WordPress: wp_users. Cannot access our website. Password is not resent. - wordpress

We may have been hacked, as one of our links now goes to a dodgy site.
1. wp_users in our db: I checked our user_login, user_pass, user_email etc...
I use them to try to log in to our WordPress account and it says one of them is incorrect, would you like to reset the password, but we never receive anything in our inbox - not in junk mail, not anywhere etc...
As I say, in our db everything is correct.
How am I supposed to regain my password?

You can change the password directly in phpMyAdmin, but you will need to convert it to an MD5 hash string first. Just google "md5 hash generator", enter a password to convert, then paste the converted string into the password field for the desired user in the database.
Then, once you are logged in, change the password in wp-admin to make sure everything works as it should.

Related

How to get WordPress password using hash and salt key?

I forgot my WordPress admin password, but I am able to get into my DB and have the hashed password, and I also have the salt key from my wp-config.php file.
Does anyone know how I can get my password back from the above details?
I tried the "forgot password" thing, but I never got an email to reset the password.
Open localhost/phpmyadmin
Open the database, then the table wp_users
Edit the corresponding row of the user
Copy and keep the old password (for backup)
Edit the field `user_pass` and type the value
Change Type to MD5 and then update the row.
You can reset your password using the database password field.
Go to your database users table.
Find the password field. It appears as a hash.
Generate a new hash using this generator, http://www.danstools.com/md5-hash-generator/
Replace it with the new hash.
Input a new password and generate its hash.
Then update the password column in the user table through the MySQL database with the newly generated hash.
After that you can log in to the backend using the new password.

Resend old password to user's email in WordPress

On a blog of mine, a user asked me if I could tell him his password for that account, which happens to be the same password he used on multiple accounts, on an email which was deactivated - the point is he needs that specific password.
Since the only option in the WordPress Dashboard is to change the password, I had to look in phpMyAdmin, under the wp_users table, at his password. The thing is, the password is encrypted under WordPress's unique encoding hash, phpass I believe, since it starts with $P$B. If it were 2008 again and WordPress still used MD5 to encode passwords in SQL tables, it would have been easier.
From my knowledge I know that a phpass password can't be decrypted, naturally, since it's a one-way encryption method. The only way would be to brute-force it, which is out of the question.
And then I thought about resending the user an e-mail containing the password. I searched the plugins page and found one named 'Re-send Welcome e-mail', which still resets it eventually.
I think that this method is plausible, because if I change the password in the wp_users table with another one encoded in phpass, he can log in with the new one, so WordPress somehow verifies it by encoding or decoding it, or by encoding it and comparing the hash of the password entered with the one already present in the wp_users table, under that user's row.
Is there a plugin available or a workaround for this situation? I overthought the whole situation and now I'm out of solutions which are in my league of knowledge.
The whole idea of hashing is that you can't read the password. So no, you can't resend or retrieve the password from a hashed string, short of trying brute force.
http://en.wikipedia.org/wiki/Cryptographic_hash_function
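The three threads above turn on the same two facts: WordPress still accepts a bare MD5 in `user_pass` (and silently upgrades it to a phpass `$P$` hash on the next successful login, which is why the phpMyAdmin trick works), and a `$P$B` hash is a salted, 8192-round MD5 chain that can only be checked, not reversed. The following is an added example, not code from any of the posts or from WordPress itself: a Python port of the phpass portable-hash routine together with the MD5-fallback logic of `wp_check_password()`, so you can see exactly what "verifies by hashing and comparing" means and what the database looks like before and after the upgrade. The function and variable names are my own, the `$P$`-only handling is a simplification (the real phpass class hands other prefixes to `crypt()`), and the sample passwords are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# phpass's own alphabet: NOT standard base64, and the bit packing differs too.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """Port of PasswordHash::encode64(): packs `count` bytes little-endian, 6 bits per char."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def _crypt_private(password: bytes, setting: str) -> str:
    """Port of PasswordHash::crypt_private(), the $P$ 'portable' hash.

    setting = "$P$" + cost char + 8-char salt (a full stored hash works too; the tail is ignored).
    The cost char indexes ITOA64, so "$P$B" means 1 << 13 = 8192 rounds of MD5.
    """
    if setting[:3] not in ("$P$", "$H$"):
        return "*0"                       # phpass returns an invalid marker that can never match
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return "*0"
    salt = setting[4:12].encode()
    if len(salt) != 8:
        return "*0"
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):      # stretching loop: md5(previous_digest || password)
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def wp_hash_password(password: str, salt_bytes: Optional[bytes] = None) -> str:
    """What wp_hash_password() stores: PasswordHash(8, true) gives cost char ITOA64[8 + 5] == 'B'."""
    if salt_bytes is None:
        salt_bytes = secrets.token_bytes(6)   # 6 random bytes become the 8-character salt
    setting = "$P$" + ITOA64[8 + 5] + _encode64(salt_bytes, 6)
    return _crypt_private(password.encode(), setting)


def legacy_md5(password: str) -> str:
    """What phpMyAdmin's 'MD5' dropdown (or MySQL's MD5()) writes into user_pass."""
    return hashlib.md5(password.encode()).hexdigest()


def wp_check_password(password: str, stored_hash: str) -> Tuple[bool, Optional[str]]:
    """Mirror of wp_check_password(): returns (matches, replacement_hash_or_None).

    Anything 32 chars or shorter is treated as a pre-2.5 plain MD5; when it matches,
    WordPress immediately rehashes with phpass. That is why the phpMyAdmin MD5 reset
    works exactly once and the row then holds a $P$ hash again.
    """
    if len(stored_hash) <= 32:
        if hmac.compare_digest(stored_hash, legacy_md5(password)):
            return True, wp_hash_password(password)
        return False, None
    candidate = _crypt_private(password.encode(), stored_hash)
    return hmac.compare_digest(candidate, stored_hash), None


if __name__ == "__main__":
    stored = wp_hash_password("correct horse battery staple")   # constructed sample password
    print(stored, wp_check_password("correct horse battery staple", stored))
    print(wp_check_password("correct horse battery staple", legacy_md5("correct horse battery staple")))
```

The equivalent of the phpMyAdmin step in plain SQL is an `UPDATE wp_users SET user_pass = MD5('...') WHERE user_login = '...'`, which is the 32-character value the first branch of `wp_check_password` accepts. Note that the salt lives inside the `$P$` string itself (characters 5 to 12), so the "salt key" constants in wp-config.php play no part in `user_pass` and do not help recover anything.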

send hashed password to user after registering the user

I modified the register user control with my custom fields. This control doesn't have a password field. I am generating the password randomly with the Membership.GeneratePassword() method. I am sending an email to the user after registering using the Membership.GetUser(username).GetPassword() method. Everything is fine when I keep passwordFormat=Clear in the web.config file. Now I want to change to passwordFormat=Hashed. But if I use passwordFormat=Hashed then it is unable to retrieve the password. Bottom line is I want to send the user the password, which is a hashed one. What is the workaround for this? I am searching on Google, but no suitable answers were found. I would be grateful if anyone could lend a helping hand.
I followed these link1, link2 but didn't give any solution.
As far as I am aware it's not possible to derive the plain text password from the hashed password stored in the database. If you need to send the plain text password via e-mail then you will need to keep track of it separately.
Depending on how your code is written it could just be as straightforward as saving the result of Membership.GeneratePassword() to a string variable and ensuring you send that in the e-mail and not any password values retrieved from the database.

Plain text password vs autologin

A customer of ours complained about login password recovery using a plain-text password. The only workaround I know is auto-login with an encrypted username and password in the query string.
What other options exist to increase the password recovery security?
Thanks.
You can send them a URL that lets them reset the password themselves.
You could create a database table that stores, at the very minimum, a user id and a hash value.
Send the user a link that includes the hash, and on the receiving page look up the associated information and allow the user to reset the password to the account. Which I'm hoping you store in the database as a hash value. Plain text passwords should never be stored or sent out.
Just be sure that the link either expires or is deactivated once the password is changed. Otherwise someone could visit that link whenever they want and change the password.
Along the same lines as Brandon's excellent answer, here is what we do:
Do not store passwords in plain text, or even a decryptable value. Always store passwords using a 1-way hashing algorithm. This means only the user can ever know what the plain-text password is.
When a user forgets their password, present them with a form where they enter their email address, and click submit.
When they submit their email address, create a table row with 2 major pieces: The first is a password reset token (we use a Guid for this). The token should be timestamped, so that you know when it was created, and when it expires (ours expire within 2 hours of submission). The second piece is a secret code that the user will have to enter in order to reset their password.
Send an email to the user, with a link to a page that will accept the token and secret code. When they click the link (or visit the page and enter the code manually), you can then present them with a page that lets them change their password without knowing its previous value.
Using a time-constrained token is a good idea, because if the user's email account is later compromised, the criminals can't use the email to reset the password -- assuming of course that the email account is not compromised within 2 hours of the password reset request.
I wouldn't send out the actual password of the account in plain text to the user's email address. The reason for this is that if someone hacked the user's email account, they now have their actual password. Most likely this password is used for other systems as well.
The alternative is to send an encrypted querystring that links to that user and allow them to change their password based on some sort of security question or demographics you have specific to that user.
Facebook uses a matching of friends images to names. If you have their DOB and address you could use that (not that secure). Or you could set up specific security question and answers which would be better.

Problem when password resetting in ASP.NET

I am developing an app in which I have to design a page for users who forget their passwords and email them their new passwords. I am using ASP.NET Membership and the password format should be Hashed.
My problem is that when sending the mail fails, the password has already been changed, and wow! nothing works any more.
What is your solution?
You should send users an email with a link, where they can confirm the password reset (otherwise you could reset other users' passwords by guessing their emails). On the linked page users would then confirm the password reset (or even change it themselves).
But it's a better practice not to send passwords in any way shape or form. It's the most secure.
The process
Users request password reset by their email.
They receive an email with a link
They click the link and provide a new password that gets hashed right away and stored in the system.
You could temporarily set the passwordFormat value for affected users to "Clear" in the aspnet_Membership table, assign them a password, and then work on getting the e-mail working.
Setting the aspnet_Membership.passwordFormat value to 0 changes the format to Clear text, which means it's not encrypted. It's not secure, but will allow login. After that, you can reset the password and it'll be changed back to 2 (Encrypted).
The user should change their password again, and hopefully the email will succeed.
If they entered an incorrect address, they should contact an administrator who can correct their email address.
If it is possible to tell if an e-mail is successfully sent before you actually commit the change to the database this would be a good option. This isn't always the case, but maybe it could work for your application.
Usually, in my experience, ASP will throw an exception if the e-mail fails. If this happens, don't do anything in the DB; if the mail goes through, then change the password. That doesn't mean they will get the e-mail, but you can't account for problems in transit of the e-mail anyway. The option above would apply after this fails. ;)
I don't know the support for such a feature in ASP.NET.
But some websites send you an email with a link to click (that expires in some days). Clicking it confirms that you are committing to that action (i.e. the password is changed only after they receive the email and click the link they received).
ASP.NET also supports the question and secret answer approach to password recovery if email doesn't work.
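The two threads above ("Plain text password vs autologin" and "Problem when password resetting") describe the same design from two angles: a random reset token that expires and dies after one use, a link that lets the user pick a new password that is stored only as a one-way hash, and an ordering in which nothing about the account changes unless the mail was actually accepted. The following is an added example of that flow, not code from any of the answers and not tied to ASP.NET Membership (it is plain Python so the logic can be run and tested offline). The class and function names, the two-hour TTL, the PBKDF2 parameters, the reset URL and the sample user are all my own assumptions; the mail sender is a stand-in callable that raises `EmailFailed` when delivery is refused.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

TOKEN_TTL_SECONDS = 2 * 60 * 60   # the two-hour window one of the answers above uses (assumed)
PBKDF2_ROUNDS = 200_000           # assumed work factor


def hash_password(password: str) -> str:
    """One-way, salted: the only representation the user table ever holds."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


class EmailFailed(Exception):
    """Raised by the mail sender stand-in when delivery is refused."""


@dataclass
class ResetRequest:
    user_id: int
    token_hash: str        # SHA-256 of the token: a leaked copy of this table yields no usable links
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Reset-by-link flow: random single-use token, hard expiry, and no state change
    unless the mail was accepted, so a failed send can never lock the user out."""

    def __init__(self, users: Dict[str, dict], send_email: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self.users = users                              # {email: {"id": int, "password_hash": str}}
        self.by_id = {u["id"]: u for u in users.values()}
        self.requests: Dict[str, ResetRequest] = {}     # token_hash -> request (the reset table)
        self.send_email = send_email
        self.clock = clock

    @staticmethod
    def _hash_token(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> bool:
        """Always reports success, so the form cannot be used to enumerate registered addresses."""
        user = self.users.get(email)
        if user is None:
            return True
        token = secrets.token_urlsafe(32)               # 256 random bits: unguessable without a second code
        req = ResetRequest(user["id"], self._hash_token(token), self.clock() + TOKEN_TTL_SECONDS)
        try:
            # Hypothetical URL; the raw token appears only in the mail, never in the database.
            self.send_email(email, f"https://app.example/reset?token={token}")
        except EmailFailed:
            return True                                  # nothing stored, nothing changed, user can retry
        self.requests[req.token_hash] = req              # commit only after the mail was accepted
        return True

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consumes the token and installs the new password; any failure leaves the account untouched."""
        req = self.requests.get(self._hash_token(token))   # look up by hash, so only digests are compared
        if req is None or req.used or self.clock() > req.expires_at:
            return False
        req.used = True                                  # deactivate first, so a replay cannot reuse the link
        self.by_id[req.user_id]["password_hash"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    outbox = []   # constructed mail sink
    users = {"alice@example.invalid": {"id": 1, "password_hash": hash_password("old-password")}}
    svc = PasswordResetService(users, lambda to, body: outbox.append((to, body)))
    svc.request_reset("alice@example.invalid")
    link_token = outbox[0][1].split("token=")[1]
    print(svc.complete_reset(link_token, "new-password"), svc.complete_reset(link_token, "again"))
```

Two points the code makes that the prose only hints at: storing the SHA-256 of the token rather than the token means a read of the reset table (the very thing the first question's site may have suffered) does not hand out working links, and marking the request used before writing the new hash closes the small window in which the same link could be submitted twice.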
