Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Bex 444 posts 555 karma points
    Mar 08, 2017 @ 10:35
    Bex
    0

    Mass Admin Password reset - locked out of some newer sites

    Hi

    I am looking for advice on the newer version of umbraco.

    Periodically we reset all the admin passwords across of all our umbraco sites. We have sites going back to version 4.0.something. We change the password on one site, copy the hashed password out of the database and then run it across all the sites into the userpassword field via a script.

    I have just done this and found I am now locked out of some of our newest umbraco 7 sites (but not all).

    I have noticed a new column has appeared in the users table called :

    securityStampToken

    On some of the sites with this column the new password works, but on some of them it does not.

    I have an Umbraco 7.5.10 that I was locked out, but then an Umbraco 7.5.6 I can get into. Both have the SecurityStampToken column.

    I created a new site and updated the password and then copied both this token and the hashed password with no joy!

    I have used this to re-gain access, but I need a solution for future! How is the security token generated?

    Thanks for any help!

    Bex

  • Dan Diplo 1545 posts 6118 karma points MVP 4x c-trib
    Mar 08, 2017 @ 23:02
    Dan Diplo
    0

    I'm guessing passwords are now salted as well as hashed. The best way around this would be to write code that calls the API to update the admin password rather than an SQL script.

    Maybe take some inspiration from https://our.umbraco.org/projects/developer-tools/umbraco-admin-reset/

  • Keith R Hubbard 175 posts 403 karma points
    Mar 29, 2017 @ 02:24
    Keith R Hubbard
    0

    Has anyone figured this out? i have and issue with two site's this has happened in. the password reset does nothing with version 7.5.11.

  • [email protected] 395 posts 2067 karma points MVP 6x c-trib
    Apr 26, 2017 @ 07:30
    jeffrey@umarketingsuite.com
    0

    Hi Bex,

    I don't know exactly what the SecurityStampToken is for, but it should be possible to just copy the userPassword from one installation to another and then logon without to do anything with the SecurityStampToken.

    But you should note that one thing changed in the default installation of Umbraco, since version 7.6.. In the web.config the key "useLegacyEncoding" on the "UsersMembershipProvider" is set to false, where in previous version it was set to "true".

    This means that by default another hashing algorithm has been used in the newer version which means you cannot copy the userPassword-string from one database to another.

    I think you have two available solutions:

    1) Copy another string when useLegacyEncoding is set to "false". 2) Set the useLegacyEncoding-parameter in all your websites to the same setting (preferably false). But realize that by doing this all stored userPasswords will become invalid.

    Does this make any sense? Hope it helps,

    Jeffrey

Please Sign in or register to post replies

Write your reply to:

Draft