
  • philw 99 posts 434 karma points
    May 01, 2015 @ 17:59
    philw
    0

    Password reset?

    I have a thousand sites and a zillion passwords. I use systems, I write things down.

    I have an Umbraco 7 and it won't let me in. I need to reset the password. I have access to the code and the database, but I can't get in.

    I tried this 

    https://our.umbraco.org/forum/using/ui-questions/49134-Forget-My-Password-For-Umbraco-Admin-Site

    (repeated below), but I'm still not getting in although I can see my clear password etc. Anyone any ideas? I just want the darned password to be reset. I don't care about anything if I can't get into the thing.

    I'm getting fairly desperate, maybe I can hack ASP to remove the security from web.configs or something. I can read the fields from the DB table for users but I still can't get into *my own install*. What if I did a repeat install using another webserver and a backup of this database - maybe I could get back to "admin" /"admin". This is crazy stuff, what does it take to reset the password? I could not use my standard password as Umbraco thinks my password-generator's characters are illegal. Just a little password reset thing is all I need...

     

    1: In the web.config of the Umbraco application search for "hashed". It should give you 2 hits concerning passwords for users and members. Change both from "hashed" to "clear". This makes Umbraco store the password as clear text in the database.

    2: Go to the user table in the database. In the password column you'll see your current password...in a hashed format. So change the password in this column to one you can remember in clear text.

    3: Login to Umbraco and stay logged in while you do step 4

    4: Change the web.config back to using "hashed" instead of "clear", since "clear" is not recommended due to security reasons.

    5: When the web.config is changed back to storing password in a hashed format - in Umbraco you go to the users section and change your password once again so the password is being hashed again.

  • Alex Skrypnyk 6175 posts 24186 karma points MVP 8x admin c-trib
    May 01, 2015 @ 19:00
    Alex Skrypnyk
    0

    Hi philw,

    So you are seeing the hashed password even if you set 'clear' in config?

  • philw 99 posts 434 karma points
    May 02, 2015 @ 10:04
    philw
    0

    This is on Rackspace so there can be cache effects. I could not understand why the pwd was wrong in the first place. Thinking about it, perhaps it is a machine key thing. If Umbraco standard setup doesn't have a machine key, then on Rackspace that could vary across the cluster.

     So maybe I have to set that.

     

    I managed to get a clear pwd into the dB, and logged in with it. I later lost access to that.

    I didn't change back as I'm likely to forget the pwd again: I have hundreds of accounts and if I can't use passwordmaker.org then I'm broadly insecure due to not myself being a machine.

  • philw 99 posts 434 karma points
    May 02, 2015 @ 11:31
    philw
    100

    Ok, I think I get it. The problem is that Rackspace Cloud is a cluster whose architecture I do not know. I've used Umbraco 6 and 7 on there for a long time without hassle, but this is my 1st Umbraco 7.2.4 install.

    In 7.2.4, I'm guessing Umbraco is using ASP.NET password hashing, because if I don't explicitly set a machine key, then the password I set works on the Rackspace Cloud node I set it up on, but if later I get a different bit of that Cloud, then my password doesn't work any more.

    Previous versions of Umbraco I have running don't set Machine keys, yet don't suffer from this feature, so I'm guessing the authentication was changed to be more "ASP like" recently. That's a good thing, but if you're on a cloud then you need to explicitly set a machine key, or you'll get random inexplicable login failures. That's because machine keys are inherited, and each cluster node will have a different one, I think.

    I just set an explicit machine key in my web.config (from http://www.developerfusion.com/tools/generatemachinekey/), then I did the clear->hashed dance. I'm back in now, and I can log in from different machines. You can never be quite sure which node you're on though, so it's not a confirmed kill until it's been fine for a few days.

    The Bottom Line (unless I come back in a few hours still whining...)

    From 7.2.4 at least onwards, you need to add an explicit machine key if you're running in Rackspace Cloud.
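
An added example, not part of the thread: a check for the condition the last post describes (no explicit machine key, so each cluster node falls back to its own), plus a way to generate the key locally instead of with an online tool. The function names, the sample config, and the HMACSHA256/AES choice with 64-byte and 32-byte keys are assumptions of this example.

```python
import secrets
import string
import xml.etree.ElementTree as ET

# Constructed sample: a web.config fragment with no explicit machine key.
SAMPLE = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""

# Accepted hex lengths: validationKey 40-128 chars, decryptionKey 32/48/64 (AES).
LENGTHS = {"validationKey": range(40, 129), "decryptionKey": (32, 48, 64)}

def audit_machine_key(xml_text):
    """Return a list of problems with <machineKey> in a web.config."""
    mk = ET.fromstring(xml_text).find("system.web/machineKey")
    if mk is None:
        return ["no <machineKey>: every node uses its own auto-generated key"]
    problems = []
    for attr, lengths in LENGTHS.items():
        value = mk.get(attr, "AutoGenerate")  # absent attribute means auto-generated
        if "AutoGenerate" in value:
            problems.append(f"{attr} is auto-generated, so it differs per node")
        elif len(value) not in lengths or set(value) - set(string.hexdigits):
            problems.append(f"{attr} is not a hex key of a valid length")
    return problems

def set_machine_key(xml_text):
    """Return the config with a fresh, locally generated explicit key."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    for old in system_web.findall("machineKey"):
        system_web.remove(old)
    ET.SubElement(system_web, "machineKey", {
        "validationKey": secrets.token_hex(64).upper(),  # 64 bytes, 128 hex chars
        "decryptionKey": secrets.token_hex(32).upper(),  # 32 bytes, AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    })
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(audit_machine_key(SAMPLE))
    fixed = set_machine_key(SAMPLE)  # the same element must reach every node
    print(audit_machine_key(fixed))
    print(fixed)
```

ElementTree drops XML comments when it re-serialises, so copy the printed `<machineKey>` element into the real web.config rather than overwriting the file.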