Mass Admin Password reset - locked out of some newer sites
Hi
I am looking for advice on the newer version of umbraco.
Periodically we reset all the admin passwords across all of our umbraco sites. We have sites going back to version 4.0.something. We change the password on one site, copy the hashed password out of the database and then run it across all the sites into the userpassword field via a script.
I have just done this and found I am now locked out of some of our newest umbraco 7 sites (but not all).
I have noticed a new column has appeared in the users table called securityStampToken.
On some of the sites with this column the new password works, but on some of them it does not.
I have an Umbraco 7.5.10 that I was locked out of, but an Umbraco 7.5.6 that I can get into. Both have the SecurityStampToken column.
I created a new site and updated the password and then copied both this token and the hashed password with no joy!
I have used this to regain access, but I need a solution for the future! How is the security token generated?
Thanks for any help!
Bex
I'm guessing passwords are now salted as well as hashed. The best way around this would be to write code that calls the API to update the admin password rather than an SQL script.
Maybe take some inspiration from https://our.umbraco.org/projects/developer-tools/umbraco-admin-reset/
Has anyone figured this out? I have an issue with two sites this has happened on. The password reset does nothing with version 7.5.11.
Hi Bex,
I don't know exactly what the SecurityStampToken is for, but it should be possible to just copy the userPassword from one installation to another and then log on without doing anything with the SecurityStampToken.
But you should note that one thing changed in the default installation of Umbraco since version 7.6. In the web.config the key "useLegacyEncoding" on the "UsersMembershipProvider" is set to false, where in previous versions it was set to "true".
This means that by default another hashing algorithm is used in the newer version, which means you cannot copy the userPassword string from one database to another.
I think you have two available solutions:
1) Copy another string when useLegacyEncoding is set to "false".
2) Set the useLegacyEncoding parameter in all your websites to the same setting (preferably false). But realize that by doing this all stored userPasswords will become invalid.
Does this make any sense? Hope it helps,
Jeffrey