Turn off MD5 password hashing? Turn off MD5 password hashing?
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

Turn off MD5 password hashing?

Started by SarilX, March 05, 2006, 05:23:50 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

SarilX

I noticed with my previous instalation of Coppermine ( I think it was 1.3.x something ) that I could log into myPHPAdmin and fish out user passwords directly. This was most useful for me since me and my family were a rather forgetful bunch.

Now that I'm on a new host, with 1.4.2, when I got into myPHPAdmin, all the passwords are in MD5 hash, and bruteforce reversal takes about 15 days.

Does anyone know how to turn off MD5 hashing, so that passwords are stored and able to be viewed in standard text?


Sorry, and thankyou all in advance,
Saril

Joachim Müller

"enable_encrypted_passwords" in coppermine's config table (only editable using phpMyAdmin) - set to "0". However, this will reset all your passwords, you have to reset them. Disabling password encryption is not recommended though. Instead: teach your users to use the "forgot password" link on the login screen to request a new password. Although the admin rules, it's better that he can't see user's passwords, as people tend to re-use passwords for different systems - if the admin can see user's passwords, he may be able to get access to other systems he's not suppossed to have. That's the main reason why we chose to introduce password encryption for cpg1.4.x in the first place.