I need to to echo the logged in user password for some reason ...
when i use $USER->password it gives me long row of characters, it seems that these characters are encrypted, how can i echo the real password ?
thank you so much in advance ...
You can not, you are right, it is encrypted.
Well, technically it is hashed, not encrypted. Something that has been encrypted can be decrypted. Something that has been hashed cannot be.
but let's consider that:
user1 password = 123
user2 password = 123
if(user1->password == user2->password)
echo "equal";
else
echo "not equal";
what would be the output for this case ? and why ?
If user1 and user2 had the same password, then the statement would evaluate to true 
The output may be "equal" or "not equal", depending on the $CFG->passwordsaltmain setting at the time that the users set their passwords. If $CFG->passwordsaltmain was the same when both users set their passwords, then the output will be "equal".
If Moodle ever moves to a per-password salt, (e.g. see the discussion in http://moodle.org/mod/forum/discuss.php?d=120180) then the result should (with high probability) be "not equal".
If Moodle ever moves to a per-password salt, (e.g. see the discussion in http://moodle.org/mod/forum/discuss.php?d=120180) then the result should (with high probability) be "not equal".
It would help if we knew why you needed to echo the password and then we can provide advice to an alternative sollution, you cannot echo the exact password as a user would type it for obvious security reasons.
The reason it's hashed is to prevent anyone from seeing the true typed password but the system hashes the user input and matches that against the stored value.
i have one Moodle installation over 50 different databases (oracle) - i.e. one moodle for 50 schools in the same geographical area (~24000 students)
one requirement: the customer wants some admin users (assigned an admin role over the system) to be able to browse other schools through some kind of graphical interface, we prapered a 3D map for the area, and the administrator must be able to choose which school he wants to log in, when he chooses the school I want him to be logged in automatically without entering the username and password again, giving that he has the same username and password added on all databases and assigned previously the admin role on all schools databases (of course with the same username and password), i.e. something like, let's say, a root admin.
we prepared the script with hardcoded password and it worked, but when I try something like this:
<input type = hidden name="password" value="$USER->password" /> it won't log that admin onto the school he chooses !!
that's why i need a way to grab the password and provide it (along with the username) as log on credentials to the target school moodle interface ..
anyhelp would be highly appreciated !!
It sounds like you want something along the lines of Moodle Networks.
nope ...
I know about moodle networks, but in my case, it is one moodle for 50 databases.
yes, exactly as you said ...
If I understand this correctly then when the admin attempts to log in to the different install, the hashed password is being hashed again on the login check so failing to find a record.
It's not really secure but you could modify the login check to see if the refering url is in a list of trusted and then not hash the password again but they would need the account to already exist at that install. Just a thought.
Or for a more secure method look at creating an OAuth plugin
If you are using a config.php hack to switch databases and moodledata in your Moodle, then you can still use Moodle Networks (assuming you're using different URLs for each school, and not some other crazy thing to distinguish them).
The passwords are md5 hashed. If you have an database access you can get them and decode. It is quite easy, if you have a little bit of calculating power or a web service ;)
You can google the most md5 hashs and get the passwords ;)
You can google the most md5 hashs and get the passwords ;)
err... you'd need a lot of calculating power, and a lot of time. It's definitely not suitable for the use case that the OP is looking at.
Here is just one link of several available to manage this as part of code (as opposed to using web service): http://code.activestate.com/recipes/502296/
Just do a web search on MD5 hash crack ;)
This is one reason it is critical to make sure mysql does not respond on a public ip address.
Just do a web search on MD5 hash crack ;)
This is one reason it is critical to make sure mysql does not respond on a public ip address.
Yes, and you either need a lot of time and processing power, or you need your users to be using very weak passwords. His claim of "much faster alternative to Rainbow Tables and other tools such as John the Ripper or Cain and Abel" depends on having a very short word list, and users using passwords only in that word list. Which of course is bogus, because you could just create a rainbow table with just your word list, and be much faster.
Obviously one needs to make sure that their database is properly secured, not only because of password cracking possibilities, but because, well, there's sensitive data in there!
Obviously one needs to make sure that their database is properly secured, not only because of password cracking possibilities, but because, well, there's sensitive data in there!
i'm using rainbowtables, it takes some seconds till some minutes. But some Websites are faster ;)
regards martin
regards martin
If I was one of your users, I would have some expectation of privacy especially for my password..
Just because it's MD5 hashed and you can either crack it or look it up in a rainbow table - doesn't mean you should..
Just because it's MD5 hashed and you can either crack it or look it up in a rainbow table - doesn't mean you should..
"some minutes" is too long for a single sign-on solution. And your rainbow tables won't work against a long-enough/good-enough password.
Anyways, Moodle really does need to switch to per-password salting (and a stronger hash function).
Anyways, Moodle really does need to switch to per-password salting (and a stronger hash function).
Regardless of how possible/resource intensive this is, it should be highlighted that it is a very bad idea to transmit your passwords over HTTP in plain text from a security point of view. I'd recommend you look for a solution which doesn't require the user's password to be transmitted.
Very bad indeed...and this is only the tip of the iceberg.
Has this been fixed in the export as that's where the real security issue lies as far as I can see. A teacher should not be able to export all users from the site only the courses that they teach on, or is it due to the admin being enrolled on a course which is always a bad idea?
But very alarming.
Nice point James, just because you can, doesn't mean that you should!
I just checked our Moodle install out for vulnerability to this exploit. It turns out we're pretty safe - here's why:
- The vast majority of our accounts are authenticated using LDAP - no passwords stored in Moodle.
- Teachers don't have the capability of enrolling students themselves - this is handled by the flatfile enrolment plugin.
- The passwords that are stored in Moodle are the admin account and test accounts - the former has a strong password, and the latter have no permissions to speak of.
Well, let's relativize it ... this exploit do work if the admin password is within a dictionnary of common words or simple keyboard sequences (azerty, 123456...) which I hope nobody will use
As an example go to a cracker such as http://md5crack.com/crackmd5.php
type in 'dougiamas' and ask him to to generate hash password to get
md5("dougiamas") = e077c758ac5e506015f09d63f0afc11e
then copy/paste e077c758ac5e506015f09d63f0afc11e into the input area and ask him 'crack this hash baby!' to see
Sorry guess we couldn't find it.
So Martin, you are not famous enough to be in a dictionnary
neither me BTW ;-(
As an example go to a cracker such as http://md5crack.com/crackmd5.php
type in 'dougiamas' and ask him to to generate hash password to get
md5("dougiamas") = e077c758ac5e506015f09d63f0afc11e
then copy/paste e077c758ac5e506015f09d63f0afc11e into the input area and ask him 'crack this hash baby!' to see
Sorry guess we couldn't find it.
So Martin, you are not famous enough to be in a dictionnary
This hash seek in video does find "dougiamas" and can handle long passwords like 123456789012345678901234567890 but seems to fail with simple passwords like "teståäö" - we could actually use http://gdataonline.com/seekhash.php in good purpose to test our password MD5 hash strength with some non a-z and 0-9 characters 
In a long run MD5 hashing should be replaced with some better hashing method...
Maybe moodle could have something similar like
http://www.microsoft.com/protect/fraud/passwords/checker.aspx
to test user password strength...
In addition to that, I'd like to remember that moodle currently has a password policy setting where you can impose some constraints on users passwords (minimum length, at least that many digits, at least that many symbols, that many lower case letters, etc.).
You can find it under Administration >> Security >> Site Policies.
Saludos, Iñaki.
So the tools are in moodle already but not in use - Password Policy should be in default value "Yes" and after that change all users should be required to change their passwords to fulfill given rules...
Old weak passwords do work also after Password Policy setting is changed to Yes but it is useless if people are not inquired to change also their old passwords strong enough.
Old weak passwords do work also after Password Policy setting is changed to Yes but it is useless if people are not inquired to change also their old passwords strong enough.
Isn't that already in place with Security#Password_policy//Site_policies#Password_policy?
Drupal uses a jQuery based live password strength check to give the user instant feedback and hints how to improve the password strength (http://api.drupal.org/api/function/_user_password_dynamic_validation/6).
Frank
Drupal uses a jQuery based live password strength check to give the user instant feedback and hints how to improve the password strength (http://api.drupal.org/api/function/_user_password_dynamic_validation/6).
Frank