[thelist] md5 hashed password problem

Jon Molesa rjmolesa at consoltec.net
Fri Nov 7 12:01:10 CST 2008


You should be able to find where the salt string is set.  It may even be
in the configuration file for your Joomla site.  Setting it to an empty
value should in effect disable the addition of the salt.  I don't
personally use Joomla, but there may exist a setting in the config to
turn salting on or off.  If however there is nothing about salting in
the config I would be inclined to try these things if it were me:

1) Find the salt in the code and set it to an empty value.

2) Rework the login procedure to salt passwords and update them upon
first login for known unsalted accounts.  It should also verify that the
unsalted hashed password they entered is identical to the previous
unsalted md5 hash.

Number 2 would be the way I'd most likely go.  Salting passwords is an
effective way to prevent someone from running rainbow cracks against
your database in the event they gain access to the contents.  They would
also need access to the salt string.

Oh, for this reason Joomla should let you modify the salt string.
Otherwise all someone would need to defeat the salting in the event of
db compromise is to know that you're running a specific version of
Joomla.

HTH.

*On Fri, Nov 07, 2008 at 07:57:44AM -0700 Bob Meetin <bobm at dottedi.biz> wrote:

> Date: Fri, 07 Nov 2008 07:57:44 -0700
> From: Bob Meetin <bobm at dottedi.biz>
> Subject: Re: [thelist] md5 hashed password problem
> To: bobm at dottedi.biz, "thelist at lists.evolt.org" <thelist at lists.evolt.org>
> 
> Apparently yes.  See: 
> http://www.joomlaaa.com/Joomla-Articles/What-kind-of-password-encryption-used-in-Joomla-1.5.html
> 
> 
> Jon Molesa wrote:
> > Does Joomla salt the password prior to storage?
> >
> > *On Thu, Nov 06, 2008 at 01:32:30PM -0700 Bob Meetin <bobm at dottedi.biz> wrote:
> >
> >   
> >> Date: Thu, 06 Nov 2008 13:32:30 -0700
> >> From: Bob Meetin <bobm at dottedi.biz>
> >> Subject: Re: [thelist] md5 hashed password problem
> >> To: "thelist at lists.evolt.org" <thelist at lists.evolt.org>
> >>
> >> Hassan Schroeder wrote:
> >>     
> >>> <tip type="MySQL" author="Hassan Schroeder">
> >>>
> >>> MySQL password authentication changed between 4.0 and 4.1.
> >>>
> >>> For compatibility an OLD_PASSWORD function is available on 4.1 and above,
> >>> and a variable OLD_PASSWORDS = ["OFF","ON"] defines default behavior.
> >>>
> >>> If for some reason -- DB migration, consolidation of apps -- you have a
> >>> mix of old- and new-style passwords and the MySQL instance is defaulted to
> >>> the old password style, it's possible to set the OLD_PASSWORDS variable on
> >>> a per-connection basis, so as not to affect possible older clients that
> >>> need that compatibility, e.g.
> >>>
> >>>   SET OLD_PASSWORDS="OFF";
> >>>
> >>> /* Thanks to Anthony Baratta for pointing out the length difference could
> >>>    be used to determine which routine to employ.
> >>>  */
> >>>
> >>> mysql> INSERT INTO users SET user='Fred',password=PASSWORD("bananas");
> >>> Query OK, 1 row affected (0.12 sec)
> >>>
> >>> mysql> INSERT INTO users SET user='Barney',password=OLD_PASSWORD("bananas");
> >>> Query OK, 1 row affected (0.02 sec)
> >>>
> >>> mysql> SELECT * FROM users;
> >>> +----+--------+-------------------------------------------+
> >>> | id | user   | password                                  |
> >>> +----+--------+-------------------------------------------+
> >>> |  1 | Fred   | *9E303C97B1C59D393AFCCAEB156C148C1F9E0D67 |
> >>> |  2 | Barney | 0b0d276260c19cd1                          |
> >>> +----+--------+-------------------------------------------+
> >>>
> >>> mysql> SELECT IF(LENGTH(password)=16,
> >>> IF(password=OLD_PASSWORD("bananas"), true, false),
> >>> IF(password=PASSWORD("bananas"),true, false)) AS result FROM users;
> >>> +--------+
> >>> | result |
> >>> +--------+
> >>> |      1 |
> >>> |      1 |
> >>> +--------+
> >>>
> >>> mysql> SELECT IF(LENGTH(password)=16,
> >>> IF(password=OLD_PASSWORD("bagels"), true, false),
> >>> IF(password=PASSWORD("bagels"),true, false)) AS result FROM users;
> >>> +--------+
> >>> | result |
> >>> +--------+
> >>> |      0 |
> >>> |      0 |
> >>> +--------+
> >>>
> >>> More info on MySQL encryption:
> >>> <http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html>
> >>>
> >>> </tip>
> >>>   
> >>>       
> >> It's been a while since this thread has surfaced. New project, new
> >> twist. I have a site which is growing exponentially which I originally
> >> designed with a custom registration scheme. It's grown to the point that
> >> we've decided to transition to Joomla 1.5+, which uses a different
> >> encryption method. Wishing we had known this in advance, using the
> >> Joomla method now does no good. I'd rather not hack the registration
> >> screen itself (and method) but with 800+ users something has gotta give.
> >>
> >> I can undoubtedly create a custom form in Joomla to authenticate members
> >> by going to the old passwords first (and create a joomla password), but
> >> I'm not clear on how to switch login forms to joomla for
> >> those who have successfully authenticated.
> >>
> >> Or perhaps I use a 'forgot password' technique? Ideas?
> >>
> >> -- 
> >> Bob Meetin
> >>
> >>
> >> -- 
> >>
> >> * * Please support the community that supports you.  * *
> >> http://evolt.org/help_support_evolt/
> >>
> >> For unsubscribe and other options, including the Tip Harvester 
> >> and archives of thelist go to: http://lists.evolt.org 
> >> Workers of the Web, evolt ! 
> >>     
> >
> >   
> 
> 
> -- 
> Bob Meetin
> www.dottedi.biz
> 303-926-0167
> 
> Hook up with me on Twitter, Facebook, LinkedIn, Plaxo Pulse and Bebo
> or catch my blog at www.dottedi.biz/blog.php
> 
> Standards - you gotta love em - there are so many to choose from!
> 

-- 
Jon Molesa
rjmolesa at consoltec.net
if you're bored or curious
http://rjmolesa.com
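A worked version of Jon's option 2 (verify the old unsalted md5, then re-store the password salted on first successful login), choosing the routine by the stored value's shape the way Hassan's LENGTH(password)=16 test does. This is an added example, not code from the thread or from Joomla; it assumes a Joomla 1.5 style "md5(password + salt):salt" storage layout and an in-memory dict standing in for the users table.

```python
import hashlib
import hmac
import secrets


def hash_legacy(password: str) -> str:
    """Unsalted md5 as the old custom registration scheme stored it (32 hex chars)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: str = "") -> str:
    """Assumed Joomla 1.5 layout 'md5(password + salt):salt'; a fresh random salt if none given."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def is_legacy(stored: str) -> bool:
    """Pick the routine by the stored value's shape, like the LENGTH() test in the MySQL tip."""
    return ":" not in stored and len(stored) == 32


def verify(stored: str, password: str) -> bool:
    """Check a candidate password against either storage format (constant-time compare)."""
    if is_legacy(stored):
        return hmac.compare_digest(stored, hash_legacy(password))
    digest, salt = stored.split(":", 1)
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, candidate)


def login(users: dict, username: str, password: str) -> "tuple[bool, bool]":
    """Authenticate; on a successful legacy login, rewrite the row in the salted format.

    Returns (authenticated, upgraded). Only a password that has just verified is
    re-hashed, so no plaintext has to be known up front for the existing accounts.
    """
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False, False
    if is_legacy(stored):
        users[username] = hash_salted(password)  # upgrade on first successful login
        return True, True
    return True, False


if __name__ == "__main__":
    # Constructed sample table: one legacy account, one already-migrated account.
    users = {"fred": hash_legacy("bananas"), "wilma": hash_salted("bananas", "s4lt")}
    print(login(users, "fred", "bananas"))  # (True, True): verified, then migrated
    print(is_legacy(users["fred"]))         # False: the row now carries a salt
```

The example keeps md5 because that is what both storage formats in this thread use; a new deployment would put a slow password hash (bcrypt, scrypt, argon2) behind the same detect-verify-upgrade flow.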