dbdws wrote:
In Joomla 1.5 and 2.5, when I create a user password for admin, is it an md5 password or a salted md5 password by default, or what? I'm not understanding this.
The password that Joomla creates is a salted password that is md5 encrypted. This is true for both the administrators and front end users. If you look in the user table you will see the encrypted password and the salt in the form of password:salt. While I would let Joomla create the passwords, if for some reason you're going to do them offline, then you need to take the desired plain text password, add a random seeded 32 character salt to the password and md5 encrypt it. Then you store the encrypted password and the salt in the database.
Upon login, Joomla takes the user entered password, adds the salt from the password field of the user record that matches the user name entered, and md5 encrypts it. Joomla then compares the result with the encrypted password result stored in the database. If they match, then the user is logged in; if not, it is a login failure.
dbdws wrote:
Also, if I log in to phpMyAdmin and edit an admin user, which of the dropdown password selections should I use for the most secure pw?
Is it best to use an online tool to generate a salted md5 hash pw?
You can, I believe, at this time only use md5, so the best way is to let Joomla create the password.
Be careful of using online password encryption sites. You are not in control of the site you're using, and so they could be recording the password info to put into a database of passwords to try on sites for hacking purposes.
Again, the best way is to let Joomla do it.
Also be very careful in messing around in the database password area. One wrong move and you can render yourself locked out of Joomla admin. What is viewed within the password field of the user table is an md5 encrypted password and salt. The values stored in the database are results of calculations from a known and a random value. Changing these values without knowing what password value created them will totally create a new unknown password and lock you out of your site.
Here is an example of an md5 password generation. This can be done from a script (servers normally have md5 encryption enabled, so it is a simple matter) once a month to change the admin password. md5 passwords are normally 32 characters long.
Randomly generated Password value: nh!G02te5V!Y
Randomly generated salt value:
$&oOuG%2*%l@UWn*0Ma$^nCB^MM3x$%z
which is what we add to the end of the user entered password above before we md5 the new value. So now our user entered password looks like this value:
nh!G02te5V!Y$&oOuG%2*%l@UWn*0Ma$^nCB^MM3x$%z
The md5 result for the above new password text value (password and salt added together) is 32 characters long, which is a function of md5 itself. Anyway, this is a generated value that is related to the two values above: 1e86f0e3747554809835186ba5e1d919
We take the md5 encrypted password value above and the salt to store in the database and separate the two values by a colon so we can split them later:
1e86f0e3747554809835186ba5e1d919:$&oOuG%2*%l@UWn*0Ma$^nCB^MM3x$%z
If you take the password value and add the random salt to it, then run it through an md5 encryption, you will see it matches the password part of the encryption. If you do the same with a different password (abc123) and using the same salt, you will see it does not match the encrypted password part.
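The generation and login check described in the reply above, as an added example written for this thread (not Joomla's own code and not from the original post): it builds the legacy Joomla 1.5/2.5 `md5hash:salt` row, verifies an entered password against it in constant time, and fails closed on a malformed row. The demo values reuse the post's password and salt so you can check the post's numbers yourself; the hex salt generator used when no salt is supplied is an assumption of this example, not Joomla's generator.

```python
# Added example: legacy Joomla 1.5/2.5 "md5(password + salt):salt" scheme.
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN = 32  # the post describes a 32-character salt after the colon


def joomla_hash(password: str, salt: str) -> str:
    """md5 of the password with the salt appended, hex-encoded (32 chars)."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def make_stored_password(password: str, salt: Optional[str] = None) -> str:
    """Build the 'hash:salt' value stored in the users table.

    Without a salt, one is generated here as 32 hex characters
    (an assumption of this example; Joomla uses its own generator).
    A salt containing ':' is rejected because the row is split on ':'.
    """
    if salt is None:
        salt = secrets.token_hex(SALT_LEN // 2)
    if len(salt) != SALT_LEN or ":" in salt:
        raise ValueError("salt must be exactly 32 characters with no ':'")
    return f"{joomla_hash(password, salt)}:{salt}"


def verify_password(entered: str, stored: str) -> bool:
    """Split the stored 'hash:salt', re-hash the entered password with that
    salt and compare in constant time. Anything malformed is a login failure."""
    parts = stored.split(":", 1)
    if len(parts) != 2 or len(parts[0]) != 32 or not parts[1]:
        return False
    stored_hash, salt = parts
    return hmac.compare_digest(joomla_hash(entered, salt), stored_hash)


if __name__ == "__main__":
    # Values taken from the post above; constructed demo, not a live site.
    password = "nh!G02te5V!Y"
    salt = "$&oOuG%2*%l@UWn*0Ma$^nCB^MM3x$%z"
    stored = make_stored_password(password, salt)
    print("stored row:", stored)
    print("correct password:", verify_password(password, stored))
    print("abc123:", verify_password("abc123", stored))
```

Later Joomla releases replaced this scheme with a stronger password hash; this example only reproduces the 1.5/2.5 behaviour the thread is about.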