| 8:42 am on Feb 8, 2011 (gmt 0)|
If you have access to phpMyAdmin, change the admin password to a new one (find a web page that will convert it to MD5)
| 3:42 pm on Feb 8, 2011 (gmt 0)|
Or change it to the same value in your user profile (using phpMyAdmin, command line, etc). That way you don't have to convert it first and for any type of backend software that isn't using what you expect (MD5, for example) the password will always work.
Hopefully that made sense :P
| 4:22 pm on Feb 8, 2011 (gmt 0)|
Actually coop, it took me a couple of readings to follow that, but I'm not fully awake yet.
So to put it another way... you mean for him to go into phpMyAdmin, find his own account for which he already knows the password, grab the MD5 hash of his password and, still in phpMyAdmin, paste that into the super user account.
| 4:51 pm on Feb 8, 2011 (gmt 0)|
Exactly. Thanks for clarifying my ill attempt ;)
The reason this method works best is that the hash/encoding may not always be md5. It will work with any hash/encoding used by the back-end application.
| 7:57 pm on Feb 8, 2011 (gmt 0)|
Good point. I think simple MD5 encoding is being phased out of most major CMS. Drupal for sure. Don't know about Joomla.
| 1:14 am on Feb 9, 2011 (gmt 0)|
|I think simple MD5 encoding is being phased out of most major CMS. |
What's the new standard? SHA + salted?
| 3:36 pm on Feb 9, 2011 (gmt 0)|
Most of the moves are for political reasons, imagine that. For example, back in 2006 NIST released this Policy on Hash Functions [csrc.nist.gov]. But most of the hoopla and discussion is centered around documents released in 2008, particularly
- FIPS 180-3 Secure Hash Standard (SHS)
- FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC)
You can read them on the FIPS Publications [csrc.nist.gov] page.
The hash ("encrypted") value of a password merely masks the plain text version in some form or another. Once a person has gained access to the files, they already have everything they need, on that particular site anyway. The reasoning given for some of this is that in the event somebody has this much information and is able to reverse engineer the password, now they have the plain text version along with other details of a user including name, address, username, etc. This information could be used on other sites that the user visits or uses such as online banking perhaps. You start to get the picture.
The problem that content management systems are running into is cross-application security. If one CMS changes it's hashing mechanism, but another does not, the single-sign-on feature breaks.