Forum Moderators: ergophobe

Lost Joomla Login

     
7:34 am on Feb 8, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2002
posts:2162
votes: 0


The super-admin left some time ago and no user has higher access than admin - backend. Is there any way to get around this?
8:42 am on Feb 8, 2011 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member

joined:June 18, 2005
posts:1692
votes: 3


If you have access to phpMyAdmin, change the admin password to a new one (find a web page that will convert it to MD5)
3:42 pm on Feb 8, 2011 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12533
votes: 0


Or change it to the same value in your user profile (using phpMyAdmin, command line, etc). That way you don't have to convert it first and for any type of backend software that isn't using what you expect (MD5, for example) the password will always work.

Hopefully that made sense :P
4:22 pm on Feb 8, 2011 (gmt 0)

Moderator This Forum

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8137
votes: 95


Actually coop, it took me a couple of readings to follow that, but I'm not fully awake yet.

So to put it another way... you mean for him to go into phpMyAdmin, find his own account for which he already knows the password, grab the MD5 hash of his password and, still in phpMyAdmin, paste that into the super user account.
4:51 pm on Feb 8, 2011 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12533
votes: 0


Exactly. Thanks for clarifying my ill attempt ;)

The reason this method works best is that the hash/encoding may not always be md5. It will work with any hash/encoding used by the back-end application.
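Added illustration of the point in the post above (editorial example, not code from any poster and not Joomla's actual hashing): two constructed storage schemes, a bare MD5 and a salted PBKDF2 string, show that copying a known account's stored value verbatim works under both, while pasting a freshly computed MD5 works only when the back end really uses plain MD5. All names and the `salt$digest` format are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Constructed schemes for illustration; neither is claimed to be Joomla's format.
def md5_store(password):
    return hashlib.md5(password.encode()).hexdigest()

def md5_check(password, stored):
    return hmac.compare_digest(md5_store(password), stored)

def salted_store(password):
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def salted_check(password, stored):
    salt_hex, sep, digest_hex = stored.partition("$")
    if not sep:
        return False  # not in salt$digest form, e.g. a bare MD5 pasted in
    try:
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

SCHEMES = {"md5": (md5_store, md5_check), "salted": (salted_store, salted_check)}

def recover(scheme, method, known_password="my-own-password"):
    """Return True if known_password logs in as the super admin afterwards."""
    store, check = SCHEMES[scheme]
    # Constructed two-row "users table": account name -> stored credential.
    users = {"superadmin": store("forgotten-by-everyone"),
             "me": store(known_password)}
    if method == "copy":          # copy the known account's stored value as-is
        users["superadmin"] = users["me"]
    elif method == "paste_md5":   # compute an MD5 elsewhere and paste it in
        users["superadmin"] = hashlib.md5(known_password.encode()).hexdigest()
    else:
        raise ValueError(method)
    return check(known_password, users["superadmin"])

if __name__ == "__main__":
    for scheme in SCHEMES:
        for method in ("copy", "paste_md5"):
            print(f"{scheme:7} {method:10} login ok: {recover(scheme, method)}")
```

The copy works under the salted scheme because the salt travels inside the stored string. Both accounts share one credential afterwards, so set a fresh password through the application once logged in.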
7:57 pm on Feb 8, 2011 (gmt 0)

Moderator This Forum

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8137
votes: 95


Good point. I think simple MD5 encoding is being phased out of most major CMS. Drupal for sure. Don't know about Joomla.
1:14 am on Feb 9, 2011 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member

joined:June 18, 2005
posts:1692
votes: 3


"I think simple MD5 encoding is being phased out of most major CMS."

What's the new standard? SHA + salted?
3:36 pm on Feb 9, 2011 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12533
votes: 0


Most of the moves are for political reasons, imagine that. For example, back in 2006 NIST released this Policy on Hash Functions [csrc.nist.gov]. But most of the hoopla and discussion is centered around documents released in 2008, particularly
  • FIPS 180-3 Secure Hash Standard (SHS)
  • FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC)

You can read them on the FIPS Publications [csrc.nist.gov] page.

The hash ("encrypted") value of a password merely masks the plain text version in some form or another. Once a person has gained access to the files, they already have everything they need, on that particular site anyway. The reasoning given for some of this is that in the event somebody has this much information and is able to reverse engineer the password, now they have the plain text version along with other details of a user including name, address, username, etc. This information could be used on other sites that the user visits or uses such as online banking perhaps. You start to get the picture.

The problem that content management systems are running into is cross-application security. If one CMS changes its hashing mechanism, but another does not, the single-sign-on feature breaks.