
Password Hashing Algorithm #2342

Closed
apmuthu opened this issue Apr 22, 2017 · 21 comments

Comments

@apmuthu

apmuthu commented Apr 22, 2017

Changing a user's password in ChurchCRM v2.7.0 (and some if not all versions earlier as well) directly from the MySQL command prompt is done by:

UPDATE `user_usr` SET `usr_Password` = SHA2(CONCAT("Hello123", usr_per_ID),256) WHERE usr_UserName = 'Admin';

The SHA256 hash of the plain text password concatenated with the usr_per_ID field is what is stored in the user_usr.usr_Password field.
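As an added illustration (not ChurchCRM code, and not part of the original post), the PHP below reproduces the scheme the SQL above relies on, SHA-256 of the password concatenated with usr_per_ID, and then runs a wordlist against a constructed dump of user_usr. The usernames, per_IDs, passwords and wordlist are made up for the example; the point is that usr_per_ID is also in the dump, so it gives a dump-holder nothing to work around:

```php
<?php
// Added example, not ChurchCRM code. Reproduces SHA2(CONCAT(password, usr_per_ID), 256)
// in PHP and shows why usr_per_ID is a weak salt: anyone holding a dump of
// user_usr also holds every "salt", so guessing costs one fast SHA-256 per
// (candidate, user) pair and nothing forces the attacker to slow down.
declare(strict_types=1);

function legacyHash(string $password, int $perId): string
{
    // MySQL CONCAT() renders the integer per_ID in decimal and SHA2(...,256)
    // returns lowercase hex, which is exactly what PHP produces here.
    return hash('sha256', $password . $perId);
}

function legacyVerify(string $password, int $perId, string $storedHash): bool
{
    return hash_equals($storedHash, legacyHash($password, $perId));
}

// Constructed sample of a user_usr dump (names, IDs and passwords are invented).
$dump = [
    ['usr_UserName' => 'Admin', 'usr_per_ID' => 1, 'usr_Password' => legacyHash('Hello123', 1)],
    ['usr_UserName' => 'Alice', 'usr_per_ID' => 7, 'usr_Password' => legacyHash('changeme', 7)],
];

// Constructed wordlist. With the dump in hand, the "salt" for each row is the
// per_ID sitting next to the hash, so each guess is a single cheap hash.
$wordlist = ['password', 'changeme', 'Hello123', 'letmein'];

$cracked = [];
$attempts = 0;
foreach ($dump as $row) {
    foreach ($wordlist as $candidate) {
        $attempts++;
        if (legacyVerify($candidate, $row['usr_per_ID'], $row['usr_Password'])) {
            $cracked[$row['usr_UserName']] = $candidate;
            break;
        }
    }
}

printf("%d SHA-256 evaluations, %d of %d accounts recovered\n", $attempts, count($cracked), count($dump));
foreach ($cracked as $user => $pw) {
    printf("  %s -> %s\n", $user, $pw);
}
```

Run it with `php legacy_dump.php` (any file name works). The per-user ID does stop a single precomputed table from covering every account at once, which is all a salt is for; it does not make each guess expensive, and it is not secret, which is the gap the rest of this thread is about.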

@crossan007 (Contributor)

Can you elaborate on what you would like to be done here?

It may be good to add a salt to the password.

@apmuthu (Author)

apmuthu commented Apr 22, 2017

I wanted it to be part of the documentation for now and a salt would be the desired way forward. The absolute MySQL means like above should be listed for resetting purposes.

@crossan007 (Contributor)

+1

@DawoudIO (Contributor)

@apmuthu we have a salt... it is the user_id, so each user has its own salt

@crossan007 (Contributor)

@DawoudIO the salt should not be calculable based on data in the DB. Maybe stored in config.php.

@apmuthu (Author)

apmuthu commented Apr 22, 2017

Yes, but usable as a fixed string in an sql statement.

@DawoudIO (Contributor)

sorry guys, why can't the salt be in the db... I'm unsure of the core issue here

@apmuthu (Author)

apmuthu commented Apr 23, 2017

Anyone with the core dump of the db will have access to the application if the salt is in the table. Hence the salt should be in the config file. For convenience, it should be insertable into an SQL statement without having to rely on PHP functions.

@crossan007 (Contributor)

crossan007 commented Apr 24, 2017

@DawoudIO I was just going through a PHP application security course on Pluralsight - One of the "defense in depth" strategies mentioned is to salt sensitive data destined for the database with a salt that is not stored in the database.

If SQL injection or other database compromise is exploited, this will add a layer of protection.

It's not perfect, and it's not the whole solution, but it is a piece of the solution.
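The "salt that is not stored in the database" described above is usually called a pepper. As an added example (not ChurchCRM code and not from any commenter), the PHP below keeps a secret pepper outside the database, runs the password through HMAC-SHA256 under that pepper, and hands the result to bcrypt, which adds its own random per-user salt. The pepper value, constant name and cost are assumptions for illustration; in a real deployment the pepper is generated once with random_bytes() and loaded from config.php or the environment:

```php
<?php
// Added example, not ChurchCRM code. A secret pepper kept outside the DB,
// combined with bcrypt's per-user random salt. PEPPER_HEX is a constructed
// value; generate your own once (bin2hex(random_bytes(32))) and load it from
// config.php or an environment variable, never from a table.
declare(strict_types=1);

const PEPPER_HEX = '3b0f2d3c5d8c1b6e2f4a7c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b';
const BCRYPT_COST = 12;

function prehash(string $password, string $pepper): string
{
    // Keyed hash of the password under the secret pepper. Hex output never
    // contains a NUL byte (bcrypt stops at the first one) and is 64 chars,
    // inside bcrypt's 72-byte input limit, so long passwords are not silently
    // truncated either. Plain "pepper . password" concatenation has both problems.
    return hash_hmac('sha256', $password, $pepper);
}

function hashPassword(string $password, string $pepper): string
{
    // password_hash() generates the 128-bit per-user salt itself and stores it
    // in the $2y$ string; the pepper is the only secret and lives elsewhere.
    return password_hash(prehash($password, $pepper), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyPassword(string $password, string $pepper, string $stored): bool
{
    return password_verify(prehash($password, $pepper), $stored);
}

$pepper = hex2bin(PEPPER_HEX);
$stored = hashPassword('Hello123', $pepper);

var_dump(verifyPassword('Hello123', $pepper, $stored));        // right password, right pepper
var_dump(verifyPassword('Hello124', $pepper, $stored));        // wrong password
// An attacker with the dump but without the pepper cannot confirm a guess,
// even the correct one, because the bcrypt input depends on the secret key.
var_dump(verifyPassword('Hello123', random_bytes(32), $stored));
```

Two operational caveats follow from the design: losing the pepper locks every user out, since no stored hash can be verified without it, and rotating it means every password must be rehashed on the user's next successful login (or kept verifiable against a list of old peppers), so back it up with the same care as a private key.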

@Adnan0703

how about bcrypt?

bcrypt is a hashing algorithm which is scalable with hardware (via a configurable number of rounds). Its slowness and multiple rounds ensure that an attacker must deploy massive funds and hardware to be able to crack your passwords. Add to that per-password salts (bcrypt REQUIRES salts) and you can be sure that an attack is virtually infeasible without either a ludicrous amount of funds or hardware.

bcrypt uses the Eksblowfish algorithm to hash passwords. While the encryption phase of Eksblowfish and Blowfish are exactly the same, the key schedule phase of Eksblowfish ensures that any subsequent state depends on both salt and key (user password), and no state can be precomputed without the knowledge of both. Because of this key difference, bcrypt is a one-way hashing algorithm. You cannot retrieve the plain text password without already knowing the salt, rounds and key (password).

http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php
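To show bcrypt in the position this thread is about, here is an added example (not ChurchCRM code, and not from the linked answer) of a login check that verifies bcrypt hashes, still accepts the legacy SHA-256(password . usr_per_ID) form during a migration, and rewrites the row to bcrypt on the first successful login, rehashing again later if the cost setting is raised. The table and column names follow the SQL earlier in the thread; the PDO/SQLite setup, cost of 12 and the sample account are assumptions for a self-contained run:

```php
<?php
// Added example, not ChurchCRM code. Verifies bcrypt ($2y$) hashes, accepts the
// legacy SHA-256(password . usr_per_ID) form during migration, and upgrades the
// stored hash to bcrypt the first time the legacy form verifies.
declare(strict_types=1);

const BCRYPT_COST = 12;   // assumed; raise it as hardware gets faster

function isBcrypt(string $stored): bool
{
    // password_get_info() reports 'bcrypt' for $2y$ strings and 'unknown'
    // for the bare hex the legacy scheme stores.
    return password_get_info($stored)['algoName'] === 'bcrypt';
}

function dummyVerify(string $password): void
{
    // Spend one bcrypt verification on unknown users too, so the response time
    // does not reveal whether the username exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    password_verify($password, $dummy);
}

function checkAndUpgrade(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT usr_per_ID, usr_Password FROM user_usr WHERE usr_UserName = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        dummyVerify($password);
        return false;
    }

    $stored = $row['usr_Password'];
    if (isBcrypt($stored)) {
        if (!password_verify($password, $stored)) {
            return false;
        }
        // True only if the stored hash was made with a lower cost than BCRYPT_COST.
        $needsRewrite = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    } else {
        // Legacy form: lowercase SHA-256 hex of password concatenated with usr_per_ID.
        $legacy = hash('sha256', $password . $row['usr_per_ID']);
        if (!hash_equals($stored, $legacy)) {
            return false;
        }
        $needsRewrite = true;   // we have the plaintext right now, so migrate
    }

    if ($needsRewrite) {
        $upd = $db->prepare('UPDATE user_usr SET usr_Password = :h WHERE usr_UserName = :u');
        $upd->execute([
            ':h' => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
            ':u' => $username,
        ]);
    }
    return true;
}

// Self-contained demo on an in-memory SQLite table with constructed data.
// Against MySQL only the DSN and credentials change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_usr (usr_UserName TEXT PRIMARY KEY, usr_per_ID INTEGER, usr_Password TEXT)');
$db->exec("INSERT INTO user_usr VALUES ('Admin', 1, '" . hash('sha256', 'Hello123' . 1) . "')");

var_dump(checkAndUpgrade($db, 'Admin', 'wrong'));      // wrong password, row untouched
var_dump(checkAndUpgrade($db, 'Admin', 'Hello123'));   // legacy hash verifies, row rewritten
var_dump($db->query("SELECT usr_Password FROM user_usr WHERE usr_UserName = 'Admin'")->fetchColumn());
var_dump(checkAndUpgrade($db, 'Admin', 'Hello123'));   // verified by bcrypt this time
var_dump(checkAndUpgrade($db, 'nobody', 'Hello123'));  // unknown user, same cost as a miss
```

The legacy branch exists only for the transition; once every active user has logged in once, or after a deadline that forces the stragglers through a reset, drop it so a future dump cannot contain any fast-hash rows at all.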

@crossan007 (Contributor)

The author of the Pluralsight​ course recommended bcrypt for this purpose.

@Adnan0703

Adnan0703 commented Apr 24, 2017

with bcrypt, it'll be very difficult to crack even one password.

@Adnan0703

> The absolute MySQL means like above should be listed for resetting purposes.

For resetting you can get password hash using phptester or something else:

/**
 * Note that the salt here is randomly generated.
 * Never use a static salt or one that is not randomly generated.
 *
 * For the VAST majority of use-cases, let password_hash generate the salt randomly for you
 */

$options =  [
	'cost' => 10
];
echo password_hash('new password here', PASSWORD_BCRYPT, $options);

And the sql:

UPDATE `user_usr` SET `usr_Password` = '$2y$10$cVZZOhJ9TE9gTboOcJyLue/xP6RbHXGeAMvgOZFZuS5ppjKT5f6L6' WHERE usr_UserName = 'Admin';

@apmuthu (Author)

apmuthu commented Apr 25, 2017

The idea was to use it exclusively within MySQL without having to revert to PHP - something like:

UPDATE `user_usr` SET `usr_Password` = SHA2(CONCAT("Hello123", "special_random_unique_salt"),256) WHERE usr_UserName = 'Admin';

@DawoudIO (Contributor)

It is good to have that documented, I'm hoping to have a user reset password feature this week

@crossan007 crossan007 modified the milestone: Backlog Jul 14, 2017
@DawoudIO DawoudIO removed this from the Backlog milestone Oct 29, 2017
@calvodioni

I have it running on WAMP, Windows 10 version, but I can't log in. I have typed the password from the database, including the 256 hash password, but no results. What gives?

@apmuthu (Author)

apmuthu commented May 3, 2020

It is possible that the Password algorithm has changed in the meanwhile.
What version of WAMP, PHP, MySQL, Apache are you using, and do you have the necessary OpenSSL and various hashes enabled in your server stack? Also, what version of ChurchCRM are you using?

Use the discussions in this thread to determine the current algorithm from the code.

@calvodioni

I have WAMP 3.19, PHP 7.2.18, Apache 2.39, MySQL 5.7.26, Windows 10, ChurchCRM 4.03. I even added a new user to the MySQL database and still cannot access it. I edited the hashed password and saw it is "changeme", but that did not work either. I can get to the login screen, but that's where it gives me the error of wrong password and that the account is locked.

@MrClever (Collaborator)

MrClever commented May 4, 2020

@calvodioni & @apmuthu - please don't comment on closed issues. Instead, open a new issue and reference this old one if you believe it provides context/relevance to your support need. The only thing I will add to this is the password reset process has been documented on our wiki for a very long time:
https://github.com/ChurchCRM/CRM/wiki/Reset-Password

If you are still having problems, open a new issue. Please do not add any further comments to this ticket (which also means don't reply to the Github email notification too 👍🏻)

@ChurchCRM ChurchCRM deleted a comment from haitianman May 13, 2024