Not Getting Lost Password Email For Admin Account

[gutterboy]

I have lost my password for my admin account and I used the reset password form but I am not getting any emails. I even tried changing my email in the database to something different and I didn't get anything.

[gutterboy]

Ok, seems the issue was because the from address wasn't a real email address; once I changed it to a real email address it worked fine.

[gutterboy]

Interesting - I think this may have something to do with the license. I just tried it on my "owned" license and it worked, but it will not work on my "dev" license.

 

How do I reset my password on a dev license installation?

[Michael]

Depends where is your development installation? Is the mail server working fine? Both licenses are the same but one is a dev- and not a owned-

[gutterboy]

Yes, all other mails work fine. I get invoices no problems.

[Michael]

Weird then :s.

[gutterboy]

Is there any manual way I can do it? I really need to get in there lol

[Michael]

Is there any manual way I can do it? I really need to get in there lol

 

I'm not sure myself but the Blesta guys can help you.

[flangefrog]

You could try copying the password from another user in the database

[gutterboy]

You could try copying the password from another user in the database

 

Doesn't it use a salt?

[flangefrog]

Doesn't it use a salt?

 

Haven't looked into the password algorithms but each password in the DB has the same string preprended to it which I assume is the salt. That said, two passwords which I know are the same still had a different hash. I tried copying the hash from one user to the other and was able to log in though.

[Michael]

Doesn't it use a salt?

 

bcrypt & SHA something hashing, no salts.

[flangefrog]

Found a good overview of bcrypt, it actually has built in salts: http://stackoverflow.com/a/6833165/1595084 Even though the salt is different for each password you should be able to use the hash in the database for a different user since the salt is stored with the cipher text.

 

This is bcrypt:

Generate a random salt. A "cost" factor has been pre-configured. Collect a password.

Derive an encryption key from the password using the salt and cost factor. Use it to encrypt a well-known string. Store the cost, salt, and cipher text. Because these three elements have a known length, it's easy to concatenate them and store them in a single field, yet be able to split them apart later.

When someone tries to authenticate, retrieve the stored cost and salt. Derive a key from the input password. Encrypt the same well-known string. If the generated cipher text matches the stored cipher text, the password is a match.

Bcrypt operates in a very similar manner to more traditional schemes based on algorithms like PBKDF2. The main difference in its use of a derived key to encrypt known plain text; other schemes (reasonably) assume the key derivation function is irreversible, and store the derived key directly.

Stored in the database, a bcrypt "hash" might look something like this:

$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa

• 2a identifies the bcrypt algorithm version that was used.
• 10 is the cost factor; 210 iterations of the key derivation function are used (which is not enough, by the way. I'd recommend a cost of 12 or more.)
• vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa is the salt and the cipher text, concatenated and encoded in a modified Base-64. The first 22 characters decode to a 16-byte value for the salt. The remaining characters are cipher text to be compared for authentication.
• $ are used as delimiters for the header section of the hash.

[Michael]

Found a good overview of bcrypt, it actually has built in salts: http://stackoverflow.com/a/6833165/1595084 Even though the salt is different for each password you should be able to use the hash in the database for a different user since the salt is stored with the cipher text.

 

 

Don't know if it's that easy see this: http://www.blesta.com/forums/index.php?/topic/996-store-password-in-databse-crypted-an-use-it-in-php/?p=8091

[gutterboy]

Well isn't the point of salts to avoid having users with the same password getting the same hash?

[flangefrog]

Well isn't the point of salts to avoid having users with the same password getting the same hash?

That's one of the reasons, the other is to hinder the use of rainbow tables. Even if each user has the same salt and therefore the same hash, the salt would prevent them from using any previously existing rainbow tables. They could generate a rainbow table for that particular salt though, which is why having a separate salt per user is better as each user would need their own rainbow table (e.g. plain old brute force)

[gutterboy]

That's one of the reasons, the other is to hinder the use of rainbow tables. Even if each user has the same salt and therefore the same hash, the salt would prevent them from using any previously existing rainbow tables. They could generate a rainbow table for that particular salt though, which is why having a separate salt per user is better as each user would need their own rainbow table (e.g. plain old brute force)

 

Well yeah......... pretty useless if users all had the same salt haha...... as then they would have the same hash anyway.

[gutterboy]

Ok, found this: http://www.blesta.com/forums/index.php?/topic/1021-staff-password-reset/

 

All good now after getting the link from the log_emails table.