ImpressCMS Community - ImpressCMS Blog http://community.impresscms.org Make a Lasting Impression Tue, 09 Feb 2010 11:33:41 -2200 http://backend.userland.com/rss/ ImpressCMS 1.1.1 Beta 1 ImpressCMS Blog contact@impresscms.org (ImpressCMS Community - ImpressCMS Blog) en

What's your password? We don't know! http://community.impresscms.org/modules/imblogging/post.php?post_id=161
<p>Some time ago, a user of one of my sites asked me what his password for the site was, and my reply was: "<em>click here to change your password</em>".</p><br /><p>He was annoyed by this answer. He expected me to tell him "your password is...", so I had to do some public relations and explain to him:</p><br /><p>1 - I was teaching him how to do things by himself, which is much more valuable.</p><br /><p>2 - I didn't know his password. <strong>I didn't know the password of any user.</strong></p><br /><p>The second point sounds strange but it's true. Your password is very sensitive information and we know that here at ImpressCMS, so we "hide" it in a way that no one, even the owner of a site, can access any other person's password directly.</p><br /><p><strong>What's the danger?</strong></p><br /><p>Consider a site that doesn't protect your password properly. A hacker gains access to the site. He gets all user data, including their passwords, of 5,000 people. Of all these people, 100 have a Paypal account, and 20 of them are using the same password for both the hacked site and Paypal.
15 of them have cash on their accounts.</p><br /><p>They are screwed.</p><br /><p>No, we're not allowing this to happen in an ImpressCMS site if possible.</p><br /><p><strong>What's the trick?</strong></p><br /><p>ImpressCMS encrypts the password before saving it in the database, so the database doesn't contain your password, only the encrypted version. The wonder of our encrypting method is that it is easy to encrypt anything using it, but it's terribly hard to decrypt it.</p><br /><p>So, when you log in to your site, we don't compare the password you wrote with the one we have, because we don't have any. We encrypt the password again and compare it with the encrypted version we have in the database. That's how we know you are really you, but we don't save your password anywhere.</p><br /><p><strong>Am I safe?</strong></p><br /><p>On ImpressCMS, you're as safe as we can guarantee. To be honest, we're not the only Open Source CMS that takes special care of your password, but this is actually good news. <strong>The Open Source community, despite working on free products, takes your personal data very seriously.</strong> More seriously, by the way, than some big fat NASDAQ corporations. If you ever suffered phone SPAM or receive calls every day from a phone company that is not yours (it happens to me), you know what I'm talking about.</p><br /><p>What I can tell you is that <strong>ImpressCMS developers have run "the extra mile"</strong> to offer safer encryption methods for your password.
In version 1.1 we moved from old MD5 to other, much safer, methods, such as SHA.</p><br /><p><strong>And if time proves this is not enough, we're ready to run the extra mile again.</strong></p><br /><p>Best regards.</p>
Wed, 03 Feb 2010 08:22:18 -2200 http://community.impresscms.org/modules/imblogging/post.php?post_id=161

IPF Q&A Session - Thursday January 28th 4 PM GMT -5 http://community.impresscms.org/modules/imblogging/post.php?post_id=160
<p>Hi everyone,</p> <p>Join me today at 4 PM GMT -5 for an ImpressCMS Persistable Framework Q&amp;A Session:<br />Topic: IPF Interactive Session<br />Date: Thursday, January 28, 2010<br />Time: 4:00 pm, Eastern Standard Time (New York, GMT-05:00)<br />Meeting Number: 573 783 666<br />Meeting Password: web123</p> <p><br />-------------------------------------------------------<br />To join the online meeting (Now from iPhones too!)<br />-------------------------------------------------------<br />1. Go to <a href="https://inbox.webex.com/inbox/j.php?ED=139443577&amp;UID=0&amp;PW=NZTc5MzQxOTY1&amp;RT=NCMxMQ%3D%3D" rel="external">https://inbox.webex.com/inbox/j.php ... MxMQ%3D%3D</a><br />2. Enter your name and email address.<br />3. Enter the meeting password: web123<br />4. Click "Join Now".</p> <p>To view in other time zones or languages, please click the link:<br /><a href="https://inbox.webex.com/inbox/j.php?ED=139443577&amp;UID=0&amp;PW=NZTc5MzQxOTY1&amp;ORT=NCMxMQ%3D%3D" rel="external">https://inbox.webex.com/inbox/j.php ... MxMQ%3D%3D</a></p> <p>-------------------------------------------------------<br />To join the audio conference only<br />-------------------------------------------------------<br />Call-in toll number (US/Canada): 1-408-792-6300</p> <p>Access code: 573 783 666</p>
Thu, 28 Jan 2010 19:29:35 -2200 http://community.impresscms.org/modules/imblogging/post.php?post_id=160

