Authentication

Password Encryption

 
Picture of Naresh Kumar
Password Encryption
 
I was just wondering if it would be possible to decrypt the password of the user. Even the algorithm used for the encryption of the password would be helpful to me. I would appreciate any help regarding the encryption method being used.
 
Average of ratings: -
Picture of Iñaki Arenaza
Re: Password Encryption
Passwords are MD5 hashes of the real passwords. This has been enhanced in the latest development version (I'm not sure it's been backported to latest stable version) with 'salt' characters, to make it harder to break the passwords (MD5 can be broken under certain conditions, given enough computing power).

Saludos. Iñaki.
 
Average of ratings: -
Picture of Dan Stowell
Re: Password Encryption
 
The "salting" is in Moodle 1.6, IIRC.

@Naresh: As Inaki says, the passwords are hashed using MD5, which is a "one-way" algorithm - it's specifically designed so that it's not possible to go backwards from the hash to the original password. You should never have a reason to want to do this, anyway. If a user forgets their password, reset it to something new for them.

It is actually possible to crack password hashes, mainly by using brute-force attacks (trying every possible password and seeing if it hashes to the same thing as the password you're after) or dictionary attacks (trying every possible password from a plausible subset such as English words). This is only possible if you have direct access to the hashes and to the "salt" (if used), and even then it takes an awful lot of computing time - as the password length increases beyond 6 characters it becomes unfeasible to crack.
 
Average of ratings: Useful (1)
Picture of Bart Kemps
Re: Password Encryption
 

I'd like to add Moodle to an existing Asp.Net-site, so I need to sync user accounts somehow.

I will most probably alter my C# validation procedure. So instead of accessing my existing user database, I'll access the Moodle database, checking if

Hashfunction(name,password) equals the value in the database.

So I need to know how the hashing is implemented. I understand it uses a standard MD5-algorithm. And you wrote the "salting" in Moodle 1.6 is IIRC.

So would this be correct?:

Hashfunction(string name, string password)
{
  string Hash = "IIRC";
  return MD5(Hash + password);
}

 
Average of ratings: -
Picture of Wilder Fioramonte
Re: Password Encryption
 
According to my experience with Moodle 1.9.7, you should put the variable Hash after the password:

Hashfunction(string name, string password)
{
string Hash = "IIRC";
return MD5(password + Hash);
}
 
Average of ratings: -
Picture of Alex Rapsomanikis
Re: Password Encryption
 

For anyone looking as I was.
In Moodle 2 the password is encrypted like this:

md5(password + salt);

e.g:

$password = "test";
$salt = "+-0`~@NN{e=oX+~QEbL#Wv!FNUMxs~DU"; // found in config.php
md5($password.$salt);

Hope this helps!

 
Average of ratings: Useful (2)
Picture of Tom Adair
Re: Password Encryption
 

This might well be what I was looking for!

Going to try if it works for me.

Thanks for posting this!

 
Average of ratings: -
Picture of ganesh babu k
Re: Password Encryption
 

Thanks. Please tell me how I can prevent users from reading the articles in Moodle without paying.

 
Average of ratings: -
Picture of mahi merugu
user access problem
 

Hi,


I am Mahender from India. I am using Moodle in my organisation. I have some offline servers in some areas and I am uploading the data to the central server from the backend, but I cannot access users in the application. So, please can somebody help to sort out this problem?

Thanks in Advance 

 
Average of ratings: -
Picture of Max De Mendizábal
Re: Password Encryption
 

One of the main objectives of the MD5 hash algorithm is the impossibility of recovering the original string. So, theoretically it is impossible to recover the original password using the MD5 string stored in the Moodle database.

I found it very useful to write a script in Perl to reset a user password from the command line of the server. Here it is:

 

#!/usr/bin/perl -w
# set.moodle.pw.pl
# It's easier to change the password on the command line

use strict;
use DBI;
use Digest::MD5 qw(md5 md5_hex);

my $dbhost = 'localhost';
my $dbname = 'moodle';
my $dbuser = 'user';
my $dbpass = 'pass';

die("Usage: set.moodle.pw username password\n") if @ARGV != 2;
my ($username, $password) = @ARGV;

# Copy the $CFG->passwordsaltmain from the config.php file
my $passwordsaltmain = 'your_password_salt_main';

# Connecting, selecting database
my $dbh = DBI->connect("dbi:Pg:dbname=$dbname", $dbuser, $dbpass)
    or die('Cannot connect to database: ' . $DBI::errstr);

# md5_hex() concatenates its arguments, so this is md5(password . salt)
my $hash = md5_hex($password, $passwordsaltmain);

# Placeholders keep the username and the hash out of the SQL text,
# so a quote in the username cannot change the statement
my $sSql = 'UPDATE mdl_user SET password = ? WHERE username = ?';
print "User: $username\n";
print "$sSql\n";
my $sth = $dbh->prepare($sSql) or die $dbh->errstr;
my $result = $sth->execute($hash, $username) or die $sth->errstr;
print "Updated $result account\n" if ($result > 0);
$dbh->disconnect;
1;

------------------------------------------------------

I hope it works for you too.

 
Average of ratings: -
Picture of jason goodwin
Re: Password Encryption
 

MS SQL Server 2008 solution: (I apologize for the formatting but I can't submit the post without injecting the slash into the declaration due to a firewall rule.  Just remove the slash from each declaration and it'll work.)

DECLAR/E @salt VARCHAR(32)
DECLAR/E @password VARCHAR(32)
DECLAR/E @varbinary_hash VARBINARY(MAX)
DECLAR/E @hash VARCHAR(32)

SET @salt = 'YOUR_SITE_SALT_HERE'
SET @password = 'USER_PASSWORD_HERE'
SET @varbinary_hash = HASHBYTES('MD5', @password + @salt)
SET @hash = LOWER(CONVERT(VARCHAR(MAX), @varbinary_hash, 2))

 
Average of ratings: -
Picture of Amar Kumawat
Re: Password Encryption
 

How do I apply the salt hash technique in Moodle 1.9?
I added the new salt in config.php, keeping the old one, but it's still not working.
i.e. Old salt:
$CFG->passwordsaltalt2 = '3gjeQ+dA(xGOVrYTzssMiAhR[(G~v!c/(4~z';
New salt:
$CFG->passwordsaltmain = '+uSzm8#9hckHQlhr%:T&jRbp61@Wmc`5>(GaKNqM:DAG[';
Would appreciate any help regarding the salted hash.

 
Average of ratings: -
Picture of Amar Kumawat
Re: Password Encryption
 

Still no reply from anyone (regarding the salt hash technique in Moodle 1.9).

Waiting for a reply as it's urgent.
Please, can anyone let me know where and what I have to change (is it anything in PHP) so it works?

Thanks & regards,
Amar kumawat

 
Average of ratings: -
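The md5(password + salt) check discussed in this thread, written as an external verifier that also handles a changed site salt. This is an added example, not code from any poster or from Moodle; it assumes the legacy check tries passwordsaltmain, then an unsalted MD5, then passwordsaltalt1 to passwordsaltalt20 (an assumption about Moodle 1.9 that this page does not confirm), and its salts and stored hash are constructed.

```python
import hashlib
import hmac

MAX_ALT_SALTS = 20  # assumption: passwordsaltalt1..passwordsaltalt20 are consulted


def legacy_hash(password, salt=""):
    """md5(password . salt) as lowercase hex, the scheme quoted in the thread."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def verify_legacy(password, stored, main_salt="", alt_salts=None):
    """Return 'main', 'unsalted' or 'alt<N>' for the salt that matches, else None."""
    candidates = [("main", main_salt)] if main_salt else []
    candidates.append(("unsalted", ""))
    for n in range(1, MAX_ALT_SALTS + 1):
        salt = (alt_salts or {}).get(n)
        if salt:
            candidates.append((f"alt{n}", salt))
    matched = None
    want = stored.lower().encode("utf-8")
    for label, salt in candidates:
        # Constant-time comparison of the two hex digests.
        same = hmac.compare_digest(legacy_hash(password, salt).encode("utf-8"), want)
        if same and matched is None:
            matched = label
    return matched


def needs_rehash(matched):
    """A login that only verified under an old or empty salt should be re-stored."""
    return matched is not None and matched != "main"


# Constructed sample configuration and stored value (not values from the thread).
OLD_SALT = "constructed-old-site-salt"
NEW_SALT = "constructed-new-site-salt"
STORED = legacy_hash("test", OLD_SALT)  # hash written before the salt changed

if __name__ == "__main__":
    how = verify_legacy("test", STORED, NEW_SALT, {2: OLD_SALT})
    print(how, needs_rehash(how))
```

Because the salt is site-wide, two users with the same password still get the same stored hash, which is why a match under an old or empty salt is flagged for re-storing rather than left in place.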