Is database password encryption different between 2.n & 3.n? Topic is solved
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Apprentice
- Posts: 16
- Joined: Wed Feb 15, 2012 5:11 pm
Is database password encryption different between 2.n & 3.n?
I used the SQL command line (from server root) to set the password to the (full) database (used by several sites on this server), an act which required using the PASSWORD() function. (MariaDB refuses to use MD5() on a field set to hold passwords.)
After I did this, the Joomla! 3.n sites still worked, but all those pre-3 sites now fail to get access to the database. One site says "You are not authorised [sic] to view this resource." The others simply show the homepage, but without menus, breadcrumbs, etc., and if you try to go directly to an article, you get that not-authorized message there, too.
The problem I notice is that Joomla! uses/expects the old, insecure MD5() function, particularly when dealing with site administrators' passwords.
Is this normal? And is there any way around it? Those pre-3 sites cannot be migrated to later versions (owners don't have the resources).
And, before anyone suggests:
(1) no, no file or directory permissions changed;
(2) changing passwords within the Joomla! tables has no effect [MD5() is required: it breaks when using PASSWORD()];
(3) changing the '==' to '=' within the test in the login php script did not fix anything;
(4) administrator logins on all non-3.n Joomla! sites accept the correct user/password, but simply loop back to the login screen;
(5) the value(s) in configuration.php for each of those sites is correct—the main password is the same as the one used for the whole database (only the encryption function changed);
(6) changing config.inc.php didn't change the bad behavior, whether setting user and password, or setting it to allow connections without password.
Thanks for any help!
After I did this, the Joomla! 3.n sites still worked, but all those pre-3 sites now fail to get access to the database. One site says "You are not authorised [sic] to view this resource." The others simply show the homepage, but without menus, breadcrumbs, etc., and if you try to go directly to an article, you get that not-authorized message there, too.
The problem I notice is that Joomla! uses/expects the old, insecure MD5() function, particularly when dealing with site administrators' passwords.
Is this normal? And is there any way around it? Those pre-3 sites cannot be migrated to later versions (owners don't have the resources).
And, before anyone suggests:
(1) no, no file or directory permissions changed;
(2) changing passwords within the Joomla! tables has no effect [MD5() is required: it breaks when using PASSWORD()];
(3) changing the '==' to '=' within the test in the login php script did not fix anything;
(4) administrator logins on all non-3.n Joomla! sites accept the correct user/password, but simply loop back to the login screen;
(5) the value(s) in configuration.php for each of those sites is correct—the main password is the same as the one used for the whole database (only the encryption function changed);
(6) changing config.inc.php didn't change the bad behavior, whether setting user and password, or setting it to allow connections without password.
Thanks for any help!
- pe7er
- Joomla! Master
- Posts: 24985
- Joined: Thu Aug 18, 2005 8:55 pm
- Location: Nijmegen, Netherlands
- Contact:
Re: Is database password encryption different between 2.n & 3.n?
In the past Joomla indeed used MD5 for encrypting its passwords. Since Joomla 3.2 Joomla uses BCrypt: https://docs.joomla.org/How_to_disable_ ... ds_feature
When a user logs in (in Joomla 3.2 or higher) and their password is still MD5 encrypted, it will be converted to a BCrypt encrypted password.
As far as I know there's no fix for Joomla 2.5 that does the same. And support for Joomla 2.5 ended December 2014, so almost 6 years ago: https://docs.joomla.org/Joomla!_CMS_versions
When a user logs in (in Joomla 3.2 or higher) and their password is still MD5 encrypted, it will be converted to a BCrypt encrypted password.
As far as I know there's no fix for Joomla 2.5 that does the same. And support for Joomla 2.5 ended December 2014, so almost 6 years ago: https://docs.joomla.org/Joomla!_CMS_versions
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
- Per Yngve Berg
- Joomla! Master
- Posts: 30930
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Is database password encryption different between 2.n & 3.n?
Is the version of php updated on the server?
J2.5 does not run on php 7.x
You must stay on 5.6
As those old php versions are removed from the server by your host, you will no longer be able to run the 2.5 sites.
