Make a Lasting Impression


What's your password? We don't know!

Some time ago, a user of one of my sites asked me what his password for the site was, and my reply was: "click here to change your password".


He was annoyed by this answer. He expected me to tell him "your password is...", so I had to do some public relations and explain to him:


1 - I was teaching him how to do things by himself, which is much more valuable.


2 - I didn't know his password. I didn't know the password of any user.


The second point sounds strange, but it's true. Your password is very sensitive information and we know that here at ImpressCMS, so we "hide" it in a way that no one, not even the owner of a site, can access any other person's password directly.


What's the danger?


Consider a site that doesn't protect your password properly. A hacker gains access to the site. He gets all the user data of 5,000 people, including their passwords. Of all these people, 100 have a Paypal account, and 20 of them are using the same password for both the hacked site and Paypal. 15 of them have cash in their accounts.


They are screwed.


No, we're not allowing this to happen on an ImpressCMS site if possible.


What's the trick?


ImpressCMS encrypts the password before saving it in the database, so the database doesn't contain your password, only the encrypted version. The wonder of our encrypting method is that it is easy to encrypt anything using it, but it's terribly hard to decrypt it.


So, when you log in to your site, we don't compare the password you wrote with the one we have, because we don't have any. We encrypt the password again and compare it with the encrypted version we have in the database. That's how we know you are really you, but we don't save your password anywhere.


Am I safe?


On ImpressCMS, you're as safe as we can guarantee. To be honest, we're not the only Open Source CMS that takes special care of your password, but this is actually good news. The Open Source community, despite working on free products, takes your personal data very seriously. More seriously, by the way, than some big fat NASDAQ corporations. If you have ever suffered phone spam or receive calls every day from a phone company that is not yours (it happens to me), you know what I'm talking about.


What I can tell you is that ImpressCMS developers have run "the extra mile" to offer safer encryption methods for your password. In version 1.1 we moved from old MD5 to other, much safer, methods, such as SHA.


And if time proves this is not enough, we're ready to run the extra mile again.


Best regards.
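
The store-and-compare login described above, together with a move away from MD5, as an added example that is not ImpressCMS code. It assumes a per-user salt and PBKDF2-HMAC-SHA256 as the newer SHA-based method; the function names, record layout and sample users are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def make_record(password: str) -> dict:
    """Build what gets stored: a random salt and a slow salted digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "salt": salt.hex(), "digest": digest.hex()}


def legacy_md5_record(password: str) -> dict:
    """Old-style record: unsalted MD5, present only to show the migration path."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return {"scheme": "md5", "salt": "", "digest": digest}


def _digest_for(record: dict, attempt: str) -> str:
    """Recompute the digest of a login attempt with the record's own scheme and salt."""
    if record["scheme"] == "md5":
        return hashlib.md5(attempt.encode()).hexdigest()
    salt = bytes.fromhex(record["salt"])
    return hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS).hex()


def login(users: dict, name: str, attempt: str) -> bool:
    """Compare digests in constant time; upgrade a legacy record after a good login."""
    record = users.get(name)
    if record is None:
        return False
    ok = hmac.compare_digest(_digest_for(record, attempt), record["digest"])
    if ok and record["scheme"] == "md5":
        # A successful login is the only moment the site sees the plaintext,
        # so it is the only point where an old digest can be replaced.
        users[name] = make_record(attempt)
    return ok


# Constructed sample data: two users who chose the same password.
USERS = {
    "alice": legacy_md5_record("correct horse"),
    "bob": legacy_md5_record("correct horse"),
}
```

With unsalted MD5 both sample users have identical stored digests, so one cracked entry exposes every account sharing that password; after alice logs in, her record is salted and no longer matches bob's.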

4 comments

IPF Q&A Session - Thursday January 28th 4 PM GMT -5

Hi everyone,

Join me today at 4 PM GMT -5 for an ImpressCMS Persistable Framework Q&A Session:

Topic: IPF Interactive Session
Date: Thursday, January 28, 2010
Time: 4:00 pm, Eastern Standard Time (New York, GMT-05:00)
Meeting Number: 573 783 666
Meeting Password: web123


-------------------------------------------------------
To join the online meeting (Now from iPhones too!)
-------------------------------------------------------
1. Go to https://inbox.webex.com/inbox/j.php ... MxMQ%3D%3D
2. Enter your name and email address.
3. Enter the meeting password: web123
4. Click "Join Now".

To view in other time zones or languages, please click the link:
https://inbox.webex.com/inbox/j.php ... MxMQ%3D%3D

-------------------------------------------------------
To join the audio conference only
-------------------------------------------------------
Call-in toll number (US/Canada): 1-408-792-6300

Access code: 573 783 666

 

6 comments

Make it go faster! Part 4 - Caught in a Loop

In all my previous posts, I used looping to execute actions multiple times, which saves code and also makes your program easier to read later on. But, used unwisely, loops can severely hurt speed and memory usage.

Let's take a real world example this time and see what kinds of things to look for.

1 comments

Facebook phishing attempt

I posted this on my blog yesterday and believe it could interest some of you guys here...

People are getting more and more creative when it comes to defrauding other people. And with today's Web technologies, there are 1000 ways to lure people and try to hijack their accounts, steal their money, etc... Today, I received what seems to be a normal email from Facebook. Someone named Linda asking if we knew each other:

Linda sent you a message. (no subject) Hi, have we met ever before? Linda Thanks, The Facebook Team

Cool, a new friend! However, I saw the scam 1 second later. After the message from Linda, the following was displayed:

To reply to this message, follow the link below: http://facebook-reply.mountadamajan ... tml-h1.htm

Read the full article here.

2 comments

Someday, Google cache will save your ass

You've got a site. A nice website. A page you haven't touched in weeks needs a change, so you go for it. You edit the content, click on save... NO, WAIT! Oh, crap! You totally screwed it!

OK, before anything else, DON'T PANIC! There's a backup somewhere, you can download a 500 Mb daily or weekly backup, open it, get the database, install it on your own computer using XAMPP or something like that, access the database using phpMyAdmin, locate the table where your content is saved, search for the appropriate row, then...

Agh, forget it, too complicated. You better look for it in Google's cache. You go to Google's Search and look for a copy of your page:

 

 

Google will show you a copy of your page as it was a week before, two weeks before or even a month before. But there it is. Just copy your content, go back to your website, and paste it.

That's it, Google cache saved your ass. And it was fast and easy.

1 comments