
After migrating from TYPO3 4.5 to 6, then 7, 8, 9, 10, arriving at version 11, the frontend users' login passwords don't work anymore. I thought that they would be encrypted by the upgrade process. I have spent a lot of time doing this migration process, and now discover that the passwords are stored in the database as clear text, e.g. "password123".

I have around 900 FE users that now can't access the website. How can I fix this? Is there any solution to make them work?

Thank you!

Mohamed Masmoudi
  • Since 4.5 a lot of time has gone... Which kind of hashing was used in your instance? Upgrading from 4.5 to 11 is a huge step - and within the last ten years, different hashing algorithms have been dropped and replaced by (more) secure ones. – Julian Hofmann Mar 13 '22 at 18:43
  • @JulianHofmann I have done the migration through all versions: 6.2, 7.4, 8, 9, 10, 11. – Mohamed Masmoudi Mar 13 '22 at 19:21
  • Passwords have been stored as hashes for a long, long time. So, nobody (and no script) is able to simply convert them to newer/other hashes. A hash is irreversible. Therefore, you cannot decode it and apply another hash algorithm to it. However, TYPO3 always supported old hash methods for a while, and the passwords were hashed with the newer hash algorithm when logging in (where they are in plain text). However, only the one password you just entered will be updated. – Julian Hofmann Mar 13 '22 at 19:49
  • @JulianHofmann Thank you for your reply, but the passwords are now stored in the database as plain clear text; they have never been encoded. – Mohamed Masmoudi Mar 13 '22 at 19:54
  • Oh, then it's pretty easy... These kinds of passwords are insecure and not supported anymore (you should never even save passwords as clear text!). With your own CLI command, you can generate a hash for the password. https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/PasswordHashing/Index.html#creating-a-hash – Julian Hofmann Mar 13 '22 at 21:51

1 Answer

Maybe implementing your own hash mechanism could help get the old passwords working again:

https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/PasswordHashing/Index.html#adding-a-new-hash-mechanism

Julian Hofmann
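The approach suggested in the comments above (your own CLI command that hashes the stored values through the PasswordHashing API), written out as an added example that is not part of the original posts or of TYPO3 itself. The namespace, class name and command registration are hypothetical, and the code assumes that every `fe_users.password` value which no registered hash mechanism recognises is clear text, as the asker describes; an old hash from a mechanism that has since been dropped would be hashed a second time and become unusable.

```php
<?php
declare(strict_types=1);
// Hypothetical namespace and class name; register the class as a console
// command in your own extension's Configuration/Services.yaml.
namespace Vendor\SitePackage\Command;

use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
use TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Utility\GeneralUtility;

final class HashClearTextFeUserPasswordsCommand extends Command
{
    protected function execute(InputInterface $input, OutputInterface $output): int
    {
        $factory = GeneralUtility::makeInstance(PasswordHashFactory::class);
        $defaultHash = $factory->getDefaultHashInstance('FE');
        $pool = GeneralUtility::makeInstance(ConnectionPool::class);

        // Read every fe_users row, including hidden and deleted ones.
        $queryBuilder = $pool->getQueryBuilderForTable('fe_users');
        $queryBuilder->getRestrictions()->removeAll();
        $rows = $queryBuilder->select('uid', 'password')->from('fe_users')
            ->execute()->fetchAllAssociative();

        $connection = $pool->getConnectionForTable('fe_users');
        $converted = 0;
        foreach ($rows as $row) {
            $stored = (string)$row['password'];
            if ($stored === '') { continue; } // nothing to hash
            try {
                // A registered mechanism recognises the value: already a hash.
                $factory->get($stored, 'FE');
                continue;
            } catch (InvalidPasswordHashException $e) {
                // Assumption: an unrecognised value is a clear-text password.
            }
            $connection->update('fe_users',
                ['password' => $defaultHash->getHashedPassword($stored)],
                ['uid' => (int)$row['uid']]);
            $converted++;
        }
        $output->writeln($converted . ' clear-text password(s) hashed.');
        return Command::SUCCESS;
    }
}
```

Run it against a copy of the database first. Existing dumps and backups still contain the clear-text values after the live table has been converted.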