From bc29ff5567beead508ea551b424c53c91a40d000 Mon Sep 17 00:00:00 2001 From: Carl Schwan Date: Tue, 5 Jul 2022 11:25:44 +0200 Subject: Handle one time and large passwords For passwords bigger than 250 characters, use a bigger key since the performance impact is minor (around one second to encrypt the password). For passwords bigger than 470 characters, give up earlier and throw exeception recommanding admin to either enable the previously enabled configuration or use smaller passwords. This adds an option to disable storing passwords in the database. This might be desirable when using single use token as passwords or very large passwords. Signed-off-by: Carl Schwan --- config/config.sample.php | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'config') diff --git a/config/config.sample.php b/config/config.sample.php index cd96f002bc9..8c916b197b6 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -318,6 +318,21 @@ $CONFIG = [ */ 'auth.webauthn.enabled' => true, +/** + * Whether encrypted password should be stored in the database + * + * The passwords are only decrypted using the login token stored uniquely in the + * clients and allow to connect to external storages, autoconfigure mail account in + * the mail app and periodically check if the password it still valid. + * + * This might be desirable to disable this functionality when using one time + * passwords or when having a password policy enforcing long passwords (> 300 + * characters). + * + * By default the passwords are stored encrypted in the database. + */ +'auth.storeCryptedPassword' => true, + /** * By default the login form is always available. There are cases (SSO) where an * admin wants to avoid users entering their credentials to the system if the SSO -- cgit v1.2.3