Gossamer Forum
Home : Products : DBMan : Customization :

Password Lookup

Hi,

I'm looking for something that will just e-mail a user's username and password to them if they've lost/forgotten it. I've seen JPDeni's unsecure and secure password lookup MODs, and I think I'm looking for a combination of the two. The MOD would read the ENCRYPTED password from the password file, and e-mail the decoded password. I suppose this is how the secure password lookup works, although that assigns a new password, which I don't want.

Basically, I need the simplicity of the unsecured password lookup, while keeping the passwords in default.pass encrypted. Also, is there a way to read the user's e-mail address from default.db or is there a reason why an extra field has to be included in the default.pass file?

I'd appreciate it if someone can help here. Thanks :)
Re: Password Lookup
As far as I know, it can't be done. Everything I've read says that, once Perl encrypts something, there is no way to decrypt it. This is why I first made the password lookup save the unencrypted password. When I found out the hard way how dangerous that was, I wrote the new lookup mod.

If anyone knows of a way to decrypt the passwords that Perl encrypts, please let me know.

If you wanted to keep the unencrypted passwords in the password file, you could look up the email address in the .db file, especially if you used the userid as the $db_key field. (It could be done if you didn't use the userid as the $db_key, but it's a little messier.)

The advantage to having the email address within the password file is that a user might forget his password before he enters his record.


------------------
JPD





Re: Password Lookup
Hi,

Thanks for your response :) I like your secure password lookup, but can you suggest an easy hack to let a new user choose their password when they register? I know that this will not ensure the validity of the e-mail address, but I want the users to be able to log in without having to check their e-mail. Thanks :)
Re: Password Lookup
I can probably do that. You understand that, if they lose their email address, they will have to check their email.

Change the mod as follows:

In sub signup, change

Code:
#### Following lines deleted for secure_password_lookup mod
# unless ((length($in{'pw'}) >= 3) and (length($in{'pw'}) <= 12)) {
# $message = "Invalid pw: '$in{'pw'}'. Must be less then 12 and greater then 3 characters.";
# }

to

Code:
unless ((length($in{'pw'}) >= 3) and (length($in{'pw'}) <= 12)) {
$message = "Invalid pw: '$in{'pw'}'. Must be less then 12 and greater then 3 characters.";
}

Delete:

Code:
#### Following line added for secure_password_lookup mod
$in{'pw'} = &generate_password;

Delete from

Code:
#### Following fifteen lines added for secure_password_lookup mod
open (MAIL, "$mailprog") || &cgierr("Can't start mail program");

through

Code:
close (MAIL);

In sub html_signup_form, add a field for the password:

Code:
<tr><td><Font face="Verdana, Arial, Helvetica" Size=2 Color=#003399><b>User ID:</b></FONT></td>
<td><input type="PASSWORD" name="pw" value="$in{'userid'}"></td></tr>

Change the wording in sub html_signup_form and sub html_signup_success.

This should do it.


------------------
JPD





Re: Password Lookup
Hi JPD,

Thanks for the patch :) Now, has anyone tried coming up with a script that will convert a pre-JPD default.pass file into one with the e-mail address field? I suppose it should go through each line, find the corresponding username in default.db, write the e-mail address that goes with that record (writing nothing for any usernames without records), and go on to the next record. Sounds confusing? The reason I need this is because I already have over 400 users with records. I guess I could also modify the MOD to read the e-mail from the default.db file, but this sounds complicated as well. Any suggestions? Thanks :)
Re: Password Lookup
When I've had things like this to do, I've done the editing by hand in a text editor. My concern is that, for a one-use script, it will take longer to write and debug the script than it would to do it by hand.

I'll give it a try, though.

This will be a stand-alone script -- not part of DBMan. You'll need to save it as password_fix.pl in the same directory as DBMan. Be sure to upload in ASCII mode and set your permissions to 755.

Code:
#!/usr/bin/perl
# Change the above line to reflect the path to Perl on your system.

$db_script_path = ".";

require "default.cfg"; # Change this to match your .cfg file, if needed

# Change this to the position of the email field in your database
# (fields are counted from 0, the same way $auth_user_field is).
$email_fieldnum = 0;

# Read the whole password file into memory.
open (PASS, "<$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
if ($db_use_flock) { flock(PASS, 1); }
@passwds = <PASS>;
close PASS;

foreach $pass (@passwds) {
    next if ($pass =~ /^$/); # Skip blank lines.
    next if ($pass =~ /^#/); # Skip Comment lines.
    chomp ($pass);
    ($userid, @rest) = split (/:/, $pass);

    # Look the userid up in the .db file to find the matching email address.
    open (DB, "<$db_file_name") or &cgierr("error in password_fix. unable to open db file: $db_file_name.\nReason: $!");
    if ($db_use_flock) { flock(DB, 1); }
    @lines = <DB>; # Slurp the database into @lines..
    close DB;
    DATA: foreach $line (@lines) {
        @data = &split_decode($line);
        if ($data[$auth_user_field] eq $userid) {
            $email = $data[$email_fieldnum];
            last DATA;
        }
    }
    # Old password line, with the email address added as a new last field.
    $output .= "$pass:$email\n";
}

$new_password_file = $db_script_path . "/fixed.pass";

open (PASS, ">$new_password_file") or &cgierr ("unable to open: $new_password_file.\nReason: $!");
if ($db_use_flock) {
    flock(PASS, 2) or &cgierr("unable to get exclusive lock on $new_password_file.\nReason: $!");
}
print PASS $output;
close PASS;
1;

You'll also need to copy sub split_decode from the db.cgi script and put it into this one.

What this should do is create a new file -- fixed.pass -- that has the old password information plus the email addresses. I haven't tested it except to check for syntax errors, which is why I did not have it rewrite your .pass file. Once you run it, take a look at your .pass file and make sure things are correct. If they are, you can delete the old .pass file and rename fixed.pass.

To run the script, use the same url as you would use for DBMan, except, use

password_fix.pl

instead of

db.cgi.


------------------
JPD







[This message has been edited by JPDeni (edited April 03, 2000).]
Re: Password Lookup
Carol-

You are awesome :) I will test these out tomorrow, and let you know of the results. Thanks for everything!
Re: Password Lookup
Hi Carol,

I tried the password_fix.pl and it takes a couple of minutes and just prints out "output" in the fixed.pass file. My pass file is only 28k big, so that seems pretty long. Any ideas? BTW, if any other users are also trying this out, I also needed to add sub get_date from db.cgi

Thanks!
Re: Password Lookup
Well, I see why it only printed out "output" into your file. I made another typo! :)

Code:
print PASS output;

should be

Code:
print PASS $output;

Realize that, for each name in your .pass file, the script must open the .db file, read all through all of the records and see if there is a match. It might seem a little long, but I'm not terribly surprised.

(I'll fix my typo so others won't have the same problem.)


------------------
JPD





Re: Password Lookup
Hmm, something's not quite right. A lot of the e-mail addresses are being repeated many times (10-15) for users they don't belong to. To clarify, there is still only one e-mail address for each line, but the same e-mail address is repeated on the next line, and the next line, etc. Then after about 10-15 lines, it changes to another e-mail address. Thanks.
Re: Password Lookup
Could these be users who do not have an email address in the .db file?

If so, I think you can fix this by adding

Code:
$email = "";

after

Code:
foreach $pass (@passwds) {



------------------
JPD





Re: Password Lookup
You got it Carol! I was thinking that it wouldn't be a problem because I require an e-mail address, but I keep on forgetting that people with logins don't always make a profile! :) BTW, I think there are a few tiny errors in your sub html_signup_form modified code:

Code:
<tr><td><Font face="Verdana, Arial, Helvetica" Size=2 Color=#003399><b>User ID:</b></FONT></td>
<td><input type="PASSWORD" name="pw" value="$in{'userid'}"></td></tr>
Should be:
Code:
<tr><td><Font face="Verdana, Arial, Helvetica" Size=2 Color=#003399><b>Password:</b></FONT></td>
<td><input type="PASSWORD" name="pw" value="$in{'pw'}"></td></tr>

I'll let you know how the whole process goes. Thanks :)
Re: Password Lookup
If I keep trying, I usually can find what I did wrong. :)

Thanks for noticing the error in the form. I just put those things in to keep people on their toes. (I wish!! )

Please do let me know how it works out.
Re: Password Lookup
Hi Carol,

Everything is up and running perfectly! I should point out that some of the records in the default.pass printed out two "::" before the e-mail field, so anyone using the script Carol provided should double-check to make sure everything's okay after the conversion. I also opted to leave in the mailer code, so the script sends the user an e-mail with their login info, even though they just specified it. I did this so users wouldn't have to request a new pass, but instead refer back to the e-mail, and also as a reminder to create a record if they haven't done so. Everything looks great Carol - thanks for all your help! :)
Re: Password Lookup
Could you post the finished mod in the resource centre please?

Ben
Re: Password Lookup
Mark, about the two "::" before the email addresses -- don't delete them without being absolutely certain that's what you want to do. Often when DBMan writes to the .pass file, if the value is "0" nothing is printed. It could be that these are lines where there is no admin permission. If you eliminate one of the ":" and an email address is there, you have just given that person admin permission on your database.


------------------
JPD
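The password_fix.pl conversion, the per-record `$email = ""` reset and the "::" admin-field warning from this thread, carried into one added example that is not DBMan's or JPDeni's code: it reads the .db file once into a lookup table instead of once per user, and reports every converted line whose admin field is empty so nobody "fixes" it by deleting a colon. The record layouts (userid:crypted_pw:view:add:delete:modify:admin for .pass, "|"-delimited .db records) and the field positions are assumptions, and the sample records are constructed.

```python
# Added example, not DBMan's or JPDeni's code. Assumed layouts: a .pass record
# is userid:crypted_pw:view:add:delete:modify:admin; a .db record is
# DB_DELIM-separated with the userid and e-mail at the positions below.
AUTH_USER_FIELD = 0   # assumed position of the userid in a .db record
EMAIL_FIELD = 2       # assumed position of the e-mail in a .db record
DB_DELIM = "|"        # assumed .db delimiter

def build_email_index(db_lines):
    """Read the .db file once and map userid -> e-mail (first match wins)."""
    index = {}
    for line in db_lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split(DB_DELIM)
        if len(fields) > max(AUTH_USER_FIELD, EMAIL_FIELD):
            index.setdefault(fields[AUTH_USER_FIELD], fields[EMAIL_FIELD])
    return index

def add_email_column(pass_lines, email_index):
    """Append ':e-mail' to each .pass record without touching the original
    fields, so an admin field DBMan wrote as empty (its way of writing 0)
    stays empty instead of being silently dropped or filled in."""
    out = []
    for line in pass_lines:
        if not line.strip() or line.startswith("#"):
            out.append(line)
            continue
        record = line.rstrip("\n")
        userid = record.split(":", 1)[0]
        # Looked up fresh for every record: a login with no .db record gets
        # "", never the previous user's address (the repeat bug in the thread).
        email = email_index.get(userid, "")
        out.append(f"{record}:{email}\n")
    return out

def empty_admin_fields(fixed_lines):
    """Return userids whose converted line has an empty admin field (the '::'
    before the e-mail). Deleting one of those colons would grant admin."""
    flagged = []
    for line in fixed_lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split(":")
        if len(fields) == 8 and fields[6] == "":
            flagged.append(fields[0])
    return flagged

# Constructed sample data, not a real DBMan installation.
DB_SAMPLE = ["mark|Mark|mark@example.com\n", "carol|Carol|carol@example.com\n"]
PASS_SAMPLE = ["mark:abXyZ12345678:1:1:0:1:\n",    # admin 0, written as empty
               "carol:xyABC98765432:1:1:1:1:1\n",  # admin 1
               "ben:qwERT11111111:1:1:1:1:\n"]     # has a login, no .db record
```

Read default.pass and default.db with readlines(), write the list add_email_column() returns to fixed.pass, and review every userid empty_admin_fields() reports before renaming the file over the old one.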





Re: Password Lookup
Wow Carol, you were absolutely correct! Good thing you pointed that out or else 5 of my users could have done whatever they wanted with the DB. Thank you so much...again! ;)
Re: Password Lookup
I'm really glad you mentioned it. If someone else comes along later and reads this thread, he or she might think the same thing. If you hadn't mentioned it, I wouldn't have been able to warn people about it.

It's so great when we all work together!! :)


------------------
JPD