J2.5 does not run on php 7.x
You must stay on 5.6
As those old php versions are removed from the server by your host, you will no longer be able to run the 2.5 sites.
-
- Joomla! Apprentice
- Posts: 16
- Joined: Wed Feb 15, 2012 5:11 pm
Re: Is database password encryption different between 2.n & 3.n?
The versions of php available on the server have been updated to include 7.x, but 5.6 wasn't removed. 7.x is the preferred version. I can still access the databases, with all the Joomla! tables and rows.
Sorry, this extends my original question, but, is there a way/is it possible to backup and remove the site's database, slip an installation of Joomla! 3.x onto that site, then update the database with the values from the original site? It's the menus and articles that I'm mainly concerned about.
All the installations of Joomla have been so stable, I've never (ever) had to contend with any breaks.
Og hilsen fra Amerika til mine norske fettere!
Sorry, this extends my original question, but, is there a way/is it possible to backup and remove the site's database, slip an installation of Joomla! 3.x onto that site, then update the database with the values from the original site? It's the menus and articles that I'm mainly concerned about.
All the installations of Joomla have been so stable, I've never (ever) had to contend with any breaks.
Og hilsen fra Amerika til mine norske fettere!
-
- Joomla! Apprentice
- Posts: 16
- Joined: Wed Feb 15, 2012 5:11 pm
Re: Is database password encryption different between 2.n & 3.n?
BTW 1, at least 3 of the sites involved were set up 7 years ago, and have been running without problem, till now. It's not going to be easy to convince the owners they need to upgrade...
BTW 2, the MySQL command-line op to set the phpMyAdmin password was completely standard:
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('new_password');
The "new_password" is exactly the same as that in the configuration.php in the web directory of each of the sites.
BTW 2, the MySQL command-line op to set the phpMyAdmin password was completely standard:
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('new_password');
The "new_password" is exactly the same as that in the configuration.php in the web directory of each of the sites.
- Per Yngve Berg
- Joomla! Master
- Posts: 30930
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Is database password encryption different between 2.n & 3.n?
It's unclear weather the issue is the username and password that Joomla uses to login to the database or the user table in Joomla for users that you login to Joomla with.
What @pe7er is talking about is users defined in Joomla.
Is the database version been updated? Cannot Joomla access the database?
https://docs.joomla.org/Joomla_and_MySQL_8
I don't know which version of MariaDB that correspond to Mysql 8.
Note: Using root user in the database is not a good idea. Create a separate user for the site.
Are all sites updated to Joomla version 2.5.28?
What @pe7er is talking about is users defined in Joomla.
Is the database version been updated? Cannot Joomla access the database?
https://docs.joomla.org/Joomla_and_MySQL_8
I don't know which version of MariaDB that correspond to Mysql 8.
Note: Using root user in the database is not a good idea. Create a separate user for the site.
Are all sites updated to Joomla version 2.5.28?
-
- Joomla! Apprentice
- Posts: 16
- Joined: Wed Feb 15, 2012 5:11 pm
Re: Is database password encryption different between 2.n & 3.n?
PROBLEM SOLVED.
It is a bug with the way the CentOS server I'm on will mistakenly propagate a resetting of the default PHP version throughout all the existing vsites, despite the fact that they already have specific PHP versions set, versions that are still installed, working and should be readily available.
Once the default PHP version was set back from 7.0 to 5.6, the Joomla! errors of all its versions (and those errors being expressed by some other software that had been installed on some vsites) disappeared.
It is a bug with the way the CentOS server I'm on will mistakenly propagate a resetting of the default PHP version throughout all the existing vsites, despite the fact that they already have specific PHP versions set, versions that are still installed, working and should be readily available.
Once the default PHP version was set back from 7.0 to 5.6, the Joomla! errors of all its versions (and those errors being expressed by some other software that had been installed on some vsites) disappeared.
- pe7er
- Joomla! Master
- Posts: 24985
- Joined: Thu Aug 18, 2005 8:55 pm
- Location: Nijmegen, Netherlands
- Contact:
Re: Is database password encryption different between 2.n & 3.n?
Great! Good to hear that you've solved it. Thanks for sharing your solution!
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com