Password providers and user registration - help! :-)

Vote:
 

I've been looking into the use of a passwordprovider that is more secure than plan text. I've now added the recommended entries in my web.config file and the system should now be set up to use MD5 security. But now I'm kind of lost, because the SDK or Programmers guide sais nothing about what I need to to now. Do I need to call the EncryptPassword() method explicitly when registering a new user, or is this handled by StarCommunity for me? The programmers handbook mentions something about writing some methods for passwordhandlers, but I understand that info is only when I write my own custom handler?

In my code behind i use the following code to register a user (Very abbrevated!)

IUser user = (IUser)StarCommunitySystem.CurrentContext.DefaultSecurity.NewUser;
Regex passwordRegex = new Regex(@"(?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*");
if(passwordRegex.IsMatch(tbPassword1.Text))
{
    if (tbPassword1.Text == tbPassword2.Text)
    {
        user.PassWord = tbPassword2.Text;
    }
}

-----------------------------

I thew in that regex for your enjoyment. It's a kickass "secure" password regex if anyone needs it. Rules:

  • minimum en stor bokstav (A-Z)
  • minimum en liten bokstav (a-z)
  • minimum ett tall (0-9)
  • minimum ett spesialtegn (!"#¤%&/=?*^)
  • Passordet må være minimum 6 tegn
  • #24672
    Oct 03, 2008 11:37
    Vote:
     

    Hi Marius!

    Actually you don't have do anything, the system will call the method for you. But keep in mind that if you have old users that registered before you set the new default provider, these users will continue to use the previous provider. This is because along with each user the system stores what provider to use.

    But you can update the provider used for a user, by setting this property on the user:

    user.PasswordProvider = 
    StarSuite.Security.PasswordProviderHandler.GetPasswordProvider(
    typeof(StarSuite.Security.HMACMD5PasswordProvider));

    However if you want to have an even more secure system, I recommend you to use:

    StarSuite.Security.HMACSHA256PasswordProvider 

    Hope this helps!

    //Tom

    #24729
    Edited, Oct 06, 2008 15:49
    Vote:
     

    Thanks!

    Clearified most of my concerns there.

    //marius

    #25212
    Edited, Oct 15, 2008 11:05
    This thread is locked and should be used for reference only. Please use the Legacy add-ons forum to open new discussions.