Password Encryption

by Naresh Kumar -
Number of replies: 12
I was just wondering if it would be possible to decrypt the password of the user. Even the algorithm used for the encryption of the password would be helpful to me. I would appreciate any help regarding the encryption method being used.
In reply to Naresh Kumar

Re: Password Encryption

by Iñaki Arenaza -
Passwords are MD5 hashes of the real passwords. This has been enhanced in the latest development version (I'm not sure it's been backported to the latest stable version) with 'salt' characters, to make it harder to break the passwords (MD5 can be broken under certain conditions, given enough computing power).

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: Password Encryption

by Dan Stowell -
The "salting" is in Moodle 1.6, IIRC.

@Naresh: As Inaki says, the passwords are hashed using MD5, which is a "one-way" algorithm - it's specifically designed so that it's not possible to go backwards from the hash to the original password. You should never have a reason to want to do this, anyway. If a user forgets their password, reset it to something new for them.

It is actually possible to crack password hashes, mainly by using brute-force attacks (trying every possible password and seeing if it hashes to the same thing as the password you're after) or dictionary attacks (trying every possible password from a plausible subset such as English words). This is only possible if you have direct access to the hashes and to the "salt" (if used), and even then it takes an awful lot of computing time - as the password length increases beyond 6 characters it becomes unfeasible to crack.
Average of ratings: Useful (1)
In reply to Dan Stowell

Re: Password Encryption

by Bart Kemps -

I'd like to add Moodle to an existing Asp.Net-site, so I need to sync user accounts somehow.

I will most probably alter my C# validation procedure. So instead of accessing my existing user database, I'll access the Moodle database, checking if

Hashfunction(name,password) equals the value in the database.

So I need to know how the hashing is implemented. I understand it uses a standard MD5-algorithm. And you wrote the "salting" in Moodle 1.6 is IIRC.

So would this be correct?:

Hashfuction(string name, string password)
{
  string Hash = "IIRC";
  return MD5(Hash + password);
}

In reply to Bart Kemps

Re: Password Encryption

by Wilder Fioramonte -
According to my experience with Moodle 1.9.7, you should put the variable Hash after the password:

Hashfuction(string name, string password)
{
string Hash = "IIRC";
return MD5(password + Hash);
}
In reply to Wilder Fioramonte

Re: Password Encryption

by Alex Rapsomanikis -

For anyone looking as I was.
In Moodle 2 the password is encrypted like this:

md5(password + salt);

e.g:

$password = "test";
$salt = "+-0`~@NN{e=oX+~QEbL#Wv!FNUMxs~DU"; // found in config.php
md5($password.$salt);

Hope this helps!

Average of ratings: Useful (2)
In reply to Alex Rapsomanikis

Re: Password Encryption

by Tom Adair -

This might well be what I was looking for!

Going to try whether it works for me.

Thanks for posting this!

In reply to Alex Rapsomanikis

Re: Password Encryption

by ganesh babu k -

Thanks. Please tell me how I can prevent users from reading the articles in Moodle without paying.

In reply to Wilder Fioramonte

user access problem

by mahi merugu -

Hi,

I am Mahender from India. I am using Moodle in my organisation. I have some offline servers in some areas and I am uploading the data to the central server from the backend, but I cannot access users in the application. So, please can somebody help to sort out this problem?

Thanks in advance

In reply to Naresh Kumar

Re: Password Encryption

by Max De Mendizábal -

One of the main objectives of the md5 hash algorithm is the impossibility of recovering the original string. So, theoretically it is impossible to recover the original password using the md5 string stored in the Moodle database.

I found it very useful to write a script in Perl to reset a user password from the command line of the server. Here it is:

#!/usr/bin/perl -w
# set.moodle.pw.pl
# It's easier to change the password on the command line

use strict;
use DBI;
use Digest::MD5 qw(md5_hex);

my $dbhost = 'localhost';
my $dbname = 'moodle';
my $dbuser = 'user';
my $dbpass = 'pass';

my $nArgs = $#ARGV + 1;
die ("Usage: set.moodle.pw username password\n") if $nArgs != 2;

# Copy the $CFG->passwordsaltmain from the config.php file
my $passwordsaltmain = 'your_password_salt_main';

# Connecting, selecting database
my $dbh = DBI->connect("dbi:Pg:dbname=$dbname", "$dbuser", "$dbpass") or die('Cannot connect to database: ' . $DBI::errstr);

print "User: $ARGV[0] password: $ARGV[1]\n";
# md5_hex() concatenates its arguments, so this is md5(password . salt)
my $hash = md5_hex($ARGV[1], $passwordsaltmain);
# Placeholders keep quotes in the username or password out of the SQL text
my $sSql = "UPDATE mdl_user SET password = ? WHERE username = ?";
print "$sSql\n";
my $sth = $dbh->prepare($sSql) or die $dbh->errstr;
my $result = $sth->execute($hash, $ARGV[0]) or die $sth->errstr;
print "Updated $result account\n" if ($result > 0);
$dbh->disconnect;
1;

------------------------------------------------------

I hope it works for you too.

In reply to Naresh Kumar

Re: Password Encryption

by jason goodwin -

MS SQL Server 2008 solution: (I apologize for the formatting but I can't submit the post without injecting the slash into the declaration due to a firewall rule.  Just remove the slash from each declaration and it'll work.)

DECLAR/E @salt VARCHAR(32)
DECLAR/E @password VARCHAR(32)
DECLAR/E @varbinary_hash VARBINARY(MAX)
DECLAR/E @hash VARCHAR(32)

SET @salt = 'YOUR_SITE_SALT_HERE'
SET @password = 'USER_PASSWORD_HERE'
SET @varbinary_hash = HASHBYTES('MD5', @password + @salt)
SET @hash = LOWER(CONVERT(VARCHAR(MAX), @varbinary_hash, 2))

In reply to jason goodwin

Re: Password Encryption

by Amar Kumawat -

How do I apply the salted hash technique in Moodle 1.9?
I added the new salt in config.php, keeping the old one, but it's still not working.
i.e. old salt:
$CFG->passwordsaltalt2 = '3gjeQ+dA(xGOVrYTzssMiAhR[(G~v!c/(4~z';
New salt:
$CFG->passwordsaltmain = '+uSzm8#9hckHQlhr%:T&jRbp61@Wmc`5>(GaKNqM:DAG[';
Would appreciate any help regarding the salted hash.

In reply to Amar Kumawat

Re: Password Encryption

by Amar Kumawat -

Still no reply from anyone (regarding the salted hash technique in Moodle 1.9).

Waiting for a reply as it's urgent.
Please, can anyone let me know where and what I have to change (is it anything in PHP?) so it works.

Thanks & regards,
Amar kumawat
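
A verification routine for the scheme posted in this thread (MD5 of the password followed by the site salt), as an added example that is not part of any post and is not Moodle's own code. The function names and the salts are made up for illustration, and trying the main salt, then each passwordsaltalt value, then no salt is an assumption about how a site with rotated salts would keep accepting older hashes.

```python
import hashlib
import hmac
import re

HEX_MD5 = re.compile(r"[0-9a-fA-F]{32}")

def moodle_md5(password: str, salt: str = "") -> str:
    """Hex MD5 of the password followed by the site salt, as posted above."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()

def verify_legacy_password(password, stored_hash, salt_main, salt_alts=None):
    """Check a password against a stored legacy hash.

    salt_alts maps the number N of a passwordsaltaltN setting to its value.
    Returns (ok, matched_with); matched_with is 'main', 'alt<N>',
    'unsalted' or None.
    """
    if not HEX_MD5.fullmatch(stored_hash or ""):
        return (False, None)  # not a 32-character hex MD5 value
    stored = stored_hash.lower()
    candidates = [("main", salt_main)]
    candidates += [(f"alt{n}", s) for n, s in sorted((salt_alts or {}).items())]
    candidates.append(("unsalted", ""))
    matched = None
    for label, salt in candidates:
        # compare_digest avoids leaking the match position through timing
        if hmac.compare_digest(moodle_md5(password, salt), stored):
            matched = matched or label
    return (matched is not None, matched)

def needs_rehash(matched_with):
    """True when the hash was made with an old salt or with none, so the
    caller should store a fresh hash while it still has the password."""
    return matched_with not in (None, "main")

# Constructed sample values, not taken from any real site
SALT_OLD = "constructed-old-salt"
SALT_NEW = "constructed-new-salt"
STORED_OLD = moodle_md5("test", SALT_OLD)  # account last set under the old salt

if __name__ == "__main__":
    ok, how = verify_legacy_password("test", STORED_OLD, SALT_NEW, {2: SALT_OLD})
    print(ok, how, needs_rehash(how))
```

Because the salt is one value for the whole site, two accounts with the same password get the same stored hash; the rehash flag is the point at which a site can move such accounts to a stronger scheme.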