[Mifos-users] Changing user passwords from the SQL?


Ryan Whitney

Nov 29, 2009, 9:52:49 PM
to mifos...@lists.sourceforge.net
Hello all,

Have a situation where I’d like to just change the admin password with a SQL Command.  Is this possible or is Mifos using some kind of password encryption from within Java only?

Thanks,
Ryan
--
Ryan Whitney
Mifos Technical Program Manager
rwhi...@grameenfoundation.org  
Mifos - Technology that Empowers Microfinance (www.mifos.org)
Our mission is to enable the poor, especially the poorest, to create a world without poverty.  
<http://grameenfoundation.org/take-action/ingenuity-fund-challenge/>
Please consider the environment before printing this e-mail.

Adam Feuer

Nov 30, 2009, 12:43:33 AM
to A good place to start for users or folks new to Mifos.
On Sun, Nov 29, 2009 at 6:52 PM, Ryan Whitney
<rwhi...@grameenfoundation.org> wrote:
> Have a situation where I’d like to just change the admin password with a SQL Command.  Is this possible or is Mifos using some kind of password encryption from within Java only?

Ryan,

You can do it, but you need to have the ability to make an MD5 hash of the
new password. If you have openssl installed, you can do it this way:

% echo password | openssl md5

Where you replace 'password' with your desired password. Then you can
put the MD5 hash value in the password field in the database. I forget
which table it's in exactly, though. I can tell you more tomorrow when
I'm at work.

-adam
--
Adam Feuer <adamf at pobox dot com>

_______________________________________________
Mifos-users mailing list
Mifos...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mifos-users

Udai Gupta

Nov 30, 2009, 2:22:28 AM
to A good place to start for users or folks new to Mifos.
Hi,

MySQL also has a function that can create an MD5 hash for a string.
http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html#function_md5

Udai

Ryan Whitney

Nov 30, 2009, 2:25:16 AM
to mifos...@lists.sourceforge.net
Interesting. I tried using that, but the blob string it returned was a different length than what was in for the rest of the user passwords. They were like 28 bytes long and it was ... I think 40?

Although I didn’t try logging in with it.  Will have to try it next time.  

Thanks!
Ryan

Udai Gupta

Nov 30, 2009, 9:16:01 AM
to A good place to start for users or folks new to Mifos.
Hi Ryan,

I realized that the password storing scheme in Mifos is not just simple MD5; it is a salted MD5 hash.

I didn't find any example of a MySQL function to create salted hashes.

e.g.

In "init_mifos_password.sql" you will see there is a query which updates the password field (salted md5 hash) in the personnel table. The password field is a blob, and in the query "0x226...." (salted md5 hash) is in hexadecimal format of 28 bytes.

Dividing the password hash string in the query (from left to right):
    - 0x (used for representation of hex numbers)
    - first 12 hexadecimal numbers (24 chars) are the salt.
    - later 16 hexadecimal numbers (32 chars) are the salted md5 hash.

Now, to generate a new password the procedure will be:

 - create a 12 byte salt (randomized)
 - create a salted md5 hash for the password string.

The new password hash will be "0x" + 'salt (hex format)' + 'salted md5 hash generated'.

In java you can do something like this.

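import java.security.SecureRandom;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.codec.digest.DigestUtils;

public class MifosPasswordHash {
    public static void main(String[] args) throws Exception {
        String password = "123456";
        byte[] passwordBytes = password.getBytes("UTF-8");
        // 12 random bytes of salt
        byte[] salt = new byte[12];
        new SecureRandom().nextBytes(salt);
        String saltHex = new String(Hex.encodeHex(salt));
        // data = salt followed by the UTF-8 bytes of the password
        byte[] data = new byte[12 + passwordBytes.length];
        System.arraycopy(salt, 0, data, 0, 12);
        System.arraycopy(passwordBytes, 0, data, 12, passwordBytes.length);
        // stored value = "0x" + hex(salt) + hex(MD5(salt + password))
        System.out.println(" PASSWORD = 0x" + saltHex.toUpperCase() + DigestUtils.md5Hex(data).toUpperCase());
    }
}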
 
for this you will need http://repository.jboss.org/maven2/apache-codec/commons-codec/1.2/commons-codec-1.2.jar
in the build path.

The output will be the hash that you need for the password, as it is given in init_mifos_password.sql.


PS:  echo password | openssl md5 is giving different result than  DigestUtils.md5Hex(password) and 'select md5('password')'.

Udai
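
The stored layout described in the message above (a 12-byte salt followed by the MD5 of salt plus password, 28 bytes in all), written out as an added Python example; it is not part of the original thread or of Mifos's own code. It assumes the layout is exactly as the post describes, and the function names are hypothetical. It also shows why `echo password | openssl md5` disagrees with `DigestUtils.md5Hex` and MySQL's `MD5()`: `echo` appends a newline, which is hashed along with the text.

```python
import hashlib
import hmac
import os

SALT_LEN = 12  # bytes of salt, per the layout described in the thread
MD5_LEN = 16   # bytes of MD5 output


def make_stored_value(password, salt=None):
    """Return '0x' + hex(salt) + hex(MD5(salt + password)), upper-case."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 12 bytes")
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return "0x" + (salt + digest).hex().upper()


def split_stored_value(stored):
    """Split a 0x-prefixed 28-byte value into (salt, digest)."""
    if stored[:2].lower() != "0x":
        raise ValueError("missing 0x prefix")
    raw = bytes.fromhex(stored[2:])
    if len(raw) != SALT_LEN + MD5_LEN:
        # A plain MD5 (16 bytes, e.g. from MySQL MD5()) is rejected here.
        raise ValueError("expected 28 bytes, got %d" % len(raw))
    return raw[:SALT_LEN], raw[SALT_LEN:]


def verify(password, stored):
    """Recompute MD5(salt + password) and compare with the stored digest."""
    salt, digest = split_stored_value(stored)
    candidate = hashlib.md5(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


def plain_md5(text):
    """What DigestUtils.md5Hex(text) and MySQL MD5('text') compute."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def echo_md5(text):
    """What `echo text | openssl md5` computes: the text plus a newline."""
    return hashlib.md5(text.encode("utf-8") + b"\n").hexdigest()


if __name__ == "__main__":
    value = make_stored_value("123456")  # constructed sample password
    print(value, verify("123456", value))
    print(plain_md5("password"), echo_md5("password"))
```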

Ryan Whitney

Nov 30, 2009, 7:17:48 PM
to mifos...@lists.sourceforge.net
Udai,

Wow, thanks for that in-depth investigation. So at this point we cannot
easily replace a password straight in the database, which is fine. Good
thing I went with my other method.

Good to know,
Ryan


Jeff Brewster

Nov 30, 2009, 8:12:09 PM
to A good place to start for users or folks new to Mifos.
Hey Ryan,
I typically do a two-step process -
1. reset the password to a known default using the
init_mifos_password.sql script
2. login to mifos using the default and change it to a new password via
the UI.

Jeff

Ryan Whitney

Nov 30, 2009, 9:36:24 PM
to mifos...@lists.sourceforge.net
That's a good workaround Jeff, thanks!

Ryan
