Does anyone know how PageKit CMS stores the admin password? I've installed it, created the account and then the password is wrong. In the database the password is hashed so I have to decrypt it or create another one using the same cryptography method.
NB: The reset password link is useless as I don't have mailing on this server.
The password is:
$2y$10$74yJFPijNzIA0ZJY4Ggy5eCRzRMhaCuj2Xw2S8fvd1yE9zZrxRU0y
and it's supposed to be "testtest".
The "password" looks like bcrypt format, and that is a hash, not encryption. The difference is that a hash is one-way, that is, non-reversible. The only choices are to run a password cracking program (but the chances of success are really bad), update the password hash if possible, or re-install.
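The "update the password hash" option from the answer above, as an added PHP example that is not part of the original thread. It assumes the CMS verifies standard `$2y$` bcrypt hashes, which the stored format suggests but the thread does not confirm; the function name and the replacement password are placeholders.

```php
<?php
declare(strict_types=1);

/**
 * Produce a replacement hash with the same algorithm and cost as a stored bcrypt hash.
 * Throws if the stored value is not bcrypt, so an unrelated column is not overwritten blindly.
 * (Hypothetical helper for this example, not a PageKit function.)
 */
function replacement_bcrypt_hash(string $stored, string $newPassword): string
{
    $info = password_get_info($stored);
    if ($info['algoName'] !== 'bcrypt') {
        throw new InvalidArgumentException('stored value is not a bcrypt hash');
    }
    // Reuse the cost factor encoded in the stored hash ("10" in "$2y$10$...").
    $cost = $info['options']['cost'] ?? 10;
    return password_hash($newPassword, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Hash quoted in the question above (single quotes, so "$2y" is not interpolated).
$stored = '$2y$10$74yJFPijNzIA0ZJY4Ggy5eCRzRMhaCuj2Xw2S8fvd1yE9zZrxRU0y';

// Check the password you believe you set; a mismatch points to a typo at install time.
echo password_verify('testtest', $stored) ? "matches\n" : "does not match\n";

// New value for the admin row's password column (placeholder password, choose your own).
echo replacement_bcrypt_hash($stored, 'REPLACE-WITH-A-NEW-PASSWORD'), "\n";
```

Each run prints a different hash because bcrypt generates a fresh random salt; any of them verifies against the same password.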
I created a reset-password API, and the project uses the Yii framework, so I can't work out the type of password encoding. Please help me find the type of password encoding; the password is shown as 128 digits.
Password: 1234567
Shown in the database as:
a711df782e24d90ff59725fa2b4ba16178676506cd411ebbd8ff2360420f8f5f728b7ab09c60358c084d634a7d3363c3f733e6746154f959767f08d2f2725afa
It is hard to say, but you can try one of these:
how to php encrypt passwords to 128 character?
The beauty of encryption is that you do not decrypt it easily, so it may be hard to find the algorithm.
But actually, if you make a password reset in a project, I suppose there should also be somewhere the function for creating the passwords, so you should not guess, but find it in the project.
If I remove the Security.salt and Security.cipherSeed values, then the admin login is not working.
Configure::write('Security.salt', '');
Configure::write('Security.cipherSeed', '');
Please help.
Of course the admin login will not work. The AuthComponent needs those strings to hash the user data in the session, as well as for persisting passwords in the database.
Since you already have the passwords hashed in your database, when you submit the admin login form, it will hash the password you just sent via input and compare it with the database one to see if they match. If they do, permission is granted.
Considering that you deleted the salt, the hash will now have a different behavior compared to one with a provided salt, thus, it will output different hashes for the same input, which means permission is denied and will remain like this until you come back to the exact same salt.
When you bake a project with the cake bake command, it will generate and replace the default salts for you.
Remember, when you change these salts, every single password stored in the database will need to be rehashed, so you need to provide your users a way to do this, like a 'forgot my password' mechanism.
NOTE: This might appear as an optional step, but it is more like a "must do" configuration, and it should be done just after install. Remember that using a widely known salt is a HUGE security flaw.
I am hosting a Symfony project, and the login password for backend.php was lost.
From phpMyAdmin I see there is a salted password. What data should I use to let me log in?
I tried 123 with SHA1 for the salt field, 123abcd for the password field with SHA1, and tried to log in with the password abcd, with no luck.
Any help?
I assume you are asking about sfDoctrineGuard? If so, you can find the code for hashing a password here: http://trac.symfony-project.org/browser/plugins/sfDoctrineGuardPlugin/trunk/lib/model/doctrine/PluginsfGuardUser.class.php#L42
In the database you should see the algorithm used for hashing. By default this would be sha1, but this doesn't need to be the case. If it is sha1, the password field should indeed be the value of sha1($salt.$password). To be clear, for a salt of '123' and the password 'abcd' the value in the database should be '50360551b49f1181e06c8244402634838c1e1a99'.
Note that there can be other things preventing you from logging in too, like a user set to inactive (see the 'is_active' field).
If I understand correctly, the biggest problem with sending a password via email is that it requires the password to be stored in clear text in the database. If the DB is compromised, the attackers will gain access to all accounts.
Is there a workaround for this problem?
How can one make sending a user their password via email as safe as possible?
The simple answer is: don't. If you think your database is insecure, an email is far, far less.
If you mean that you want to send them their password when they register, then you could do that before you store it in the database.
If you mean after they have registered, the only option is to store in plaintext (again, don't do this) or make a new, random password and send them that. It is impossible to get their password from the hash, which is why it makes the password storage safer. The best option is to generate a new (temporary) password you send them, or a token giving them access to a password change system.
You may want to consider a good hashing algorithm like BCrypt that includes a salt.
I don't know if my suggestion is feasible for your scenario, but you should better keep the data hashed or encrypted and send password reset links instead of plain-text passwords.
The moment the password is in cleartext in the email, it is inherently insecure.
As such, there is no safe way to send a password in cleartext safely.
You should not be storing passwords in cleartext in your database - you should be using salted hashes. When the user enters their password, you hash it with the salt and compare to the stored hash.
When people forget their password, instead of sending passwords by email, you should send reset links backed up by expiring tokens. These would generate a temporary new password (that would expire within minutes).
You should be hashing all passwords in your database.
sha1($_POST['password'].$salt.$username);
In the case of a lost password
A user requests a password reset link, which contains a hash generated in the "user_meta" table. When the user receives this link, the hash is compared to that in the database, and the user will be able to UPDATE their current password with a new password.
The PTXT of the password is never revealed.
You only compare hashes.
Yes, there is a common workaround.
Assuming that you have your users in your database.
You send the "password reset link" containing some "key" information, like a guid. An example link is of the form:
http://your.site.com/setpassword?id=5b070092-4be8-4f4d-9952-1b915837d10f
In your database you store the mapping between sent guids and emails.
When someone opens your link, you check your database and you can find out who asks for the page - because any valid guid maps to an email. You can then safely let the user change his/her password assuming their email is not compromised.
When it comes to storing the password, you never store it in plain text; you always hash passwords, using an additional random salt to make a dictionary attack more difficult when someone breaks into your database.
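The reset-link flow described above, as an added PHP example that is not from the original answer. It goes slightly further than the answer: the link carries a random token rather than a GUID, only the token's SHA-256 hash is stored, and the token expires and is single-use. The in-memory array, function names and example host are assumptions standing in for a real table and site.

```php
<?php
declare(strict_types=1);

// Stand-in for a database table keyed by token hash (assumption for this example).
$resetTable = [];

/** Issue a reset token for $email and return the value to embed in the link. */
function issue_reset_token(array &$table, string $email, int $ttlSeconds = 900): string
{
    $token = bin2hex(random_bytes(32));       // 256 bits from the CSPRNG
    $table[hash('sha256', $token)] = [        // store only the hash of the token
        'email'   => $email,
        'expires' => time() + $ttlSeconds,
    ];
    return $token;
}

/** Return the e-mail the token maps to, or null if unknown, expired or already used. */
function redeem_reset_token(array &$table, string $token, ?int $now = null): ?string
{
    $key = hash('sha256', $token);
    if (!isset($table[$key])) {
        return null;
    }
    $row = $table[$key];
    unset($table[$key]);                      // single use, even when it has expired
    return ($now ?? time()) <= $row['expires'] ? $row['email'] : null;
}

// Constructed demonstration data.
$token = issue_reset_token($resetTable, 'user@example.com');
echo 'https://your.site.example/setpassword?id=' . $token, "\n";

var_dump(redeem_reset_token($resetTable, $token));    // first use of a valid token
var_dump(redeem_reset_token($resetTable, $token));    // replay of a consumed token
var_dump(redeem_reset_token($resetTable, 'forged'));  // token that was never issued

// After a successful redemption, store the new password hashed, never in plain text.
$newHash = password_hash('password chosen by the user', PASSWORD_DEFAULT);
```

Storing the hash of the token means a read-only leak of the table does not hand out working reset links.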
There is a workaround which is less secure than a password reset but works if it is a requirement that users are sent a password, not a reset link.
What you do is you generate a new password that contains sufficient randomness to be very hard to guess, but is also formatted in a way that it is easy for them to remember and read out (say over the phone).
Something like: xyz-xyz-xyz-nnnn where xyz is an easy-to-spell but uncommon word and nnnn is a four digit number.
Then set it up so that this is a temporary password that needs to be changed on first login.
Set the password using the same logic you would use to set a normal password, so that it is correctly salted and hashed, and then send the password plaintext via email, like so.
Dear FirstName LastName,
You requested we reset your password.
Your new password is:
insipid-mirth-nonplus-9174
You will be able to log into the system once using this password, then you will need to enter a new password.
Important Caveats
This system has some serious vulnerabilities which make it unsuitable for websites where data security is crucial. There are more than these, but these are the ones I know/can think of:
1. Unlike systems which use a password reset link, this system could be used to lock someone out of the system (assuming you use it as is) unless you either require someone to fill out identifiable information before issuing the password reset, or send an "are you sure you want to reset your password?" email first. This would entail them clicking on a link with a GUID that goes to the server; at that point they may as well be sent to the password reset form anyway.
2. Since the password is being sent plain text via email, there is a danger it can be intercepted and the password can be used. Although to be fair this is not that much different than the risk of sending a password reset link.
3. If you ignore the risks in step #1 and you don't use a sufficiently random way of generating passwords (say you use a word list of fewer than 1000 items), someone who has hacked into your server will be able to retrieve the salted password hash and then write an algorithm that generates all possible passwords and checks them against the hashed password. Not as much of a problem if you use a cryptographically complex hashing algorithm.
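An added PHP example of the xyz-xyz-xyz-nnnn scheme and of the word-list-size caveat, not part of the original answer. The function names, the eight-word sample list and the `must_change_password` field are constructed for illustration; a real deployment would load a list of thousands of words.

```php
<?php
declare(strict_types=1);

/** Build a word-word-word-nnnn password using the CSPRNG (random_int), not rand(). */
function temp_password(array $words, int $wordCount = 3): string
{
    $words = array_values($words);
    $parts = [];
    for ($i = 0; $i < $wordCount; $i++) {
        $parts[] = $words[random_int(0, count($words) - 1)];
    }
    // Four digits, zero-padded so every value from 0000 to 9999 is equally likely.
    $parts[] = str_pad((string) random_int(0, 9999), 4, '0', STR_PAD_LEFT);
    return implode('-', $parts);
}

/** Entropy in bits of the scheme when words are drawn from a list of $listSize entries. */
function scheme_entropy_bits(int $listSize, int $wordCount = 3): float
{
    return $wordCount * log($listSize, 2) + log(10000, 2);
}

// Constructed sample list, far too small for real use.
$words = ['insipid', 'mirth', 'nonplus', 'quaver', 'tepid', 'brisk', 'ochre', 'fathom'];

$plain  = temp_password($words);
$record = [
    // Same salted hashing path as a normal password; the plain text only goes in the e-mail.
    'password_hash'        => password_hash($plain, PASSWORD_DEFAULT),
    'must_change_password' => true,   // force a change on first login
];
echo "Your new password is: {$plain}\n";

// Size of the search space an attacker with the hash must cover, per list size.
foreach ([count($words), 1000, 7776] as $n) {
    printf("%5d words: %.1f bits\n", $n, scheme_entropy_bits($n));
}
```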
If you want to send the password to the user via email in cleartext and want to store the password in the database as a hash or any other format, it is possible.
You just have to follow a simple approach:
1. Take the password sent by the user as a variable.
2. When you store it in the database, convert it to whatever format you wish.
3. But when you send it to the user by mail, just send the password variable.
I think this will be helpful for building your understanding of the approach.