
Secure portal passwords

Alan Bell requested to merge alanbell/vtigercrm:secure_portal_passwords into master

This requires the user_password field in the vtiger_portalinfo table to be expanded to at least 70 characters; I set mine to 255 to accommodate the hashed password. There is a minor additional change required to the customer portal to work with this: line 50 changes from

if(strtolower($result[0]['user_name']) == strtolower($username) && strtolower($result[0]['user_password']) == strtolower($password))

to

if(strtolower($result[0]['user_name']) == strtolower($username))

In a migration script, as well as expanding the user_password field, it should generate a salted hash for the existing passwords. To do that you would do something along the lines of:

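// $rows (assumed): the existing plaintext rows read from vtiger_portalinfo
foreach ($rows as $row) {
        // bcrypt prefix with cost 11, then 22 salt characters ("+" is not in the bcrypt alphabet)
        $salt='$2y$11$'.str_replace("+",".",substr(base64_encode(openssl_random_pseudo_bytes(17)),0,22));
        $password = crypt($row['user_password'],$salt);
        // then save $password back into vtiger_portalinfo for this row
}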
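
The migration and the matching login check described above, as an added example that is not part of the merge request or of vtiger's own code. It assumes PDO with an in-memory SQLite table standing in for vtiger_portalinfo, an `id` key column, and constructed accounts; the function names are hypothetical.

```php
<?php
// Added example. SQLite in memory stands in for the vtiger database; the `id`
// column and both rows are constructed, table/column names follow the description.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE vtiger_portalinfo (id INTEGER PRIMARY KEY, user_name TEXT, user_password VARCHAR(255))');
$db->exec("INSERT INTO vtiger_portalinfo VALUES (1,'alice@example.com','constructed-pass-1'),(2,'bob@example.com','constructed-pass-2')");

// Salt built as in the description: bcrypt prefix, cost 11, 22 salt characters.
function portal_salt(): string {
    $raw = base64_encode(openssl_random_pseudo_bytes(17));
    return '$2y$11$' . str_replace('+', '.', substr($raw, 0, 22));
}
// A stored value counts as already hashed when it is a 60-character $2y$ string.
function is_bcrypt(string $stored): bool {
    return strlen($stored) === 60 && strncmp($stored, '$2y$', 4) === 0;
}
// Hash every plaintext row; hashed rows are skipped, so a re-run never double-hashes.
function migrate_portal_passwords(PDO $db): int {
    $update = $db->prepare('UPDATE vtiger_portalinfo SET user_password = ? WHERE id = ?');
    $rows = $db->query('SELECT id, user_password FROM vtiger_portalinfo')->fetchAll(PDO::FETCH_ASSOC);
    $changed = 0;
    foreach ($rows as $row) {
        if (is_bcrypt($row['user_password'])) {
            continue;
        }
        $hash = crypt($row['user_password'], portal_salt());
        if (!is_bcrypt($hash)) { // crypt() signals failure with a short "*0"/"*1" string
            throw new RuntimeException('bcrypt hashing failed for row ' . $row['id']);
        }
        $update->execute([$hash, $row['id']]);
        $changed++;
    }
    return $changed;
}
// Login check: re-hash the candidate using the stored hash as salt, compare in constant time.
function verify_portal_password(PDO $db, string $user, string $candidate): bool {
    $q = $db->prepare('SELECT user_password FROM vtiger_portalinfo WHERE lower(user_name) = lower(?)');
    $q->execute([$user]);
    $stored = $q->fetchColumn();
    return is_string($stored) && is_bcrypt($stored) && hash_equals($stored, crypt($candidate, $stored));
}

printf("first run: %d, second run: %d\n", migrate_portal_passwords($db), migrate_portal_passwords($db));
var_dump(verify_portal_password($db, 'Alice@example.com', 'constructed-pass-1')); // matching password
var_dump(verify_portal_password($db, 'alice@example.com', 'CONSTRUCTED-PASS-1')); // case now matters
```

The last call fails because the hashed comparison is case-sensitive, unlike the strtolower() comparison on the old line 50.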
