Turn off MD5 password hashing?

Started by SarilX, March 05, 2006, 05:23:50 AM


SarilX

I noticed with my previous installation of Coppermine (I think it was 1.3.x something) that I could log into phpMyAdmin and fish out user passwords directly. This was most useful for me since me and my family were a rather forgetful bunch.

Now that I'm on a new host, with 1.4.2, when I got into phpMyAdmin, all the passwords are in MD5 hash, and brute-force reversal takes about 15 days.

Does anyone know how to turn off MD5 hashing, so that passwords are stored and able to be viewed in standard text?


Sorry, and thank you all in advance,
Saril

Joachim Müller

"enable_encrypted_passwords" in Coppermine's config table (only editable using phpMyAdmin) - set to "0". However, this will reset all your passwords; you have to reset them. Disabling password encryption is not recommended though. Instead: teach your users to use the "forgot password" link on the login screen to request a new password. Although the admin rules, it's better that he can't see users' passwords, as people tend to re-use passwords for different systems - if the admin can see users' passwords, he may be able to get access to other systems he's not supposed to have. That's the main reason why we chose to introduce password encryption for cpg1.4.x in the first place.
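
An added example, not part of the original thread and not Coppermine's own code: a sketch of the approach recommended above, where only a password hash is stored and a forgotten password is replaced through a one-time reset token rather than read back by the admin. All function and table names are hypothetical, and salted PBKDF2 is swapped in for the stored hash, with plain MD5 shown only for contrast.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stand-ins for a users table and a reset-token table.
USERS = {}
RESET_TOKENS = {}
ITERATIONS = 200_000

def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def set_password(user, password):
    USERS[user] = hash_password(password)  # plaintext is never stored

def check_login(user, password):
    if user not in USERS:
        return False
    salt, stored = USERS[user]
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time compare

def request_reset(user, ttl=900, now=None):
    """Issue a one-time token; only its SHA-256 is kept server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (user, now + ttl)
    return token  # would be e-mailed to the account's address

def complete_reset(token, new_password, now=None):
    """Consume the token and set a new password; expired or reused tokens fail."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)
    return True

def plain_md5(password):
    """Plain MD5 for contrast: equal passwords always give equal stored values."""
    return hashlib.md5(password.encode()).hexdigest()
```

With the salted scheme, two users who choose the same password get different stored values, whereas plain MD5 makes that reuse visible to anyone who can read the table.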