Mysql Import Passwords

[Evaske]

Hi,

 

It seems that if you do a backup of Blesta and then import it on another installation that the passwords no longer work and all need resetting? Is there something I need to do to make them all work again? Bit annoying if all clients have to then reset their password by email.

[Tyson]

This wouldn't be a bug as your other installation is using a different key when hashing passwords. Your system key (set in the Blesta config file) needs to be the same, otherwise all encrypted data will be unrecoverable.

[Paul]

You need to enable legacy password support in config/blesta.php http://docs.blesta.com/display/user/Configuration

 

Blesta 2 uses MD5 passwords for user accounts. Blesta 3.0 uses bcrypted HMAC SHA 256 passwords. Enabling legacy support allows clients with imported MD5 passwords to login.. and once they do, they are converted to the new password format.

 

We suggest enabling legacy password support, and then disabling it after a reasonable amount of time.

[Evaske]

  On 9/29/2013 at 7:57 PM, Paul said:

You need to enable legacy password support in config/blesta.php http://docs.blesta.com/display/user/Configuration

 

Blesta 2 uses MD5 passwords for user accounts. Blesta 3.0 uses bcrypted HMAC SHA 256 passwords. Enabling legacy support allows clients with imported MD5 passwords to login.. and once they do, they are converted to the new password format.

 

We suggest enabling legacy password support, and then disabling it after a reasonable amount of time.

 

What about when I exported my Blesta 3 passwords. Are these MD5 or as Tyson said simply a case of me changing a system key so that the 3.0 export works on a new import.

 

Is this value stored in the database anywhere so I can see what it was on the old installation?

[Paul]

  On 9/29/2013 at 9:34 PM, Evaske said:

What about when I exported my Blesta 3 passwords. Are these MD5 or as Tyson said simply a case of me changing a system key so that the 3.0 export works on a new import.

 

Is this value stored in the database anywhere so I can see what it was on the old installation?

 

If you originally imported from 2.5, the passwords as stored in Blesta 3 will be the same MD5 hashes unless/until the user logs in and the password is updated. If you look at the users table, password field, it should be pretty obvious which passwords are MD5 and which are not. MD5 passwords are 16 byte, and will appear shorter than new passwords.

[Evaske]

  On 9/30/2013 at 5:51 PM, Paul said:

If you originally imported from 2.5, the passwords as stored in Blesta 3 will be the same MD5 hashes unless/until the user logs in and the password is updated. If you look at the users table, password field, it should be pretty obvious which passwords are MD5 and which are not. MD5 passwords are 16 byte, and will appear shorter than new passwords.

 

Hey Paul,

 

Exported from 3.0. Never had 2.5

[Cody]

  On 9/30/2013 at 7:09 PM, Evaske said:

Hey Paul,

 

Exported from 3.0. Never had 2.5

As Tyson pointed out, you need to have the same cipher keys in your /config/blesta.php config file as you did in the system you exported from.

 

Moved to support forum as not a bug.