Salt & password


Wildhorse

Value of this forum.  

4 members have voted

Can someone please explain how to create the salt and password using phpMyAdmin?

Is the salt truly a random number (6 chars?) or is it based upon some other field (or fields) in the admin user record? If it is based on other fields, which ones and what function (encryption) is used?

Re: the password, once the salt is generated (whether random or encrypted) is it prepended or appended to the plain text password? In other words, if the salt is 123456 and the desired password is PassWord, is the value entered into the password field 123456PassWord or PassWord123456? And again, what encryption function is used to process the plain text password to get the encrypted password?

A REAL explanation of this would really help a lot of people, especially since the "Request Password" function seems to be a joke (as is so much of CubeCart).

Link to comment
Share on other sites

Why do you wish to override the built-in feature and do this in phpMyAdmin?

The code uses MD5 to create a 1-way hash of the password. The salt is randomly generated.

It sounds like you misunderstand the function of this forum. This is for peer-to-peer support. Moderators are unpaid and receive no benefits. Support is from helpful other users, who provide this out of goodwill.

If you need technical support, then the option is to purchase a support plan or contact a commercial developer at CubeCartForums.org.

The best way to get a response here is NOT to add sarcastic comments, and simply to explain the background to your question and provide as much info as possible.

Thank you

Jason

Link to comment
Share on other sites

Can someone please explain how to create the salt and password using phpMyAdmin?

Once you get into the table and table cells that hold the salt and password for a given customer record, enter a random number into the salt cell. Remember what you typed in. (See edit below.) Near the cell's boundaries, there will be an indication of sorts that will enable you to apply a function against the contents. I've been told there is a drop-down of some sort. Expose the list of functions (click a down-arrow?) and select MD5. Copy this 32-character value somewhere (a simple text editor will do). Now replace the MD5 value with the original salt value you first entered.

Do the exact same thing in the Password field, entering a known password. MD5 it. Copy the MD5 value to the end of the MD5'd salt value so that you now have a 64 character long value. Paste that back into the password field and MD5 that.

Your final password should now take the form of a 32-character value that is the MD5 of... the MD5'd salt with the MD5'd password appended. The salt field should be the random number you chose.

Is the salt truly a random number (6 chars?)
Yes.
or is it based upon some other field (or fields) in the admin user record?
No.

A REAL explanation of this would really help a lot of people,
I hope the above helps.
especially since the "Request Password" function seems to be a joke

Could you elaborate on the difficulty?

* Are you not receiving a new password by email? (The email address must be on-record and the new pass will be sent there.)

* You are receiving the email but the new password doesn't work?

* The captcha anti-bot device is preventing the Forgot Password page from working? (Needs JavaScript working.)

EDIT: Go here for a visual tutorial for CC3, but the process is nearly identical for CC4. It seems phpMyAdmin gives you the MD5 value after you hit the Go button. Also, you don't need to use phpMyAdmin to get your MD5s. There are plenty of MD5 converters on the web.

(Ignore the fact that the conversation is about "No Administration Session was found.")

Link to comment
Share on other sites
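The procedure in the answer above, worked through as an added example (not part of the original posts and not CubeCart's own code): it computes the value for the password field as that post describes it and sets it beside the two layouts the question guesses at, so a stored value can be matched to the layout that produced it. The function names are hypothetical, and the 6-digit numeric salt is an assumption taken from the question.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    """Lowercase 32-character hex MD5, the form MySQL's MD5() returns."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_salt(length: int = 6) -> str:
    """Random numeric salt; 6 digits is an assumption taken from the question."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


def stored_hash(salt: str, password: str) -> str:
    """MD5 of (MD5'd salt with the MD5'd password appended), per the answer."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


def layouts(salt: str, password: str) -> dict:
    """The two layouts the question guesses at, next to the one described."""
    return {
        "md5(salt+password)": md5_hex(salt + password),
        "md5(password+salt)": md5_hex(password + salt),
        "md5(md5(salt)+md5(password))": stored_hash(salt, password),
    }


def identify_layout(salt: str, password: str, stored: str):
    """Name the layout that reproduces a stored value, or None if none does."""
    for name, digest in layouts(salt, password).items():
        if hmac.compare_digest(digest, stored.strip().lower()):
            return name
    return None


if __name__ == "__main__":
    salt, password = "123456", "PassWord"  # constructed values from the question
    print("salt field:    ", salt)
    print("password field:", stored_hash(salt, password))
    for name, digest in layouts(salt, password).items():
        print(f"{name:32} {digest}")
```

MD5 is fast to compute, so a salted MD5 value gives little protection if the table leaks; the example reproduces the scheme from the thread only to reset or check a record.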

Your answer is EXACTLY why I posted the poll. Instead of giving some real help, you sarcastically ask me why I would want to do something that YOU BELIEVE works. Although I didn't state it this way, it's obvious from my statements that I'm having a problem with the "Request Password" function.

Instead of answering my question, you take the easy way and repeat what has been said time and again in this forum and in the manual. When a person sees the same problem (issues with admin logins) posted over and over, it warrants some deeper answers.

I have no idea who you are or your relationship to CC. It does seem to me that some of the responses come from CC employees and it does seem that they sometimes tout "the company line", encouraging people to spend money for support. I have no problem spending money for support and/or expertise (I do it virtually every day), but only after I've made reasonable efforts in other places. And when a forum exists supposedly to assist CC users, sometimes some in-depth explanations are warranted.

Compare your response to bsmither's response. He made a REAL effort to explain not only a solution, but the theory behind it. I would suggest that the size of the forum would be reduced considerably if more answers were as detailed as his.

To bsmither, there seems to be something amiss with my "Request Password" function. I do get an email with a new password, but when the new password is used, CC just returns me to the admin login screen. No message about an incorrect login, just a return to the login screen. Since I was having this problem, I thought it might be worthwhile to try a different approach. In addition, it certainly doesn't hurt to understand as much about the program as possible. Thanks for your detailed response. I'll post the results so everyone who reads this will benefit from the detailed information.

BTW, I am guilty of leaving out information: CC version 4.3.8, PHP 5.2.10, MySQL 5.1.34, phpMyAdmin 3.2.0.1, running on a dedicated FreeBSD server (not a virtual server or a hosting service) and Apache 2.2.3

Link to comment
Share on other sites

I do get an email with a new password, but when the new password is used, CC just returns me to the admin login screen. No message about an incorrect login, just a return to the login screen.

Well, I am pretty good with CC3, not so much with CC4. But I would like you to try any or all of these:

* Go to the login screen. In the browser's address bar, manually change the URI part that says 'login' to 'logout' and click your browser's Go There button (or press return). That should cause CC4 to log you out if you have any stray cookies on your machine that are keeping you from creating another admin session. May have to do this two or three times.

* Find and manually delete any cookies in your browser related to the domain of your store.

* (If you have triggered CC's "Brute Force Blocker" function, and even though you should have received a message saying so) In phpMyAdmin, see if your admin user record has anything in the 'failLevel' (should be 1) and 'blockTime' (should be 0) fields.

* Try logging in on another computer that is not using any kind of cookie blockers. (Including IE7/8)

I've looked at CC4 login code and can't (yet) determine a scenario that would send you back to the login screen with no messages. Is this a trial CC4 install? Have you had your store for a while and this just happened? Have you activated your license for CC4? (Don't know if that makes a difference.)
