can be. For this reason, in 4.0 we're migrating to bcrypt, the Blowfish-based password hash that PHP's crypt() exposes as CRYPT_BLOWFISH. Unlike md5, bcrypt is deliberately slow and has a tunable work factor, so even if your database were ever compromised, every guess costs an attacker many orders of magnitude more work than it does today.
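As an added example (my code, not IPS's, and it implies nothing about how the 4.0 code base does this): bcrypt through PHP's crypt() with the CRYPT_BLOWFISH prefix, next to the legacy salted-md5 check, with the upgrade-on-login migration that the comments below ask about. It assumes the 3.x scheme is md5(md5(salt) . md5(password)), which is my reading of "multi-level hashing and a salt"; the row fields pass_salt, pass_hash and pass_bcrypt, the cost of 12 and the sample user are made up for the illustration.

```php
<?php
// Added example, not IPS code: bcrypt via PHP's crypt() CRYPT_BLOWFISH, plus
// transparent upgrade of legacy salted-md5 hashes the first time a user logs in.
// Assumptions: the legacy 3.x hash is md5(md5(salt) . md5(password)) (my reading
// of "multi-level hashing and a salt"); field names and cost are made up.

define('BCRYPT_COST', 12); // 2^12 key-setup rounds; raise as hardware gets faster

// Constant-time string comparison; hash_equals() only exists from PHP 5.6.
function ct_equals($a, $b) {
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// 22-character bcrypt salt over the ./A-Za-z0-9 alphabet, from 16 random bytes.
function bcrypt_salt() {
    $bytes = openssl_random_pseudo_bytes(16, $strong);
    if ($bytes === false || !$strong) {
        throw new RuntimeException('no CSPRNG available');
    }
    return substr(strtr(base64_encode($bytes), '+', '.'), 0, 22);
}

// Hash a password with bcrypt. The "$2y$" prefix needs PHP >= 5.3.7; earlier 5.3
// releases only offer the buggy "$2a$" implementation, so refuse rather than
// emit weak hashes.
function bcrypt_hash($password, $cost = BCRYPT_COST) {
    if (version_compare(PHP_VERSION, '5.3.7', '<')) {
        throw new RuntimeException('PHP >= 5.3.7 required for $2y$ bcrypt');
    }
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, bcrypt_salt()));
    // crypt() signals failure with a short string such as "*0"; never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt failed');
    }
    return $hash;
}

// The cost and salt are embedded in the stored hash, so crypt() re-derives them.
function bcrypt_verify($password, $hash) {
    return ct_equals(crypt($password, $hash), $hash);
}

// Legacy 3.x check (assumed scheme). md5(salt) is fixed per user, so an attacker
// pays only two md5 calls per guess: this is why the GPU estimate above is so low.
function legacy_verify($password, $salt, $hash) {
    return ct_equals(md5(md5($salt) . md5($password)), $hash);
}

// Login that upgrades the stored hash on the first successful legacy login. The
// plaintext is only available at login time, so a bulk upgrader cannot do this.
// $member is the user's row; pass_hash / pass_salt / pass_bcrypt are made-up fields.
function login(array &$member, $password) {
    if (isset($member['pass_bcrypt'])) {
        return bcrypt_verify($password, $member['pass_bcrypt']);
    }
    if (!legacy_verify($password, $member['pass_salt'], $member['pass_hash'])) {
        return false;
    }
    // Legacy hash matched: rehash now and drop the md5 material from the row.
    $member['pass_bcrypt'] = bcrypt_hash($password);
    unset($member['pass_hash'], $member['pass_salt']);
    return true;
}

// Constructed sample row in the legacy format for the password "correct horse".
$salt   = 'aB3fz';
$member = array(
    'name'      => 'alice',
    'pass_salt' => $salt,
    'pass_hash' => md5(md5($salt) . md5('correct horse')),
);

var_dump(login($member, 'wrong password'));   // row is left untouched on failure
var_dump(login($member, 'correct horse'));    // first legacy success: row is rehashed
var_dump(isset($member['pass_hash']));        // the md5 material is gone from the row
var_dump(login($member, 'correct horse'));    // subsequent logins verify against bcrypt
```

Cost 12 means 2^12 Blowfish key-setup rounds per hash; pick the highest cost your login latency budget tolerates. Because the cost is stored inside the $2y$ string, raising it later only affects new hashes and rehashed logins, and old hashes keep verifying. The 60-character length check matters: a malformed salt makes crypt() return a short failure string such as "*0", which would otherwise be written to the database as the "hash", and before PHP 5.3.7 the "$2a$" implementation mishandled passwords containing non-ASCII bytes, which is why the example insists on "$2y$".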


New Login Handlers

In addition to the Login Handlers mentioned above, we've added support for Google and LinkedIn.


Improved Facebook and Twitter support

Currently, although you can log in with Facebook and Twitter, they're not treated on the back-end as true Login Handlers. This is because of how Login Handlers in 3.x were designed (which was before such third-party login services were popular): they assumed you would enter a username (or email) and password directly into a form, and so didn't accommodate the redirect-based OAuth login flow.

Since we've rewritten the way Login Handlers are designed, this means we can treat Facebook and Twitter (and Google and LinkedIn which both also use OAuth) exactly the same as the rest.

Practically, this means you'll see Facebook and Twitter in the Login Handlers section of the Admin CP, and manage them as you would any other login method.


Updated Microsoft Support

Microsoft now supports OAuth for login, so we've updated our handler to use it. Besides being necessary for when they stop supporting the old method, it's much easier for the administrator to set up.




User Feedback




It would be cool if people were prompted to add a local password for the forums too while they register via Facebook and Twitter!


For this reason, in 4.0, we're migrating to Blowfish. Blowfish is a more cryptographically secure technique for generating hashes that is deliberately slow, meaning that even if your database were ever compromised, the passwords will still be secure.

Superb.  Will definitely discourage hackers from even bothering, if their efforts won't be easily/quickly rewarded.


More development work for me to support Blowfish for 4.x for game board-service! One of the other boards I've added custom authentication to also opted to use a more powerful hashing method than md5. This is the case for Modx, which uses PBKDF2. Took me a while to get the password matched though. But nice to see that IPB is using a stronger password hashing method. :)


How will blowfish be migrated? first login the hash will be changed or only new members will use blowfish?


How will blowfish be migrated? first login the hash will be changed or only new members will use blowfish?

I imagine it will get switched over as people login (existing members).  It's the best way that makes the most sense.


I imagine it will get switched over as people login (existing members).  It's the best way that makes the most sense.

 

There's a better way that doesn't involve maintaining old hashes and a legacy algorithm forever... you lay the new one on top of the old, and run all of the existing hashes through the added method. I don't know what they have planned, though.

 

I'm glad to hear this is changing. Any particular Blowfish variant?


Great! It really bothered me when reading IPB 3! Exciting to get my hands on the 4.0 beta! (Please release it soon!@#$#$ ;) otherwise what will I have to do in my university lessons? :P)


0.o....

Is Google going to be 'integrated' in the manner FB/Twitter are (photo, status)? (I smell a free mod dead....)

Regardless, very nice, many things handled here oft-requested.


STEAM.

 

Please consider adding native support for Steam login too. It's the de facto game platform on PC and I see more and more gaming sites popping up with IP.Board as their 'CMS'. Many gaming-oriented forum visitors do not like linking their online alias with their real-world identity (i.e. Facebook, Google+, Microsoft or Twitter).


 

:sad:

 

Though your point about placing one on top of the other is indeed the best way to do it, the upgrader would need to loop through every record and encode it with Blowfish - because Blowfish is deliberately slow, this would take literally days if you had any significant number of members, so this is the only way to do it ;)

 

 

0.o....

Is Google going to be 'integrated' in the manner FB/Twitter are (photo, status)? (I smell a free mod dead....)

Regardless, very nice, many things handled here oft-requested.

 

So far we've only done logins. I don't know if we'll add syncing in the same way we do for Facebook/Twitter yet.

 

Wait, you mean using Blowfish via Bcrypt or just Blowfish?

http://php.net/crypt CRYPT_BLOWFISH

 

What about two factor authentication?

 

If you mean with regards to Google, yes, our implementation supports it. If you mean generally - multi-factor authentication is something we'd like to add to the IPS Social Suite, but we don't have any announcements to make about that right now.


STEAM.

 

Please consider adding native support for Steam login too. It's the de facto game platform on PC and I see more and more gaming sites popping up with IP.Board as their 'CMS'. Many gaming-oriented forum visitors do not like linking their online alias with their real-world identity (i.e. Facebook, Google+, Microsoft or Twitter).

 

It's for a gaming niche though - I doubt that IPS will have it built into the software, but Steam use OpenID... would be easy for a module to be made. ;)

 

Not saying I wouldn't like it built in, but I can't see it happening.


Though your point about placing one on top of the other is indeed the best way to do it, the upgrader would need to loop through every record and encode it with Blowfish - because Blowfish is deliberately slow, this would take literally days if you had any significant number of members, so this is the only way to do it ;)

 

...You raise a very good point. That hadn't even occurred to me. Very well, carry on.


There's a better way that doesn't involve maintaining old hashes and a legacy algorithm forever... you lay the new one on top of the old, and run all of the existing hashes through the added method. I don't know what they have planned, though.

Honestly I think the best way will be to force reset all passwords (set them all to blank so they HAVE to be reset); that way there are no traces of the old-style hashes, which would make attacking the database completely useless.


Is there a reason you opted not to use the new built-in password_hash() method in PHP? There's a library that provides compatibility to older versions: https://github.com/ircmaxell/password_compat

 

Because password_hash requires PHP 5.5, whereas crypt works on 5.3 (our minimum supported version) without requiring any additional libraries.


Why would you use encryption for the password as opposed to a hash such as SHA-2 (or even SHA-3)? The guy who created Blowfish said in 2007 that he is amazed people are still using it and that he recommends Twofish instead.


Why would you use encryption for the password as opposed to a hash such as SHA-2 (or even SHA-3)? The guy who created Blowfish said in 2007 that he is amazed people are still using it and that he recommends Twofish instead.

 

Blowfish is more than just an encryption algorithm. There are a number of variants which provide high-cost (= high-security) one-way hashing, and PHP's crypt implementation uses one of them. This is much better for the purpose than even SHA-2 or -3, which are built for generic hashing and not for password storage.



