
How can I change the password encryption of new users in Joomla? I tried to modify the

getSalt($encryption = 'md5-hex', $seed = '', $plaintext = '')

and

getCryptedPassword($plaintext, $salt = '', $encryption = 'md5-hex', $show_encrypt = false)

of library.joomla.user.helper, but by modifying these two functions the old users can't log in!

Sammitch
Re_Paya
  • I guess if you want to use 2 different encryptions you need to set up some additional parameter to identify which encryption is needed currently. – Aivar Feb 01 '13 at 22:39
  • Yes, actually there is an active Joomla website with a large number of users and another PHP-based website that uses just MD5 passwords, so I have to find a way to just store the Joomla password with the MD5 encryption algorithm. – Re_Paya Feb 02 '13 at 01:16


I just looked over Joomla's source code and, while Joomla does technically already have the functionality to:

  1. Choose from a variety of better [but not by much] hashing algorithms for password storage.
  2. Store the algorithm name with the hash in case of an algorithm change.

Neither of those things is ever actually used in the code.

What this means:

  1. You can only ever change this before you do the install by modifying the $encryption = 'md5-hex' in those two function definitions.
  2. Changing it at any other time will invalidate all of your passwords, including the administrator password.

Evidence:

 $ grep -r getCryptedPassword ./*
./components/com_users/models/reset.php:                $crypted        = JUserHelper::getCryptedPassword($data['password1'], $salt);
./components/com_users/models/reset.php:                $testcrypt = JUserHelper::getCryptedPassword($data['token'], $salt);
./installation/models/configuration.php:                $crypt = JUserHelper::getCryptedPassword($options->admin_password, $salt);
./libraries/joomla/user/user.php:                       $crypt = JUserHelper::getCryptedPassword($array['password'], $salt);
./libraries/joomla/user/user.php:                               $crypt = JUserHelper::getCryptedPassword($array['password'], $salt);
./libraries/joomla/user/helper.php:     public static function getCryptedPassword($plaintext, $salt = '', $encryption = 'md5-hex', $show_encrypt = false)
./plugins/authentication/joomla/joomla.php:                     $testcrypt = JUserHelper::getCryptedPassword($credentials['password'], $salt);

You can clearly see that there is not a single call to getCryptedPassword() that specifies an 'encryption' type, so the default from the function definition is always used.

So on a fresh install, between unzipping the files and actually running the install script you can change the function definitions to:

getSalt($encryption = 'crypt-blowfish', $seed = '', $plaintext = '')
getCryptedPassword($plaintext, $salt = '', $encryption = 'crypt-blowfish', $show_encrypt = true)

This will change the hashing algorithm to the best choice [IMO], as well as store the hash type along with the password so you can change the algorithm later without invalidating all the old passwords.

Come to think of it, you might be able to change the algo right now if you first run a query like the one below to specify the current algorithm.

UPDATE users
SET password = CONCAT('{MD5}', password)
WHERE password NOT LIKE '{%';

But of course you'll have to use the proper table and field names.

Sammitch
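An added example (not Joomla's code and not part of the answer above) of the "store the algorithm with the hash" idea the answer relies on: a verifier that accepts both the legacy Joomla 'md5-hex' records (md5(password . salt) followed by ':' and the salt) and new bcrypt records, and re-hashes a legacy record at login so old users are migrated instead of locked out. The '{BCRYPT}' tag, the helper names and the sample records are assumptions made for this example.

```php
<?php
// Added example: tolerate two stored-password formats side by side so an
// algorithm change does not invalidate existing users.
//   legacy 'md5-hex' record:  md5(password . salt) . ':' . salt      (Joomla layout)
//   new record:               '{BCRYPT}' . password_hash(...)         (tag is an assumption)

const TAG_BCRYPT = '{BCRYPT}';

// New-format hash: algorithm tag + bcrypt string (salt and cost are embedded by PHP).
function hashNew(string $plaintext): string {
    return TAG_BCRYPT . password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Recreates the legacy Joomla 'md5-hex' format; used here only to build sample data.
function hashLegacyMd5(string $plaintext, string $salt): string {
    return md5($plaintext . $salt) . ':' . $salt;
}

// Returns whether the login attempt matches; when a legacy record verified,
// $upgraded receives a new-format hash that the caller should write back.
function verifyStored(string $plaintext, string $stored, ?string &$upgraded): bool {
    $upgraded = null;
    if (strncmp($stored, TAG_BCRYPT, strlen(TAG_BCRYPT)) === 0) {
        return password_verify($plaintext, substr($stored, strlen(TAG_BCRYPT)));
    }
    // Untagged record: assume the legacy "hash:salt" layout.
    $parts = explode(':', $stored, 2);
    $salt = $parts[1] ?? '';
    $expected = $salt === '' ? md5($plaintext) : md5($plaintext . $salt);
    if (!hash_equals($expected, $parts[0])) {   // constant-time comparison
        return false;
    }
    // Legacy hash matched: re-hash while the plaintext is available.
    $upgraded = hashNew($plaintext);
    return true;
}

// Constructed sample records, no real user data.
$records = [
    'alice' => hashLegacyMd5('correct horse', 'Kx9q2L'), // user created before the change
    'bob'   => hashNew('battery staple'),                 // user created after the change
];

foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'battery staple']] as [$user, $pw]) {
    $ok = verifyStored($pw, $records[$user], $upgraded);
    printf("%s: %s%s\n", $user, $ok ? 'ok' : 'rejected', $upgraded !== null ? ' (record upgraded)' : '');
    if ($upgraded !== null) {
        $records[$user] = $upgraded; // in Joomla this would be an UPDATE on the users table
    }
}
```

Once every remaining legacy record has been rewritten (or expired), the untagged branch can be removed and the md5 path retired entirely.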