balaji2u
New Member
- Messages
- 410
- Reaction score
- 2
- Points
- 0
I had my network security exams coming on next week i thought its usefull to explain about how password hashing are done in some cms applications like word press , joomla etc..
The strength of passwords, as well as their encryption mechanism, is crucial for the security of database driven applications. If you own a website constructed on a ready-made content management system architecture, the back-end administration password will always be protected by using a certain type of encryption mechanism.
In the case of the WordPress platform, as well as in that of many other content management systems, passwords are stored in the database encrypted with the MD5 encryption algorithm. This way, anyone who would crack the MySQL database login system, would not find out the plain text version of the password because MD5 is a one-way encryption algorithm. As a consequence, the login password necessary to access the WordPress administration panel cannot be recovered, just reset.
If you happen to forget the login password for a known username associated to a certain WordPress installation, there are a few methods to reset it. The simplest one would be to use the automatic script that requires you to know the username and a corresponding valid email address existing in the MySQL database.
In case the PHP installation does not have the email function enabled or the email address is not valid, the manual reset procedure must be performed. You will need an MD5 hash generator (there are many of them free and available online like Epleweb, for example) and administrative rights for the MySQL database containing WordPress data.
By using a MySQL database manager like phpMyAdmin or MySQL Query Browser, select the table called wp_users from the WordPress database, and then click the browse button and select the record that you need to edit. In the user_pass field, the MD5 hash value corresponding to the plain text version of your password must be pasted and the modifications must be saved. The password can be also reset with the help of a script.
In conclusion, it is recommended you choose an easy to remember password for your WordPress user account, one that you must change often. In case that none of the password reset mechanisms work, you will have to reinstall the WordPress application.
I would like to salute Mr.Elselver who developed a very usefull plugin for wordpress which makes password encryption in WP an extremely higher level..
The plugins name is Login Encrypt what it actually does is.
It uses a complex combination of DES and RSA. It was first developed by ELSERVER for securing login in the hosting control panel, and then released as a WordPress plugin. The way it works (fast explanation):
* A Javascript appended to the wp-login generates, each time a user logs in, a unique DES key. Using that key, the password of the user is encrypted.
* The Javascript encrypts the DES unique key using the RSA public key (generated when the plugin is activated).
* The encripted password and the encrypted DES unique key are sended to the server.
* A hook when login in checks if a encrypted DES unique key is received. If does, decrypts it using the secure RSA private key.
* Then, decrypts the password using the DES unique key.
if you need more info about cryptography or other encryption strategies like Digital Signature standards,Data encryption standard,RC4,RSA,AES,IDEA etc just PM me .. :drool:
The strength of passwords, as well as their encryption mechanism, is crucial for the security of database driven applications. If you own a website constructed on a ready-made content management system architecture, the back-end administration password will always be protected by using a certain type of encryption mechanism.
In the case of the WordPress platform, as well as in that of many other content management systems, passwords are stored in the database encrypted with the MD5 encryption algorithm. This way, anyone who would crack the MySQL database login system, would not find out the plain text version of the password because MD5 is a one-way encryption algorithm. As a consequence, the login password necessary to access the WordPress administration panel cannot be recovered, just reset.
If you happen to forget the login password for a known username associated to a certain WordPress installation, there are a few methods to reset it. The simplest one would be to use the automatic script that requires you to know the username and a corresponding valid email address existing in the MySQL database.
In case the PHP installation does not have the email function enabled or the email address is not valid, the manual reset procedure must be performed. You will need an MD5 hash generator (there are many of them free and available online like Epleweb, for example) and administrative rights for the MySQL database containing WordPress data.
By using a MySQL database manager like phpMyAdmin or MySQL Query Browser, select the table called wp_users from the WordPress database, and then click the browse button and select the record that you need to edit. In the user_pass field, the MD5 hash value corresponding to the plain text version of your password must be pasted and the modifications must be saved. The password can be also reset with the help of a script.
In conclusion, it is recommended you choose an easy to remember password for your WordPress user account, one that you must change often. In case that none of the password reset mechanisms work, you will have to reinstall the WordPress application.
I would like to salute Mr.Elselver who developed a very usefull plugin for wordpress which makes password encryption in WP an extremely higher level..
The plugins name is Login Encrypt what it actually does is.
It uses a complex combination of DES and RSA. It was first developed by ELSERVER for securing login in the hosting control panel, and then released as a WordPress plugin. The way it works (fast explanation):
* A Javascript appended to the wp-login generates, each time a user logs in, a unique DES key. Using that key, the password of the user is encrypted.
* The Javascript encrypts the DES unique key using the RSA public key (generated when the plugin is activated).
* The encripted password and the encrypted DES unique key are sended to the server.
* A hook when login in checks if a encrypted DES unique key is received. If does, decrypts it using the secure RSA private key.
* Then, decrypts the password using the DES unique key.
if you need more info about cryptography or other encryption strategies like Digital Signature standards,Data encryption standard,RC4,RSA,AES,IDEA etc just PM me .. :drool:
