I want to disable salt for the user passwords. Is it possible, so that password will be stored only using MD5. If not, then where will I get the salt value, so that I change it. Please help me
Hi Ashish,
if you only want to be able to reset a password in the user table, you just can use simple md5() encoding. The salt is added later while the first login.
Best regards
Andreas
The salt value is in 'config.php': $CFG->passwordsaltmain = ...
If you change it, you should also add: $CFG->passwordsaltalt1 = '[insert previous salt here]'; By adding this, the existing passwords will still work (those that stored with the previous salt value).
You can also add $CFG->passwordsaltalt2, etc. when you next change the salt (for whatever reason).
Out of curiosity, what are you hoping to achieve by disabling / changing the salt value?
Hi Ashish,
Since version 2.5, the password salting method has changed:
http://docs.moodle.org/25/en/Password_salting
From Moodle 2.5 onward Moodle automatically generates and adds a different salt for each individual user. This is more secure and means that a site-wide configuration variable for the salt is no longer required for new installations of 2.5 or greater.
You might also want to check the following thread:
https://moodle.org/mod/forum/discuss.php?d=235504#p1023177
---
The password salt is used to increase the security of a site, so why would you want to disable it?
Hello Guillermo,
Thanks for the information
Actually, I want to create a script that will insert few records in mdl_user table. So I'll have to convert the password into the format, so moodle can authenticate users. I tried Md5 and bcrypt and compared the password stored in mdl_user table, but they didn't match. Hence, I guess it must be adding some salt, so is there anyway to find the salt value in moodle 2.5 or completly disable it.
If your script for inserting users is in PHP, then you could 'require_once' the main Moodle config.php, then you would have access to the function 'hash_internal_user_password', which will generate the password field for you.
You could also consider using the built-in user upload functionality, or even insert the users into a separate database and then use the auth/db/cli/sync_users.php script to copy them into the Moodle database.
Or a webservice. I would strongly discourage from attempting to inject user records directly to Moodle database.
Hello David,
Thank you everybody for helping me.
I'm creating a normal php form with details like domain name, customer name, and logo. Once the form is submitted, I'll setup the new subdomain/account on Amazon AWS on the fly. So, I'll setup the cron which will be running every min. Once the account is setup, the moodle files will be copied along with DB tables. Now, here I want to create 2-3 users. Hence, I need to insert these users directly in mdl_user table.
Hi Shish,
as I said before you only need zo encode the new passwords with the simple md5 function from your database.
During the first login of that new account moodle reencodes the hash in the background into the new format.
So all is fine.
Best regards Andreas
Hello Andreas,
Thank you for the help. Now, I need to start studying core files of moodle so, I can overide them and make changes as per my requirement. I need to build site like open2study.com which is based, they have many modification. Could you please help me, from where I start and approximately how much it could take?
Hi Ashish,
Did you check the references I put at: https://moodle.org/mod/forum/discuss.php?d=235504#p1098645 ?
To create the correct pasword string you can use the https://quickhash.com/ site, just make sure you select the Blowfish / crypt(3) / $2y$ algorithm.