Make it go faster!
Part 4 - Caught in a Loop http://community.impresscms.org/modules/imblogging/post.php?post_id=159
<p>In all my previous posts, I used looping to execute actions multiple times, which saves code and also makes your program easier to read later on. But, used unwisely, loops can severely hurt speed and memory usage. <br /><br /> Let's take a real-world example this time and see what kinds of things to look for.
Thu, 21 Jan 2010 00:46:06 -2200 http://community.impresscms.org/modules/imblogging/post.php?post_id=159

Facebook phishing attempt http://community.impresscms.org/modules/imblogging/post.php?post_id=158
<p>I posted this on <a href="http://malanciault.com">my blog</a> yesterday and believe it could interest some of you guys here...</p> <p>People are getting more and more creative when it comes to defrauding other people. And with today's Web technologies, there are 1000 ways to lure people and try to hijack their accounts, steal their money, etc... Today, I received what seems to be a normal email from Facebook. Someone named Linda asking if we knew each other:</p> <blockquote>Linda sent you a message. (no subject) Hi, have we met ever before? Linda Thanks, The Facebook Team</blockquote> <p>Cool, a new friend! However, I saw the scam 1 second later. After the message from Linda, the following was displayed:</p> <blockquote>To reply to this message, follow the link below: <a href="http://facebook-reply.mountadamajani.com/html-h1.htm" rel="external">http://facebook-reply.mountadamajan ... tml-h1.htm</a></blockquote> <p><a href="http://malanciault.com/web/facebook-phishing-attempt/">Read the full article here</a>.</p>
Sun, 17 Jan 2010 16:50:27 -2200 http://community.impresscms.org/modules/imblogging/post.php?post_id=158

Someday, Google cache will save your ass http://community.impresscms.org/modules/imblogging/post.php?post_id=157
<p>You've got a site. A nice website.
A page you haven't touched in weeks needs a change, you go for it. You edit the content, click on save... NO, WAIT! Oh, crap! You totally screwed it!</p> <p>OK, before anything else, DON'T PANIC! There's a backup somewhere, you can download a 500 Mb daily or weekly backup, open it, get the database, install it on your own computer using XAMPP or something like that, access the database using phpMyAdmin, locate the table where your content is saved, search for the appropriate row, then...</p> <p>Agh, forget it, too complicated. You better look for it in Google's cache. You go to Google's Search and look for a copy of your page:</p> <div class="xoopsCode">cache:<a href="http://www.yourwebsite.com/content?page=foobar" rel="external">www.yourwebsite.com/content?page=foobar</a></div> <p>Google will show you a copy of your page as it was a week before, two weeks before or even a month before. But there it is. Just copy your content, go back to your website, and paste it.</p> <p>That's it, Google cache saved your ass. And it was fast and easy.</p>
Sat, 16 Jan 2010 14:26:24 -2200 http://community.impresscms.org/modules/imblogging/post.php?post_id=157

IPF Q&A Session - Thursday January 14th 4 PM GMT -5 http://community.impresscms.org/modules/imblogging/post.php?post_id=156
<p>Hi everyone,</p> <p>Join me today at 4 PM GMT -5 (that's in 2h and 15 minutes) for our very first ImpressCMS Persistable Framework Q&amp;A Session:<br /><br />Topic: IPF Q&amp;A Session<br />Date: Thursday, January 14, 2010<br />Time: 4:00 pm, Eastern Standard Time (New York, GMT-05:00)<br />Meeting Number: 570 539 860<br />Meeting Password: web123<br /><br />-------------------------------------------------------<br />To join the online meeting (Now from iPhones too!)<br />-------------------------------------------------------<br />1.
Go to <a href="https://inbox.webex.com/inbox/j.php?ED=138350707&amp;UID=0&amp;PW=NNDg0MWNmNmVk&amp;RT=NCMxMQ%3D%3D" rel="external">https://inbox.webex.com/inbox/j.php ... MxMQ%3D%3D</a><br />2. Enter your name and email address.<br />3. Enter the meeting password: web123<br />4. Click "Join Now".<br /><br />To view in other time zones or languages, please click the link:<br /><a href="https://inbox.webex.com/inbox/j.php?ED=138350707&amp;UID=0&amp;PW=NNDg0MWNmNmVk&amp;ORT=NCMxMQ%3D%3D" rel="external">https://inbox.webex.com/inbox/j.php ... MxMQ%3D%3D</a><br /><br />-------------------------------------------------------<br />To join the audio conference only<br />-------------------------------------------------------<br />Call-in toll number (US/Canada): 1-408-792-6300<br /><br />Access code: 570 539 860</p>
Thu, 14 Jan 2010 18:49:15 -2200 http://community.impresscms.org/modules/imblogging/post.php?post_id=156

