Sunday, January 29, 2012

Passwords on gRSShopper

Last night with all the indignation of the morally righteous someone wrote to me and demanded that I do exactly what they say or they would blog about how awful gRSShopper was to the world.

Let me beat him to the punch: gRSShopper is awful. I have never denied it, or claimed anything else. In fact, the most recent version is a 0.3 pre-release release.

His particular concern was that he had heard passwords were being stored as plain text. No, he didn't actually know this, he had just heard it somewhere.

Passwords are in fact stored in the database, not lying around in some plain-text file, and the database is secure and protected against access. So it's not like passwords were there for the taking, and there is no evidence whatsoever that they have ever been taken.

Despite his rudeness, though, he had a fair point about how they were stored, so last night I rewrote the logins so that passwords are encrypted when they are created, and retroactively encrypted every password in the system. This morning I also rewrote the password retrieval system so now it resets passwords instead of simply sending them (I used to encrypt passwords in the past, but actually changed it back because so many users had problems with the password reset system).

It turns out that this was not enough, and he demanded (yes, demanded, complete with bold-face commands littered throughout his emails) a better password encryption system, one like the ones used by Drupal and WordPress.

Because in principle, if someone hacked their way into the database, they could then use a brute-force algorithm to crack the passwords, at which point they would have access to - well, information stored in the database.

The concern of course is that people sometimes use the same password in other systems, and so if some hacker got into the gRSShopper database they could access other accounts that people have unwisely set up using the same password.

I'll tell you what. Here's the login system as it now exists in gRSShopper: click here

When I get some time in the future, I'll use full sha1 encryption and make it crack-proof. I'll also put the whole downes.ca and mooc.ca server onto HTTP Secure (https) so people can't pick your passwords out of wifi transmissions they're eavesdropping on (the https stuff he didn't mention but it has been on my mind for years).

Until then: either send me back the login script with the changes made (and don't forget they have to be backward compatible so they don't mess up user accounts even more than I messed them up yesterday), or give me a bit of a break.
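One way to meet the backward-compatibility requirement above, as an added example (not gRSShopper's login script and not the author's code): existing rows keep working while every account moves to a salted, iterated hash. The legacy format (an unsalted SHA-1 hex digest), the `scheme$iterations$salt$digest` record layout, the iteration count and all function names are assumptions, since the page does not describe the stored format.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to the server's CPU budget

def legacy_hash(password: str) -> str:
    """Assumed legacy storage: unsalted SHA-1 hex digest of the password."""
    return hashlib.sha1(password.encode()).hexdigest()

def kdf(secret: bytes, salt: bytes, iterations: int) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, hex encoded."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations).hex()

def new_record(password: str) -> str:
    """Record for a new or changed password: per-user random salt."""
    salt = os.urandom(16)
    digest = kdf(password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest}"

def wrap_legacy(stored: str) -> str:
    """Batch migration: strengthen an existing legacy digest in place,
    without knowing the password and without waiting for a login."""
    salt = os.urandom(16)
    return f"wrapped${ITERATIONS}${salt.hex()}${kdf(stored.encode(), salt, ITERATIONS)}"

def verify(password: str, record: str):
    """Return (ok, replacement). replacement is a fresh record to store
    when a correct login arrives on an old-format row, else None."""
    parts = record.split("$")
    if len(parts) == 4 and parts[0] in ("pbkdf2", "wrapped"):
        scheme, iters, salt_hex, digest = parts
        # A wrapped row was computed over the legacy digest, so rebuild it.
        secret = legacy_hash(password) if scheme == "wrapped" else password
        candidate = kdf(secret.encode(), bytes.fromhex(salt_hex), int(iters))
        ok = hmac.compare_digest(candidate, digest)
        stale = scheme == "wrapped" or int(iters) < ITERATIONS
        return ok, (new_record(password) if ok and stale else None)
    # Row not yet migrated: bare legacy digest.
    ok = hmac.compare_digest(legacy_hash(password), record)
    return ok, (new_record(password) if ok else None)

if __name__ == "__main__":
    row = wrap_legacy(legacy_hash("constructed-sample-pw"))  # constructed sample
    ok, replacement = verify("constructed-sample-pw", row)
    print(ok, replacement.split("$")[0])
```

The batch step covers accounts that never log in again; the login path then replaces each wrapped row with a record derived directly from the password.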

gRSShopper does not have a budget. It's something I do in spite of the wishes of my employers, not at their behest. I've paid for the web server out of my own pocket for years. I've spent a lot of my own personal time (and whatever office time I could get away with) working on it. I went through a long process to get permission to release it as open source so that if people had a problem they could fix it.

It would be great if there were some support for the project, if some foundation were to give me the sort of money they give to the grant-writing experts at Stanford and MIT, if I could devote my time to working on making open learning accessible to people instead of working on private hush-hush projects for the government. But I don't have any of that kind of support, and it's even a violation of public service conflict-of-interest guidelines to apply for it (I can't publish books either, for the same reason) so I can't.

So if you have criticisms, either ask me nicely, help me out, or use something else. Don't write to me as though I'm some sort of subordinate you can demand perform this or that task just because you say so on threat of 'exposing' what a crappy software author I am. I love getting suggestions and help. I pathologically hate being given commands or ultimatums.

Oh yeah, and if you're a foundation or some big company or whatever that would like to fund my work, I'm all ears.

6 comments:

  1. Hey Stephen. I also develop free software, and I occasionally get indignant user feedback like what you've described here. It kinda makes you not want to put your free time into it anymore. I make myself feel better by reminding myself that for every single person complaining loudly, there are probably hundreds silently (and happily) using the software. Onward!

  2. funny... i read this and wondered... what has @downes done for me lately?

    I mean... other than the daily. and the research. and... the aqueduct?

    :)

    d.

  3. Hello Stephen,
    I am not a programmer, and I hardly have the computer skills to appreciate the code you shared with us.

    However, I do get that, when I want to express my opinion about something that I want changed, what works in an open network such as ours is 1. offer at least one solution to a problem I perceive 2. ask how I can help the person who dedicates time (priceless) and money to a structure that I am using to my benefit.

    Thank you for sharing that you are open to receiving funds. I'll keep that in mind.

    I am beginning to gRaSp what this code is doing, and I find it extremely useful as a tool to connect people with each other and to integrate them into an (open) network.
    http://grsshopper.downes.ca/

  4. Thanks for this post, it is truly an example of "hugging the cactus." Apparently, even "customers" of free online learning can become accustomed to always being "right."

  5. I had no idea that some people would be so ungrateful. Thanks for your passion for free open learning.

  6. Update. Version 0.4 of this software was released with multiple plain text files containing more than 10,000 emails and plain text passwords. Security notice can be found at http://www.downes.ca/post/58827
