worrying password issue

graham
Veteran Member
Posts: 84
Joined: 2020-09-29 12:30

worrying password issue

Post by graham » 2020-11-17 17:45

Hi, I'm just about to do a soft launch of my first app tomorrow and came across a big issue concerning user passwords. I hadn't checked the requirements until now but have discovered that it appears just 4 characters is sufficient. So I searched the forum on how to change that. I tried changing the 4 to (whatever) in membership_profile.php, membership_signup.php, signup.php and language.php but it didn't make any difference (so I changed it back). But the thing is, you can enter a 1-digit password and it will work! The standard code should be more than 4 (or have a choice in the admin settings), but that aside, can anyone suggest a fast fix (or think of what the problem might be)?

pbottcher
AppGini Super Hero
Posts: 1635
Joined: 2018-04-01 10:12

Re: worrying password issue

Post by pbottcher » 2020-11-17 18:55

Hi,

For the signup, change the length in membership_signup.php around line 34:

if(strlen($password) < 4 || trim($password) != $password){
Any help offered comes with the best of intentions. Use it at your own risk. In any case, please make a backup of your existing environment before applying any changes.
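The line above only tests length and surrounding whitespace, and only on the signup path. As an added example (not AppGini's own code and not pbottcher's), here is a server-side policy function that could replace that check at every place a password is set. The function name, the 12-character minimum, the tiny blocklist and the sample inputs are assumptions; mbstring is assumed to be available.

```php
<?php
// Added example, not AppGini's own code: a server-side password policy intended to
// replace the length-only check `strlen($password) < 4`. The function name, the
// 12-character minimum and the short blocklist are assumptions; mbstring is assumed available.

declare(strict_types=1);

const PASSWORD_MIN_LENGTH = 12;   // assumed policy value
const PASSWORD_MAX_LENGTH = 128;  // bound the input so hashing stays cheap

// Constructed sample blocklist; load a real breached-password list in production.
const PASSWORD_BLOCKLIST = ['password1234', 'passwordpassword', '123456789012', 'qwertyuiopas'];

/**
 * Return the list of policy violations; an empty array means the password passes.
 * Call this from every path that sets a password (signup, profile, admin member
 * form, setup), because a client-side strength meter enforces nothing.
 *
 * @param string   $password  candidate password exactly as submitted
 * @param string[] $forbidden user-related strings the password must not contain
 */
function password_policy_errors(string $password, array $forbidden = []): array
{
    $errors = [];
    $lower  = mb_strtolower($password, 'UTF-8');
    $len    = mb_strlen($password, 'UTF-8');

    if (trim($password) !== $password) {
        $errors[] = 'Password must not begin or end with whitespace.';
    }
    if ($len < PASSWORD_MIN_LENGTH) {
        $errors[] = sprintf('Password must be at least %d characters long.', PASSWORD_MIN_LENGTH);
    }
    if ($len > PASSWORD_MAX_LENGTH) {
        $errors[] = sprintf('Password must be at most %d characters long.', PASSWORD_MAX_LENGTH);
    }
    if (in_array($lower, PASSWORD_BLOCKLIST, true)) {
        $errors[] = 'Password is on the list of common passwords.';
    }
    // Reject passwords that contain the username or the local part of the e-mail address.
    foreach ($forbidden as $value) {
        $value = mb_strtolower(trim((string) $value), 'UTF-8');
        if (mb_strlen($value, 'UTF-8') >= 4 && strpos($lower, $value) !== false) {
            $errors[] = 'Password must not contain your username or e-mail address.';
            break;
        }
    }
    return $errors;
}

// Usage at an assumed call site in membership_signup.php, where $username, $email
// and $password have already been read from the form. Constructed sample input:
$username = 'graham';
$email    = 'graham@example.com';
$password = 'graham2020!';   // 11 characters and contains the username: two violations

$errors = password_policy_errors($password, [$username, strstr($email, '@', true) ?: '']);
if ($errors !== []) {
    foreach ($errors as $e) {
        echo $e, PHP_EOL;   // AppGini's own error handling/redirect would go here
    }
    exit(1);
}
// Only ever store a hash of an accepted password, never the plaintext.
$hash = password_hash($password, PASSWORD_DEFAULT);
```

Whatever minimum you pick, the important property is that the same function runs on the server for signup, profile changes, the admin member form and setup; a JavaScript strength meter or a disabled Submit button can be bypassed with one edited request.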

graham
Veteran Member
Posts: 84
Joined: 2020-09-29 12:30

Re: worrying password issue

Post by graham » 2020-11-17 20:33

Hi pböttcher,
I had tried that as I said (and I tried it again after your suggestion), but no difference. A bit concerned about this because it questions the integrity of my app... hopefully it can be resolved. I think I had better post it as a bug to Ahmed. But in the meantime, any thoughts welcome.

SkayyHH
Veteran Member
Posts: 425
Joined: 2015-04-27 21:18

Re: worrying password issue

Post by SkayyHH » 2020-11-17 21:21

Hi,

please have a look at my last answer in this thread:

viewtopic.php?f=4&t=3397#p15393

I have the same challenge. Maybe you can do it. Unfortunately, I cannot :-(

graham
Veteran Member
Posts: 84
Joined: 2020-09-29 12:30

Re: worrying password issue

Post by graham » 2020-11-17 21:42

Tonight I have to prepare for the presentation of the app first thing tomorrow, so I have to wait until later tomorrow. But I am concerned about this because if it is as it appears, it's potentially a problem for everyone. Thank you SkayyHH for your comment. We have to get this straight. Hopefully I am wrong. I have reported it as a bug to Ahmed.

SkayyHH
Veteran Member
Posts: 425
Joined: 2015-04-27 21:18

Re: worrying password issue

Post by SkayyHH » 2020-11-17 22:06

Please also take a look at this link. There is another massive security problem waiting for you here: publicly accessible directories.

viewtopic.php?f=11&t=2856

Here's a solution for that. Olaf's is perfect.

graham
Veteran Member
Posts: 84
Joined: 2020-09-29 12:30

Re: worrying password issue

Post by graham » 2020-11-18 06:55

Thanks SkayyHH, I can see that there are two big problems: the password and the uploaded files. Luckily, I don't have any uploaded files in my app. All are stored in SharePoint/365. (My users add the URL links to the files in my AppGini app.) But the password is a headache. All I can do in the short term is to disable the 'reset password' link. That way, my users have to use the password I set them. Only a very short-term fix. Am I right on the password issue? If so, should we highlight this and ask Ahmed for a priority fix? Is that reasonable?

SkayyHH
Veteran Member
Posts: 425
Joined: 2015-04-27 21:18

Re: worrying password issue

Post by SkayyHH » 2020-11-18 07:26

Yes, insecure passwords are an absolute no go.

AppGini's hint on whether a password is safe or not does not work in general.

It works if I log in as a member and change the password via the "user profile". Then I have at least a hint that the password is not safe.

If I register a new member, the hint for password security is not shown, although the function is integrated in "membership_profile.php" (look at /* password strength feedback */).

The check should also be displayed here. The function is also not implemented in the setup of the installation, nor in the admin area when the superadmin changes his password.

Also, the Submit button, i.e. saving the data with the password, should be disabled if the password is not secure.

As it is, an app with AppGini cannot be used in Europe because it violates the GDPR. I have only seen this now that the app is almost finished.

I would be very grateful if Ahmed would create a secure password solution as soon as possible. Currently I do not know how to handle it. I don't really have the time or desire to rebuild my app with another tool.

I wonder how others here in the forum do it. There are some professionals here.

Many greetings, Kai

pbottcher
AppGini Super Hero
Posts: 1635
Joined: 2018-04-01 10:12

Re: worrying password issue

Post by pbottcher » 2020-11-18 07:50

I tested it on an empty system and it just works as designed. The password cannot be less than 4 characters, or, if changed, the length you put in.
But this is for the signup only, not the creation of a member through the admin interface.

a.gneady
Site Admin
Posts: 1281
Joined: 2012-09-27 14:46

Re: worrying password issue

Post by a.gneady » 2020-11-18 11:05

I've added the password strength issue as a top priority for the next release. You should see a fix in 2-3 weeks.
Regarding direct access to uploaded files if users know the link, we'll work on handling this by adding a "gatekeeper" script that checks user credentials first before allowing the download. This probably won't make it to the next release though.
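To make the "gatekeeper" idea concrete, here is an added example of such a download script. It is not AppGini's code and not the script Ahmed describes; it assumes that uploads have been moved to a directory outside the web root (the path below is an assumption), that a logged-in user is marked by a `memberID` session key (also an assumption), and that an extension allow-list is acceptable for the app. The point it demonstrates is the three checks a gatekeeper needs: the session, a traversal-proof path resolution, and a fixed Content-Type.

```php
<?php
// Added example, not AppGini's own code: serve an uploaded file only to an
// authenticated user, from a directory that the web server cannot serve directly.
// Assumptions: $uploadsDir lives outside DocumentRoot; $_SESSION['memberID'] is set
// on login; the file types listed in $allowedExt are the only ones you need.

declare(strict_types=1);

session_start();

$uploadsDir = realpath(__DIR__ . '/../private_uploads');   // assumed location, outside the web root
$allowedExt = [                                           // fixed MIME types, never sniffed from the file
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

// 1. Authentication: no session, no file. A record-level permission check
//    (may this member see the record the file belongs to?) should be layered on here.
if (empty($_SESSION['memberID'])) {
    deny(401, 'Login required');
}

// 2. Accept only a bare file name; anything with a path component or a NUL byte is rejected.
$name = (string) ($_GET['file'] ?? '');
if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
    deny(400, 'Bad file name');
}

// 3. Resolve the real path and confirm it is still inside $uploadsDir (this also
//    defeats symlinks pointing out of the directory), and that it is a regular file.
$path = ($uploadsDir === false) ? false : realpath($uploadsDir . DIRECTORY_SEPARATOR . $name);
if ($path === false
    || strpos($path, $uploadsDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    deny(404, 'Not found');
}

// 4. Serve with a Content-Type taken from the allow-list and as an attachment, so a
//    browser never renders an uploaded HTML or SVG file inside the app's origin.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($allowedExt[$ext])) {
    deny(403, 'File type not allowed');
}
header('Content-Type: ' . $allowedExt[$ext]);
header('Content-Disposition: attachment; filename="' . rawurlencode($name) . '"');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Moving the files out of the document root is what makes the gatekeeper meaningful: as long as the original upload directory is still reachable by URL, the script can be bypassed by requesting the file directly, which is exactly the problem described in the linked thread.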

graham
Veteran Member
Posts: 84
Joined: 2020-09-29 12:30

Re: worrying password issue

Post by graham » 2020-11-18 11:20

Well that's great! Thanks Ahmed, much appreciated. And no doubt it will be a bit more sophisticated than just 8 instead of 4 (for example). Once we have that, then you may have to consider 2-factor authentication because that seems to be becoming the norm?

SkayyHH
Veteran Member
Posts: 425
Joined: 2015-04-27 21:18

Re: worrying password issue

Post by SkayyHH » 2020-11-18 16:06

Thank you very much for prioritizing this!
