Re_Paya

Reputation: 71

Change the encryption of Joomla user registration without ruining login of pre-existing users

How can I change the password encryption of new users in Joomla? I tried to modify:

getSalt($encryption = 'md5-hex', $seed = '', $plaintext = '')

and

getCryptedPassword($plaintext, $salt = '', $encryption = 'md5-hex', $show_encrypt = false)

of library.joomla.user.helper, but by modifying these two functions, the old users can't log in!

Upvotes: -1

Views: 852

Answers (1)

Sammitch

Reputation: 32272

I just looked over Joomla's source code and, while Joomla does technically already have the functionality to:

  1. Choose from a variety of better [but not by much] hashing algorithms for password storage.
  2. Store the algorithm name with the hash in case of an algorithm change.

Neither of those things is ever actually used in the code.

What this means:

  1. You can only ever change this before you do the install by modifying the $encryption = 'md5-hex' in those two function definitions.
  2. Changing it at any other time will invalidate all of your passwords, including the administrator password.

Evidence:

 $ grep -r getCryptedPassword ./*
./components/com_users/models/reset.php:                $crypted        = JUserHelper::getCryptedPassword($data['password1'], $salt);
./components/com_users/models/reset.php:                $testcrypt = JUserHelper::getCryptedPassword($data['token'], $salt);
./installation/models/configuration.php:                $crypt = JUserHelper::getCryptedPassword($options->admin_password, $salt);
./libraries/joomla/user/user.php:                       $crypt = JUserHelper::getCryptedPassword($array['password'], $salt);
./libraries/joomla/user/user.php:                               $crypt = JUserHelper::getCryptedPassword($array['password'], $salt);
./libraries/joomla/user/helper.php:     public static function getCryptedPassword($plaintext, $salt = '', $encryption = 'md5-hex', $show_encrypt = false)
./plugins/authentication/joomla/joomla.php:                     $testcrypt = JUserHelper::getCryptedPassword($credentials['password'], $salt);

You can clearly see that there is not a single call to getCryptedPassword() that specifies an 'encryption' type, so the default from the function definition is always used.

So on a fresh install, between unzipping the files and actually running the install script you can change the function definitions to:

getSalt($encryption = 'crypt-blowfish', $seed = '', $plaintext = '')
getCryptedPassword($plaintext, $salt = '', $encryption = 'crypt-blowfish', $show_encrypt = true)

This will change the hashing algorithm to the best choice [IMO], as well as store the hash type along with the password so you can change the algorithm later without invalidating all the old passwords.

Come to think of it, you might be able to change the algo right now if you first run a query like the one below to specify the current algorithm.

-- Tag every untagged (legacy md5-hex) hash with its algorithm name
UPDATE users
SET password = CONCAT('{MD5}', password)
WHERE password NOT LIKE '{%';

But of course you'll have to use the proper table and field names.

Upvotes: 1
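Added example (not Joomla's own code and not from the answer above) of the migration the answer describes: a login check that accepts the legacy untagged hash, the {MD5}-tagged hash left by the UPDATE above, or a modern bcrypt hash, and rehashes legacy entries on a successful login so the algorithm can change without locking anyone out. It assumes the legacy stored form is md5(password . salt) followed by ':' and the salt, which is what Joomla 1.5/2.5 wrote; the function names and sample rows are constructed.

```php
<?php
// Assumed legacy layout (Joomla 1.5/2.5): md5($plaintext . $salt) . ':' . $salt
function verifyLegacyMd5(string $plaintext, string $stored): bool
{
    $parts = explode(':', $stored, 2);
    $hash  = $parts[0];
    $salt  = $parts[1] ?? '';
    $test  = $salt !== '' ? md5($plaintext . $salt) : md5($plaintext);
    // Constant-time comparison so the check itself does not leak timing
    return hash_equals($hash, $test);
}

// Returns [bool accepted, ?string newStoredValue]; newStoredValue is non-null
// when the caller should write an upgraded hash back to the user's row.
function verifyAndUpgrade(string $plaintext, string $stored): array
{
    if (strncmp($stored, '$2y$', 4) === 0) {
        // Already bcrypt (password_hash output): verify, nothing to upgrade
        return [password_verify($plaintext, $stored), null];
    }
    if (strncmp($stored, '{MD5}', 5) === 0) {
        // Tagged legacy hash, e.g. after UPDATE ... CONCAT('{MD5}', password)
        $stored = substr($stored, 5);
    }
    if (!verifyLegacyMd5($plaintext, $stored)) {
        return [false, null];
    }
    // Correct password: the plaintext is in hand, so rehash with bcrypt now
    return [true, password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => 12])];
}

// Constructed sample rows (not real Joomla data)
$salt   = 'Kq3x9LmZ';
$legacy = md5('correct horse' . $salt) . ':' . $salt;
$rows   = [
    'legacy' => $legacy,
    'tagged' => '{MD5}' . $legacy,
    'bcrypt' => password_hash('correct horse', PASSWORD_BCRYPT),
];

foreach ($rows as $kind => $row) {
    list($ok, $upgrade) = verifyAndUpgrade('correct horse', $row);
    printf("%-6s accepted=%s upgrade=%s\n", $kind,
        var_export($ok, true), $upgrade === null ? 'no' : 'yes');
}
list($ok, $upgrade) = verifyAndUpgrade('wrong password', $legacy);
printf("wrong password accepted=%s\n", var_export($ok, true));
```

Writing the returned bcrypt value back on each successful legacy login lets the old md5 rows disappear over time, and once none remain the legacy branch can be deleted.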