CVSDude issues solved http://community.impresscms.org/modules/imblogging/post.php?post_id=155
The issues related to the switch from group-based to role-based security seem largely solved.<br /><br />Underdog had a problem logging in, which, according to CVSDude, is linked to the SQLite backend having some problems with concurrent access.<br /><br />They are doing some tests with a PostgreSQL database at the moment, to see if that resolves these intermittent issues. No timing on that yet.<br /><br />We might experience this issue 'database locked' now and then, but it's an issue that has been there intermittently in the last few months, so it's safe to say it isn't related to the switch on 28 December 2009.<br /><br />If you have issues with CVSDude, let me know and I'll do my best to get it solved.
Mon, 11 Jan 2010 11:06:09 -2200 http://community.impresscms.org/modules/imblogging/post.php?post_id=155

ImpressCMS in 2010 http://community.impresscms.org/modules/imblogging/post.php?post_id=154
<p>I hope everyone had a nice holiday period.
Lots of stuff has been going on, so I'd like to begin the year with a quick heads-up:</p><br /><p><b>CVSDude</b> You might have noticed that Trac and Subversion access was behaving in a strange way last week. Our provider of the development infrastructure (Trac, Subversion), <a href="http://www.cvsdude.com" rel="external">CVSDude</a>, made 2 concurrent changes on 28 December. A new role-based permission system was introduced, and the support methods were changed. For our account, there was a bug in the transfer from group-based permissions to role-based permissions, which took us a little more than a week to get fixed. Many thanks to Marcan for dealing with CVSDude during his holidays. I'll be following up on CVSDude regularly (maintenance announcements, service changes, trac/svn problems) to be better prepared for such a situation in the future.</p><br /><p><b>IPF Sessions</b> Starting this year, the IPF sessions will change slightly: marcan will make a short to-the-point video session during the week. Every week, he will host a session (limited to one hour) to repeat and discuss that week's video. The sessions are currently available on YouTube: <a href="http://bit.ly/7Azxce" rel="external">http://bit.ly/7Azxce</a> The discussion sessions will be held every Thursday at 5pm (GMT-5), as that is the most popular timeframe according to the poll. The next discussion session will be held on Thursday 14 January 2010. Please mark this in your calendar.</p><br /><p><b>Development</b> <u>Release 1.2</u> Currently, a bug-fixing release 1.2.1 is in progress, the defects for which are listed at <a href="http://trac.impresscms.org/core/report/26" rel="external">http://trac.impresscms.org/core/report/26</a>. <i>An important note for developers: work on 1.2.1 is done in /core/branches/impresscms_1.2</i> <u>Release 1.3</u> Concurrently, release 1.3 has been kicked off, which is a maintenance and cleanup release.
To get this release out in time (and to be able to add cool new stuff again as soon as possible), the list of defects is limited to <a href="http://trac.impresscms.org/core/report/27" rel="external">http://trac.impresscms.org/core/report/27</a>. Because of this, commits to the core that are not linked to any of these defects will not be accepted in the trunk, and will have to be stored in a specific branch until 1.4 development kicks off. <i>Note for developers: work on 1.3 is done in the trunk.</i> Please have a look at the current defects, and assign the ones you like to yourself. If you have questions or remarks, please send them to me or Marc-André and we'll try to sort things out asap.</p><br /><p><b><u>Modules</u></b> I'm aware that the very limited scope of 1.3 can be of less interest to some developers. If you're in that situation, have a look at the modules in the addon repository. Several widely used modules in there need some tender loving care to make them fully compatible with ImpressCMS 1.2. Upgrades and improvements in that area would also be most helpful.</p>
Thu, 07 Jan 2010 12:11:41 -2200 http://community.impresscms.org/modules/imblogging/post.php?post_id=154

Myblocksadmin - follow up http://community.impresscms.org/modules/imblogging/post.php?post_id=152
<p>Now that ImpressCMS 1.2 is final, I determined I should make the necessary changes to myblocksadmin to get everything working. I previously posted some information about <a title="Getting myblocksadmin to work in 1.2" href="http://community.impresscms.org/modules/imblogging/post.php?post_id=141">blocksadmin</a> that resolved the majority of the issues, but there were still some things to finish.</p><br /><p>
Thu, 31 Dec 2009 02:22:13 -2200 http://community.impresscms.org/modules/imblogging/post.php?post_id=152

Beware of XHTML http://community.impresscms.org/modules/imblogging/post.php?post_id=151
<p>I'm not a "technology preacher".
I'm not telling you "go HTML 5" or "be strict, use XHTML" or whatever. My only advice is "make an educated choice".</p><br /><p>So, as to what's right and wrong regarding XHTML, I recommend this article.</p><br /><p><a href="http://www.webdevout.net/articles/beware-of-xhtml" rel="external">http://www.webdevout.net/articles/beware-of-xhtml</a></p><br /><p>Worth a read.</p>
Sun, 27 Dec 2009 10:02:27 -2200 http://community.impresscms.org/modules/imblogging/post.php?post_id=151