IPS4 and Market PHP hash fix (#727)

Force bcrypt 2y for PHP apps

2b isn't supported by older versions of PHP supplied by e.g. Ubuntu
14.04. 2a is insecure.

Remove plaintext warning

No services store plaintext passwords anymore.

Switch form to password field

services/forms.py

@@ -22,7 +22,7 @@ class FleetFormatterForm(forms.Form):
 
 
 class ServicePasswordForm(forms.Form):
-    password = forms.CharField(label=_("Password"), required=True)
+    password = forms.CharField(label=_("Password"), required=True, widget=forms.PasswordInput())
 
     def clean_password(self):
         password = self.cleaned_data['password']

services/modules/ips4/manager.py

@@ -48,7 +48,7 @@ class Ips4Manager:
 
     @staticmethod
     def _gen_pwhash(password):
-        return bcrypt.using(ident='2a').encrypt(password.encode('utf-8'), rounds=13)
+        return bcrypt.using(ident='2y').encrypt(password.encode('utf-8'), rounds=13)
 
     @staticmethod
     def _get_salt(pw_hash):

services/modules/market/manager.py

@@ -38,7 +38,7 @@ class MarketManager:
 
     @staticmethod
     def _gen_pwhash(password):
-        return bcrypt.encrypt(password.encode('utf-8'), rounds=13)
+        return bcrypt.using(ident='2y').encrypt(password.encode('utf-8'), rounds=13)
 
     @staticmethod
     def _get_salt(pw_hash):

stock/templates/registered/service_password.html

@@ -14,7 +14,6 @@
         <div class="container-fluid">
             <div class="col-md-4 col-md-offset-4">
                 <div class="row">
-                    <p>{% trans "Passwords are stored as plain text. Don't re-use another password." %}</p>
                     <form class="form-signin" role="form" action="" method="POST"
                           onsubmit="submitbutton.disabled = true; return true;">
                         {% csrf_token %}