Password Hashing Algorithm #2342
Comments
Can you elaborate on what you would like to be done here? It may be good to add a salt to the password.

I wanted it to be part of the documentation for now, and a salt would be the desired way forward. The absolute MySQL means like above should be listed for resetting purposes.

+1

@apmuthu we have a salt... it is the user_id, so each user has its own salt.

@DawoudIO the salt should not be calculable based on data in the DB. Maybe stored in config. Php

Yes, but usable as a fixed string in an SQL statement.

Sorry guys, why can't the salt be in the DB... I'm unsure of the core issue here.

Anyone with a core dump of the DB will have access to the application if the salt is in the table. Hence the salt should be in the config file. For convenience, it should be insertable into an SQL statement without having to rely on PHP functions.

@DawoudIO I was just going through a PHP application security course on Pluralsight. One of the "defense in depth" strategies mentioned is to salt sensitive data destined for the database with a salt that is not stored in the database. If SQL injection or other database compromise is exploited, this will add a layer of protection. It's not perfect, and it's not the whole solution, but it is a piece of the solution.
how about bcrypt?
http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php

The author of the Pluralsight course recommended bcrypt for this purpose.

With bcrypt, it'll be very difficult to crack even one password.
For resetting you can get the password hash using phptester or something else:
And the sql:

The idea was to use it exclusively within MySQL without having to revert to PHP, something like:

It is good to have that documented. I'm hoping to have a user reset password feature this week.
I have it running on wamp, windows 10 version, but I can't log in. I have typed the password from the database, including the 256 hash password, but no results. What gives?

It is possible that the password algorithm has changed in the meanwhile. Use the discussions in this thread to determine the current algorithm from the code.
I have wamp 3.19, php 7.2.18, apache 2.39, mysql 5.7.26, windows 10, churchCRM 4.03. I even added a new user to the mysql database and still cannot access. I edited the hashed password and saw it is "changeme", but that did not work either. I can get to the login screen, but that's where it gives me the error of wrong password and that the account is locked.

@calvodioni & @apmuthu - please don't comment on closed issues. Instead, open a new issue and reference this old one if you believe it provides context/relevance to your support need. The only thing I will add to this is that the password reset process has been documented on our wiki for a very long time: If you are still having problems, open a new issue. Please do not add any further comments to this ticket (which also means don't reply to the Github email notification too 👍🏻)
Changing a user's password in ChurchCRM v2.7.0 (and some if not all versions earlier as well) directly from the MySQL command prompt is done by:

The SHA256 hash of the plain text password concatenated with the usr_per_ID field is what is stored in the user_usr.usr_Password field.
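The scheme described above (SHA256 of the plaintext concatenated with usr_per_ID) shown beside the bcrypt approach suggested in the thread, as an added example that is not ChurchCRM's own code; the $record shape, the cost value and the upgrade-on-login flow are assumptions for illustration.

```php
<?php
// Added example, not ChurchCRM code. Assumed: usr_Password holds the hex
// SHA256 of (plaintext . usr_per_ID) for legacy rows, and a bcrypt string
// (from password_hash) for rows that have already been migrated.

/** Legacy scheme from the issue: hex SHA256 of password . usr_per_ID. */
function legacyHash(string $password, int $usrPerId): string
{
    return hash('sha256', $password . $usrPerId);
}

/** bcrypt replacement: password_hash generates a random per-hash salt. */
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]); // cost is an assumption
}

/**
 * Verify a login against either scheme. Returns [valid, newHashOrNull]:
 * when a legacy hash matches, a bcrypt hash is handed back so the caller
 * can rewrite usr_Password and retire the id-as-salt scheme on next login.
 */
function verifyAndUpgrade(string $password, int $usrPerId, string $stored): array
{
    $info = password_get_info($stored);
    if (!empty($info['algo'])) {          // recognised password_hash output (bcrypt here)
        return [password_verify($password, $stored), null];
    }
    // Legacy row: constant-time comparison of the two hex digests.
    if (hash_equals($stored, legacyHash($password, $usrPerId))) {
        return [true, modernHash($password)];
    }
    return [false, null];
}

// Constructed sample row: user 1 with the default "changeme" password.
$record = ['usr_per_ID' => 1, 'usr_Password' => legacyHash('changeme', 1)];

[$ok, $upgrade] = verifyAndUpgrade('changeme', $record['usr_per_ID'], $record['usr_Password']);
printf("legacy login ok: %s, upgrade issued: %s\n", var_export($ok, true), var_export($upgrade !== null, true));

if ($upgrade !== null) {
    $record['usr_Password'] = $upgrade;   // e.g. UPDATE user_usr SET usr_Password = ? WHERE usr_per_ID = ?
}
[$ok2, ] = verifyAndUpgrade('changeme', $record['usr_per_ID'], $record['usr_Password']);
[$bad, ] = verifyAndUpgrade('wrong', $record['usr_per_ID'], $record['usr_Password']);
printf("bcrypt login ok: %s, wrong password rejected: %s\n", var_export($ok2, true), var_export(!$bad, true));
```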