I need to import users from WordPress to SMF.
I have access to the database, and we have all the password hashes from SMF and WP, but I can't figure out how to convert them so that I can clone accounts across those 2 engines.
Any clue how to do that?
You're not going to be able to. Passwords are hashed in WordPress and SMF and cannot be retrieved.
The best thing to do is just store the password they have now and then send an email out to all people saying that to log in, they'll have to change their password. They won't be able to get in until that's done.
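As an added example, not code from the thread or from either project: the hashes cannot be converted offline, but an importer can carry the WordPress hash along and verify against it on the user's first SMF login, then re-hash into SMF's own format, which avoids locking everyone out until they reset. The WordPress check below follows the public phpass portable-hash algorithm ($P$ prefix, MD5 chain with phpass's own base64); the SMF scheme shown is SMF 2.0's sha1(lowercase member name + password) (SMF 2.1 moved to bcrypt, so substitute its hashing there). The `members` dictionary, `import_wordpress_user` and `login` are stand-ins for the SMF members table and login code, not SMF's API.

```python
import hashlib
import hmac

# phpass alphabet (crypt(3)-style "./0-9A-Za-z" order), used by WordPress $P$ hashes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's base64 variant: 3 bytes -> 4 chars, little-endian bit packing."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Recompute a WordPress portable hash for `password` under the cost and salt in `setting`.

    Layout: "$P$" + cost char + 8-char salt + 22-char encoded MD5 chain (34 chars total).
    WordPress accepts the "$H$" (phpBB) prefix for the same algorithm.
    """
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("unsupported phpass cost")
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_check(password: str, stored: str) -> bool:
    try:
        return hmac.compare_digest(phpass_crypt(password, stored), stored)
    except ValueError:
        return False


def smf2_hash(username: str, password: str) -> str:
    """SMF 2.0 member hash: sha1(strtolower(member_name) . password), hex encoded."""
    return hashlib.sha1((username.lower() + password).encode()).hexdigest()


# Stand-in for the imported SMF members table (assumption): the WordPress hash rides
# in a `legacy` column and SMF's own hash is filled in on the first successful login.
def import_wordpress_user(members: dict, username: str, wp_hash: str) -> None:
    members[username] = {"legacy": wp_hash, "smf": None}


def login(members: dict, username: str, password: str) -> bool:
    rec = members.get(username)
    if rec is None:
        return False
    if rec["smf"] is not None:
        return hmac.compare_digest(rec["smf"], smf2_hash(username, password))
    if rec["legacy"] is not None and phpass_check(password, rec["legacy"]):
        # Password proven against the WordPress hash: re-hash for SMF, drop the legacy hash.
        rec["smf"] = smf2_hash(username, password)
        rec["legacy"] = None
        return True
    return False
```

Users who never log in keep their legacy hash indefinitely, so a cut-off date after which remaining legacy accounts are forced through the reset flow the answer describes is still worth scheduling.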
I'm looking for a way to make Moodle 2.9 include user passwords in the introductory e-mails it sends upon manual upload of a CSV table with new user data.
So far it is sending introductory e-mails with text that is set up in the local_welcome plugin that is configurable via
Plugins/Local Plugins/Moodle welcome
This text contains fields such as [[username]], [[fullname]] which get replaced by the actual values, but no such field as [[password]].
I have tried including both [[password]] and {$a->newpassword} in the text, but neither works: Moodle does not replace these strings with the actual password; they are sent verbatim instead. This happens irrespective of whether the passwords are uploaded via the CSV or generated.
So far I have had no luck finding a solution to this on the web. The official help page on this function is unfortunately empty:
https://docs.moodle.org/29/en/admin/setting/local_welcome
Strangely enough, when I create just one user by hand in Moodle via
Users/Add a new user,
the e-mail it sends to the user is not the one from the plugin local_welcome. A string defined somewhere in the Moodle PHP files is used. This contains the string {$a->newpassword} and it works as expected; the user obtains both username and password.
How do I make bulk upload behave similarly? I'm looking for any doable way to make this work. If my question is not clear, please ask in the comments.
Sending a plain password over email is not secure; that's why Moodle prevents it. While uploading user records you can follow these steps:
enable Generate password and notify user.
or,
set your own password and enable Force password change.
It depends on the configuration of the bulk upload:
Password field: (...) If omitted, a password will be generated for
each user (during the next Cron job) and welcome e-mails sent out.
https://docs.moodle.org/29/en/Upload_users#Fields_that_can_be_included
Just update all existing users with the same password using a CSV file. Then use Moodle welcome to send a bulk email with their different user names using [[username]] and type the default password you chose in the CSV. And it is better to force a password change after first login.
How can we retrieve the Kallithea admin user's password if it has been forgotten? The current setup uses its internal authentication plugin along with the default SQLite database. I can see the encrypted password in the database, but since it's encrypted, it's useless.
As the administrator is a normal user apart from its privileges, you can use Reset Password feature to regenerate (in the current stable release) or to change (in the forthcoming 0.3 release) its password. Even if you don't have email delivery configured, just check the logs — the password reset email is dumped there when there's no email delivery.
I think Kallithea has no easy way of doing this, but when you use the original project, i.e. RhodeCode, there's a nice way to reset your account.
https://docs.rhodecode.com/RhodeCode-Enterprise/admin/reset-information.html#manually-reset-password
I am trying to find the best practices for forgot password functionality via sending a link to reset password i.e. sending an email with a one time token to the registered user. The token will be stored in the database and when the user clicks the link, we check the token and allow the user to set a new password.
Best practices while designing a forgot-password function:
The token must be unpredictable; that's accomplished best with a "really" random code which is not based upon a timestamp or values like the user-id.
Like a password, the token should be hashed before storing it in the database. This makes them useless for an attacker, even if the database is stolen.
The reset-link should preferably be short to avoid problems with email clients, and contain only safe characters 0-9 A-Z a-z (base62 encoded).
The token should have an expiration time within single-digit hours.
The token should be marked as used after the user has successfully set a new password.
When a user changes their password or requests another password reset, expire all tokens already associated with their account.
These are some of the points I found. What other security issues should be considered?
Sources:
Secure password-reset function
Ycombinator News
A couple other practices I've seen:
Check that the user is on the same machine/browser/IP as the one from which the reset password request was triggered (unless it was initiated by admin/system).
Rate-limit number of reset tokens that can be generated for an account.
It should also be noted that the best practice is usually to use an established library rather than inventing your own mechanism, as too many things can be overlooked.
I have the same question and found the OWASP Forgot Password Cheat Sheet.
Also, a few things that I would like to add:
Usually, if the user enters a non-existing email, sites nevertheless show the message "pwd restoration link was sent". This is to prevent hackers from determining that a user with that email exists in the system. But IMHO it's better to tell the user that the email does not exist, because they may not remember the email used during registration.
It is better to add some additional personal question for the user, like a birthday date. If a hacker stole the user's email, it makes it harder to receive the reset link. But since the reset link may be sent to the user by the site admin, the question about the birthday must be on the change password page which is opened by the link.
Hackers may automatically send a lot of letters to some user. Some sites use a CAPTCHA near the email field to prevent this.
After a successful password change all active sessions should be closed and the user must be logged out. Thus even if a hacker is logged in, he will be logged out.
It is a good idea to hash a restoration ticket like a password. The same hashing algorithms as for passwords should be used here: Argon2, scrypt, bcrypt.
After a user restores their password it is good to mark it as possible fraud and for some time (like a week) not allow some critical actions, like withdrawing money from the account.
Also, some sites send a letter to the user that their password was changed. They do this when the user was logged in normally and changed it manually, but maybe it is good to send the same letter when the password was reset.
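An added example, written for this page rather than taken from the thread or the OWASP sheet, that puts the points from the first answer's list and the additions above into one flow: a random base62 token, only its hash stored, single-digit-hour expiry, single use, every outstanding token voided on a new request or a successful reset, a per-account rate limit on requests, and all of the account's sessions terminated on reset. The in-memory dictionaries stand in for database tables and the `now` clock is injectable so expiry can be exercised; these are assumptions, not any framework's API.

```python
import hashlib
import secrets
import time

ALPHABET62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
TOKEN_TTL = 2 * 3600     # seconds; keeps the link within single-digit hours
RATE_WINDOW = 3600       # seconds
RATE_LIMIT = 3           # reset requests per account per window


def base62(data: bytes) -> str:
    """Encode bytes with the mail-client-safe alphabet [0-9A-Za-z]."""
    n = int.from_bytes(data, "big")
    out = []
    while n:
        n, rem = divmod(n, 62)
        out.append(ALPHABET62[rem])
    return "".join(reversed(out)) or "0"


def new_token() -> str:
    # 128 bits from the OS CSPRNG: unguessable and unrelated to time or user id.
    return base62(secrets.token_bytes(16))


def token_fingerprint(token: str) -> str:
    # Only this is stored; a stolen table cannot be turned back into working links
    # because the 128-bit random preimage is not brute-forceable, so a fast hash suffices.
    return hashlib.sha256(token.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> bytes:
    # Passwords are low-entropy, so they get a memory-hard KDF (scrypt) and a per-user salt.
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def verify_password(password: str, stored: bytes) -> bool:
    return secrets.compare_digest(hash_password(password, stored[:16]), stored)


class ResetService:
    def __init__(self, now=time.time):
        self.now = now
        self.passwords = {}   # username -> salted scrypt hash (constructed stand-in table)
        self.tokens = {}      # sha256(token) -> {"user", "expires", "used"}
        self.requests = {}    # username -> timestamps of recent reset requests
        self.sessions = {}    # session id -> username

    def register(self, username, password):
        self.passwords[username] = hash_password(password)

    def login(self, username, password):
        if username in self.passwords and verify_password(password, self.passwords[username]):
            sid = secrets.token_hex(16)
            self.sessions[sid] = username
            return sid
        return None

    def request_reset(self, username):
        """Return the raw token to mail, or None. The caller shows the same
        'if that account exists, a link was sent' message either way."""
        if username not in self.passwords:
            return None
        now = self.now()
        recent = [t for t in self.requests.get(username, []) if now - t < RATE_WINDOW]
        if len(recent) >= RATE_LIMIT:
            return None
        self.requests[username] = recent + [now]
        self._void_tokens(username)          # only the newest link stays valid
        token = new_token()
        self.tokens[token_fingerprint(token)] = {
            "user": username, "expires": now + TOKEN_TTL, "used": False}
        return token

    def redeem(self, token, new_password):
        rec = self.tokens.get(token_fingerprint(token))
        if rec is None or rec["used"] or self.now() > rec["expires"]:
            return False
        user = rec["user"]
        self.passwords[user] = hash_password(new_password)
        self._void_tokens(user)              # marks this token used as well
        self.sessions = {s: u for s, u in self.sessions.items() if u != user}  # log out everywhere
        return True

    def _void_tokens(self, username):
        for rec in self.tokens.values():
            if rec["user"] == username:
                rec["used"] = True
```

The raw token exists only in the mailed link; once the link is used the record is kept but marked used, so a replayed link fails the same way an expired or superseded one does, and the attempt can be logged against the account.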
At the moment I'm building a login script on a PowerShell basis.
This login script should be able to change the user's password on login and change it back to the original on logout.
The problem here being that I want to change the password of a domain user, the same user as the one who is logged in, obviously.
Now I found some neat stuff like the old net.exe, but it all says I don't have the rights to change the password in the domain.
I really can't believe that this is impossible, because the user himself can change the password too.
Otherwise I'd have to find out how to run a login script as a domain admin...
Edit:
OK, I'll try to explain our setup. We have a so-called VMware View environment, in which every user can log in once. Now we have the problem that there are accounts with generally known passwords, and some people find it highly amusing to steal others' sessions. I've thought about it, and making a little script that changes and then resets the password would be a neat little solution. I hope I was of help^^
It would be really helpful if I could get some thoughts on this.
Thanks in advance
This link might help you.
Also, according to the link above, you need to be on the domain controller to use net to change the password (or supply the "/domain" option).
I'm trying to make a login system for my Cocoa app. How would I do this? I know it involves SQL, but I know nothing of SQL. I want the user to register or log in. It would be easier if Apple had source code for this kind of thing, but I don't think they do.
Best Regards,
Kevin
Implement the login system on the server. Then all you have to worry about in your app is:
1. send them to your website via URL to sign up
2. query for a name and password
3. if name and/or password is incorrect more than three times, go to 1
4. user is logged in. Do something.
You can also use the keychain on the iPhone to securely store and retrieve passwords. Here's excellent code from Sci-Fi Hi-Fi. You prompt for a password, store it securely in the keychain for later comparison. Pretty simple. Documentation on the site.