Does anyone know how PageKit CMS stores the admin password? I've installed it, created the account and then the password is wrong. In the database the password is hashed so I have to decrypt it or create another one using the same cryptography method.
NB: The reset password link is useless as I don't have mailing on this server.
The password is:
$2y$10$74yJFPijNzIA0ZJY4Ggy5eCRzRMhaCuj2Xw2S8fvd1yE9zZrxRU0y
and it's supposed to be "testtest".
The "password" looks like bcrypt format and that is a hash not encryption. The difference is that a hash is one-way, that is non reversible. The only choices are to run a password cracking program but the chances of success are really bad, update the password hash if possible or re-install.
If i Remove Security.salt and Security.cipherSeed value then Admin login not working.
Configure::write('Security.salt', '');
Configure::write('Security.cipherSeed', '');
Please Help
Of course the Admin login will not work. The AuthComponent needs that Strings to hash the User Data in the Session, as well for persisting passwords on the database.
Since you already have the passwords hashed on your databese, when you submit the admin login form, it will hash the password you just sent via input and compare with the database one to see if they match, if they do, permission is granted.
Considering that you deleted the salt, the hash will now have a different behavior compared to one with a provided salt, thus, it will output different hashes for the same input, which means permission is denied and will remain like this until you come back to the exact same salt.
When you bake a project with the cake bake command, it will generate and replace the default salts for you.
Remember, when you change this salts, every single password stored in the database will need to be rehashed, then you need to provide your users a way to do this, like a 'forgot my password' mechanism.
NOTE: This might appear as a optional step, but it is more like a "Must do" Configuration, and it should be done just after install. Remember that using an wide know Salt is a HUGE security flaw.
If I understand correctly, the biggest problem with sending a password via email is that it requires the password to be stored in clear text in the database. If the DB is compromised, the attackers will gain access to all accounts.
Is there a workaround for this problem?
How can one make sending a user their password via email as safe as possible?
The simple answer is: don't. If you think your database is insecure, an email is far, far less.
If you mean that you want to send them their password when they register, then you could do that before you store it in the database.
If you mean after they have registered, the only option is to store in plaintext (again, don't do this) or make a new, random password and send them that. It is impossible to get their password from the hash, which is why it makes the password storage safer. The best option is to generate a new (temporary) password you send them, or a token giving them access to a password change system.
You may want to consider a good hashing algorithm like BCrypt that includes a salt.
I don't know if my suggestion is feasible for your scenario, but you should better keep the data hashed or encrypted and send password reset links instead of plain-text passwords.
The moment the password is in cleartext in the email, it is inherently insecure.
As such, there is no safe way to send a password in cleartext safely.
You should not be storing passwords in cleartext in your database - you should be using salted hashes. When the user enters their password, you hash it with the salt and compare to the stored hash.
When people forget their password, instead of sending passwords by email, you should send reset links backed up by expiring tokens. These would generate a temporary new password (that would expire within minutes).
You should be hashing all passwords in your database.
sha1($_POST['password'].$salt.$username);
In the case of a lost password
A user requests a password reset link, which contains a hash generated in the "user_meta" table. When the user recieves this link, the hash is compared to that in the database, and the user will be able to UPDATE their current password with a new password.
The PTXT of the password is never reveiled.
You only compare hashes.
Yes, there is a common workaround.
Assuming that you have your users in your database.
You send the "password reset link" containing some "key" information, like a guid. An example link is a form:
http://your.site.com/setpassword?id=5b070092-4be8-4f4d-9952-1b915837d10f
In your database you store the mapping between sent guids and emails.
When someone opens your link, you check your database and you can find out who asks for the page - because any valid guid maps to an email. You can then safely let the user change his/her password assuming their email is not compromised.
When it's about to store the password, you never store it in plain text, you always hash passwords, using additional random salt to make the dictionary attack more difficult when someone breaks into your database.
There is a workaround which is less secure than a password reset but works if it is a requirement that users are sent a password, not a reset link.
What you do is you generate a new password that contains sufficient randomness to be very hard to guess, but is also formatted in a way that it is easy for them to remember and read out (say over the phone).
Something like: xyz-xyz-xyz-nnnn where xyz is an easy-to-spell but uncommon word and nnnn is a four digit number.
Then set it up so that this is a temporary password that needs to be changed on first login.
Set the password using the same logic you would use to set a normal password, so that it is correctly salted and hashed, and then send the password plaintext via email, like so.
Dear FirstName LastName,
You requested we reset your password.
Your new password is:
insipid-mirth-nonplus-9174
You will be able to log into the system once using this password, then you will need to enter a new password.
Important Caveats
This system has some serious vulnerabilities which make it unsuitable for websites where data security is crucial. There are more than these, but these are the ones I know/can think of:
Unlike systems which use a password reset link, this system could be used to lock someone out of the system (assuming you use it as is) unless you either require someone to fill out identifiable information before issuing the password reset, or send a "are you sure you want to reset your password?" email first. This would entail them clicking on a link with a GUID that goes to the server; at that point they may as well be sent to the password reset form anyway.
Since the password is being sent plain text via email, there is a danger it can be intercepted and the password can be used. Although to be fair this is not that much different than the risk of sending a password reset link.
If you ignore the risks in step #1 and you don't use a sufficiently random way of generating passwords (say you use a word list of fewer than 1000 items), someone who has hacked into your server will be able to retrieve the salted password hash and then write an algorithm that generates all possible passwords and checks them against the hashed password. Not as much of a problem if you use a cryptographically complex hashing algorithm.
If you want to send password to user via Email in cleartext and want to store those password into database as hash or any other format . It will be possible.......
Just you will have to follow some simple way....
1 .you will have to take those password as variable which will send from user.
2. When you store database then just convert it as you wishes format.
3. But when you send those to user by mail , That time just sent those variable password...
I think it will be helpful to build your concept about WAY.......
I am making a update password module for an application in rails. Now the problem is that I am encrypting the password before_save, and it is required that the password be between 6 to 20, so after encryption the password becomes 64 chars, but since the encryption happens after validations, the code works. Now when I want to update the password, it may so happen that the user may not want to change his password. In such a case he leaves the password field empty, but now the form will not validate. How do i get around this?
This is the simplest approach for password management - Ruby on Rails Password Hashing Module
But I would recommend you to use Authlogic
How to encrypt SALTEDHASHED password (used by Weblogic) in java?
I need to be able to hash passwords in exactly the same way as WebLogic's authenticator does. Preferably without using WebLogic's library.
30 minutes later..
I've read some documentation and if I don't know the value of the salt I can't encrypt the password in the same way of weblogic.
So, the new question is:
where weblogic stores the value of the salt? It's unique for each password or it associated one to one?
Thanks
Where does weblogic stores the value of the salt? It's unique for each password or it associated one to one?
The value of the salt is stored in SerializedSystemIni.dat, the domain's password salt file. The salt is unique for each encrypted password. You should use weblogic.security.Encrypt...