
As everyone knows, Drupal stores passwords using a SHA2 method which involves Encryption + Hashing + Salt.

I have a list of passwords which are currently used by some of my clients in Drupal. Since we have migrated the whole system to custom PHP, we are unable to use the same passwords, and we really don't want to ask everyone in the database to generate a new password.

Is there any way we could change all the passwords which are in SHA2 (Drupal - 512 Encryption) to support our new system, which currently uses MD5/SHA1 (PHP MySQL database)?

Any help would be appreciated.

  • No, there isn't any way to convert them without user interaction. Is the new system so locked that you can't just use the same hashing as the old one? MD5 is insecure and SHA1 is also questionable already. – Sami Kuhmonen Jul 16 '16 at 13:18
  • We don't want to ask any of our users to reset their passwords. Since the new system is designed by us, we have complete control over choosing the algorithm for our passwords. The whole point of doing this is that our passwords, which were in Drupal, are not working in the MySQL-based version. – Chintan Jain Jul 16 '16 at 13:22
  • I don't understand "MySQL based compatible." The database just stores values, how does it affect the authentication? Isn't the authentication happening in your code? – Sami Kuhmonen Jul 16 '16 at 13:23
  • Let's say one of our users has the password "testmylogin"; Drupal would give us the hashed password based on its SHA2 algorithm. However, we want our users to still use their old passwords. All the hashed passwords are currently available in our database (as you said earlier), but there isn't any way we could do the authentication based on this. – Chintan Jain Jul 16 '16 at 13:27
  • Why not? You grab the exact algorithm from Drupal and use that on your new site. Problem solved, all passwords work as before and no need for any weaker hashes. – Sami Kuhmonen Jul 16 '16 at 13:29
  • Password hashing is getting a lot more standardized these days. There are consistent identifiers like `$2y$10$....` which encode which algorithm is used as well as any difficulty tuning that's relevant. – tadman Jul 16 '16 at 13:30
  • http://stackoverflow.com/questions/5031662/what-is-drupals-default-password-encryption-method – Sami Kuhmonen Jul 16 '16 at 13:30
  • Welcome to Stack Overflow! You should never use a simple hash function to protect your users' passwords. You need to use a strong hashing scheme like PBKDF2, bcrypt, scrypt or Argon2. Be sure to use a high cost factor/iteration count. It is common to choose the cost so that a single iteration takes at least 100ms. See more: [How to securely hash passwords?](http://security.stackexchange.com/q/211/45523) – Artjom B. Jul 16 '16 at 18:38
  • You would be a fool to move from SHA2 to MD5. Do not do it. You aren't a security expert. Don't do it. For the love of god. – Luke Joshua Park Jul 16 '16 at 22:55
  • @LukePark this is a new user as of today for one thing. Perhaps you can rephrase things in the future. – Drew Jul 16 '16 at 23:11
  • @Drew Normally I would, but when it comes to security, there are just too many people doing it wrong and then I suffer for it. A bit more weight behind my words might make them actually listen. I appreciate your point of view, however. – Luke Joshua Park Jul 16 '16 at 23:12
  • @LukePark and junk answers are bothersome too, which lead to [this](http://stackoverflow.com/questions/38297105/mysql-real-escape-string-not-working-for-this-specific-example-mysql-real-escap?noredirect=1#comment64014116_38297105) – Drew Jul 16 '16 at 23:14
  • You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 18 '16 at 21:09

4 Answers


You really do not want to go to MD5. It's dead as far as a password hashing method goes. You should be moving to password_hash and something like Bcrypt at the absolute minimum.

Remember, when someone logs in and you verify their password is correct that's your chance to update how the password is hashed in the database. If they're using a weak method, switch to a strong one and save their user record. Nobody will know what you've done.

After a year or so you can always force-expire all the old-format passwords if you're concerned about that lingering liability. All of your active users will be unaffected.

tadman

I wouldn't suggest changing to another password format and especially not MD5. Since you already have the passwords you can implement the Drupal password hashing in your own application and just continue using the existing passwords.

More information about the password formats can be found for example in this question.

Sami Kuhmonen

I think you should use a 'transition'. For example, use your new system but leave the old password in the database.

In your code, on user login you get the password (ex: $_POST['pwd']) and crypt it using a strong algorithm (not MD5). Then you can insert it into a new field of your database.

So your new database could have a field 'old_pwd' that contains the old password and a field 'pwd' that contains the new password using your new algorithm. In my opinion, this is the easiest way to do this migration.

Anthony

Password checking code is pretty similar in Drupal 7 and 8 and easy to borrow; it does not have any strong dependency on Drupal components. It should be pretty easy to add support for Drupal's hashes to your password checking code, allowing users to authenticate using their passwords by storing Drupal's hashes in your database.

To migrate to your new hashing algorithm, simply re-hash passwords on successful authentication. This way, old hashes will be replaced over time.

Drupal has a similar mechanism to ensure transparent updates of old MD5 hashes. Look at user_check_password() and user_needs_new_hash() to see how it could be done.

Pierre Buyle
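To make the "borrow Drupal's check, then re-hash on successful login" approach from the two answers above concrete, here is an added example (not code from the question, from any answer, or from Drupal itself): a stand-alone PHP port of Drupal 7's `$S$` verification (phpass-style iterated SHA-512 with Drupal's own base64 alphabet, including the `U$` prefix Drupal adds to hashes upgraded from Drupal 6), followed by a login function that accepts either a legacy hash or a `password_hash()` hash and upgrades the legacy one while the plaintext is available. The `users.uid` / `users.pass` table layout and the function names are assumptions.

```php
<?php
// Added example: port of Drupal 7's $S$ check plus upgrade-on-login (assumed
// schema: users(uid, pass)). Not Drupal's code; verify against drupal's
// password.inc before relying on it in production.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Drupal's base64 variant (phpass alphabet, no padding).
function drupal_b64(string $in): string {
    $n = strlen($in); $out = ''; $i = 0;
    do {
        $v = ord($in[$i++]);
        $out .= ITOA64[$v & 0x3f];
        if ($i < $n) { $v |= ord($in[$i]) << 8; }
        $out .= ITOA64[($v >> 6) & 0x3f];
        if ($i++ >= $n) { break; }
        if ($i < $n) { $v |= ord($in[$i]) << 8; }
        $out .= ITOA64[($v >> 12) & 0x3f];
        if ($i++ >= $n) { break; }
        $out .= ITOA64[($v >> 18) & 0x3f];
    } while ($i < $n);
    return $out;
}

// Recompute the hash from the stored setting (cost + salt) and compare in constant time.
function drupal7_check(string $password, string $stored): bool {
    if (substr($stored, 0, 2) === 'U$') {        // D6 md5 hash re-wrapped during D7 upgrade
        $stored = substr($stored, 1);
        $password = md5($password);
    }
    if (substr($stored, 0, 3) !== '$S$' || strlen($stored) !== 55) { return false; }
    $setting = substr($stored, 0, 12);           // "$S$" + cost char + 8-char salt
    $log2 = strpos(ITOA64, $setting[3]);
    if ($log2 === false || $log2 < 7 || $log2 > 30) { return false; }  // Drupal's cost bounds
    $count = 1 << $log2;
    $hash = hash('sha512', substr($setting, 4, 8) . $password, true);
    do { $hash = hash('sha512', $hash . $password, true); } while (--$count);
    return hash_equals($stored, substr($setting . drupal_b64($hash), 0, 55));
}

// Login path: accept both formats; replace a legacy hash the moment it is verified.
function login_and_upgrade(PDO $db, int $uid, string $stored, string $password): bool {
    $legacy = preg_match('/^U?\$S\$/', $stored) === 1;
    $ok = $legacy ? drupal7_check($password, $stored) : password_verify($password, $stored);
    if ($ok && $legacy) {
        $stmt = $db->prepare('UPDATE users SET pass = :pass WHERE uid = :uid');
        $stmt->execute([':pass' => password_hash($password, PASSWORD_DEFAULT), ':uid' => $uid]);
    }
    return $ok;
}
```

Once every active account has logged in at least once, the remaining `$S$` rows are exactly the dormant accounts tadman suggests force-expiring later.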