Welcome to WebmasterWorld Guest from 23.23.53.177

Forum Moderators: ergophobe

Message Too Old, No Replies

Lost Joomla Login

   
7:34 am on Feb 8, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The super-admin left some time ago and no user has higher access than admin - backend. Is there any way to get around this?
8:42 am on Feb 8, 2011 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



If you have access to phpMyAdmin, change the admin password to a new one (find a web page that will convert it to MD5)
3:42 pm on Feb 8, 2011 (gmt 0)

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Or change it to the same value in your user profile (using phpMyAdmin, command line, etc). That way you don't have to convert it first and for any type of backend software that isn't using what you expect (MD5, for example) the password will always work.

Hopefully that made sense :P
4:22 pm on Feb 8, 2011 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Actually coop, it took me a couple of readings to follow that, but I'm not fully awake yet.

So to put it another way... you mean for him to go into phpMyAdmin, find his own account for which he already knows the password, grab the MD5 hash of his password and, still in phpMyAdmin, paste that into the super user account.
4:51 pm on Feb 8, 2011 (gmt 0)

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Exactly. Thanks for clarifying my ill attempt ;)

The reason this method works best is that the hash/encoding may not always be md5. It will work with any hash/encoding used by the back-end application.
7:57 pm on Feb 8, 2011 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Good point. I think simple MD5 encoding is being phased out of most major CMS. Drupal for sure. Don't know about Joomla.
1:14 am on Feb 9, 2011 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



I think simple MD5 encoding is being phased out of most major CMS.


What's the new standard? SHA + salted?
3:36 pm on Feb 9, 2011 (gmt 0)

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Most of the moves are for political reasons, imagine that. For example, back in 2006 NIST released this Policy on Hash Functions [csrc.nist.gov]. But most of the hoopla and discussion is centered around documents released in 2008, particularly
  • FIPS 180-3 Secure Hash Standard (SHS)
  • FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC)

You can read them on the FIPS Publications [csrc.nist.gov] page.

The hash ("encrypted") value of a password merely masks the plain text version in some form or another. Once a person has gained access to the files, they already have everything they need, on that particular site anyway. The reasoning given for some of this is that in the event somebody has this much information and is able to reverse engineer the password, now they have the plain text version along with other details of a user including name, address, username, etc. This information could be used on other sites that the user visits or uses such as online banking perhaps. You start to get the picture.

The problem that content management systems are running into is cross-application security. If one CMS changes it's hashing mechanism, but another does not, the single-sign-on feature breaks.
 

Featured Threads

Hot Threads This Week

Hot Threads This Month