
OpenERP module of the day: base_crypt (or encrypting your user password in OpenERP)


This is a quick post. I found this base module which is quite useful and I wanted to share it with you. The module is base_crypt and it encrypts user passwords in the OpenERP database. By default, OpenERP stores user passwords in plain text in the password field of the res_users table. The base_crypt module encrypts all passwords with the MD5 algorithm. Below is the link for downloading the module:

http://doc.openerp.com/v5.0/technical_guide/base_crypt.html

IMHO, this module should be part of core since it is a good security practice to store passwords in encrypted form. In some places it is mandated by law. It is also a nice module to look at, checking its code is fun.

Cheers!
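The storage change described above, sketched as an added example (not base_crypt's code and not part of the original post): it migrates a constructed stand-in for the res_users table from plaintext passwords to per-user salted hashes and verifies logins against them. It assumes PBKDF2-HMAC-SHA256 from Python's standard library rather than the MD5 the module uses; the iteration count, the stored string format and the sample rows are assumptions for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

SCHEME = "pbkdf2_sha256"   # assumed label for the stored format
ITERATIONS = 200_000       # assumed work factor; tune for your hardware

def hash_password(password):
    """Return 'scheme$iterations$salt_hex$digest_hex' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%s$%d$%s$%s" % (SCHEME, ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Check a login attempt; plaintext or malformed stored values never match."""
    try:
        scheme, rounds, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(rounds))
        expected = bytes.fromhex(digest_hex)
    except (AttributeError, ValueError):
        return False
    # compare_digest avoids leaking how many leading bytes matched
    return scheme == SCHEME and hmac.compare_digest(digest, expected)

def migrate_plaintext(conn):
    """Replace plaintext values in res_users.password; return the number of rows changed."""
    changed = 0
    for user_id, password in conn.execute("SELECT id, password FROM res_users").fetchall():
        if not password or password.startswith(SCHEME + "$"):
            continue  # empty or already migrated, so the migration can be re-run
        conn.execute("UPDATE res_users SET password = ? WHERE id = ?",
                     (hash_password(password), user_id))
        changed += 1
    conn.commit()
    return changed

def demo_db():
    """Constructed sample data: a minimal stand-in for the res_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE res_users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO res_users (login, password) VALUES (?, ?)",
                     [("admin", "admin"), ("alice", "s3cret"), ("bob", "s3cret")])
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(migrate_plaintext(db), "rows migrated")
    print(db.execute("SELECT login, password FROM res_users").fetchall())
```

Because each row gets its own salt, alice and bob end up with different stored values even though they chose the same password, which is what defeats precomputed lookup tables.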

  1. March 7, 2011 at 1:07 pm

    I totally agree that this should be a part of the core application, or at least be an option in the database setup wizard! (i.e. ‘security screen’ > choose password encryption > reset password).

    I didn’t realize that they weren’t being stored as md5 at first, and when I went into the database to look around at the schema, I freaked out when I saw raw passwords just hangin out in the password column! Not used to that at all! We installed the basecrypt module right away.

    Maybe someday, for security nuts, there could be a set of modules for using PGP key signing? Especially for MRP clients who have some pretty proprietary data hanging out there. Also, folks should make sure that they learn proper webdav security before using those features in a production environment!

  2. Mike
    May 3, 2011 at 2:46 am

    MD5 isn’t encryption – it is a hash, which is an important distinction to make. Either way, there are some big problems with MD5, especially with the prevalence of extensive rainbow tables and users who use bad passwords.

    I hope this module gets updated to use SHA-X with some custom defined salt at some point in the (near) future.

    Regardless, it does what it does, and is the best publicly available solution.
