Passwords do not work after upgrade?

Post here for help with installing or upgrading mojoPortal pre-compiled release packages. When posting in this forum, please provide all relevant details. You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.

Post here for help with installation of mojoPortal pre-compiled release packages

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.

You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.

This thread is closed to new posts. You must sign in to post in the forums.
11/18/2013 3:46:36 AM
Gravatar
Total Posts 78

Passwords do not work after upgrade?

Hi,

We upgrade MojoPortal from Version 2.3.4.7 MySQL to 2.3.9.9 MySQL.

- All scripts runned fine
- Skin was updated with CSS and also worked fine
- Connection string to mySQL set
- MachineKey is set to the default value and is the same as in our old version of the site 

The problem is that password is not working for any user, instead we need to set a new one for each and everyone? Its unclear how the admin could login.

Why is the passwords not working anymore? Is there any way to fix this besides reset all passwords(alot)?

BestRegards

 

11/18/2013 7:16:35 AM
Gravatar
Total Posts 1992

Re: Passwords do not work after upgrade?

Are you positive you are using the same machine key as you had before? You may want to restore your backup to a new IIS website and a new database, then see if you can login to this restored site. If so, check your machine key and if it is different than what you have in your current website's web.config, copy it over.

HTH,
Joe D.

11/18/2013 8:48:02 AM
Gravatar
Total Posts 78

Re: Passwords do not work after upgrade?

Hi,

I have now checked the machine key and its exacly the same on both the old and the new.

I am using the default one so when enter Administrator page on MojoPortal there will be a warning about the Machine Key(this was not shown in prev version).

But as I said, I have compared old and new version of the MojoPortal web.config and the Machine Key is the same.

What are my options? I Suppose I will have to set new passwords on all 100 members? But do I need to do it manually? Is there any way to make this esier?

BestRegards

11/18/2013 9:24:47 AM
Gravatar
Total Posts 18444

Re: Passwords do not work after upgrade?

The ideal solution is to get a copy of the site working as it was before the upgrade and then change to cleartext passwords then do a query to join the new db with the old copy and get the original password and put it in the new db in the pwd field of mp_Users and set the password format field in mp_Sites as cleat text (0 I think). Then finally generate a new machine key and change back to encrypted from site settings so it will encrypt the clear text passwords again with the latest encryption and machine key.

It is extremely important to use a custom machine key, if someone knows your machine key they can easily hack your site no matter what password format you are using. This is why we added security advisor.

Note that somewhere along the way we changed the encrypted passwords to use a stronger encryption with salt and to do that we migrated password to the newer pwd field which is large enough for the stronger encryption. I don't know if this was before or after your previous version.

Even if you decide to reset the passwords then you should first change the password format field in mp_Sites to clear text, you could then run a query to make the new password something like the email + changeme, there is also a new flag to MustChangePassword on mp_Users. There is no way to generate encrypted password with just sql so you must first reset to plain text passwords and then change to encrypted from site settings so .NET code can generate the encrpyted versions and salt.

Then I guess you could email or tell your users to recover their passwords with password recovery and after the y login change it to a new password.

Hope that helps,

Joe

11/18/2013 9:35:12 AM
Gravatar
Total Posts 78

Re: Passwords do not work after upgrade?

Thanks,

It will probably not be possible to get the old version running again so I will have to change the current passwords.

What I need is something like this : 

  1. Clear all current password
  2. Set to clear text
  3. Generate new Machine key
  4. Turn on encryption of passwords
  5. Generate new passwords
  6. Send the new passwords out to users (users already got there email adress register in MojoPortal)

This could probably be done manually but it would mean ALOT of time, probably a couple of days to get this working and that much time will I not get to fix this.

Is there built in functionality for this? And if so, where can I find how to use it?

11/18/2013 10:29:59 AM
Gravatar
Total Posts 18444

Re: Passwords do not work after upgrade?

Ok, here is step by step a way to accomplish it.

  1. backup the db again for good measure
  2. make sure that email is configured and that you can receive the password recovery email
  3. Run this query to set the password format to clear text
    UPDATE mp_Sites SET PasswordFormat = 0
  4. Run this query to reset all users to semi random new password
    UPDATE mp_Users Set Pwd = (SELECT SUBSTRING(CONVERT(varchar(36), newid()), 0,9))
  5. Touch web.config to clear the site settings cache otherwise it still thinks it is using encrypted
  6. recover your own password and verify that you can login
  7. Use the Security Advisor page to generate a new machine key and replace the one in web.config with the new one.
  8. Go to site settings and change the password format back to encrypted and wait a few minutes, do not touch web.config or do anything that might recycle the app as it will interupt it from processing the passwords.
  9. verify in the db that the pwd filed looks encrypted and the passwordsalt field is populated in the mp_Users table
  10. logout and verify that you can login again
  11. Go to Administration > Newsletters and create a newsletter that will be used to inform the users of the password reset and need to use password recovery. Subscribe to the newsletter and send a test and make sure you receive it. Then click to view the subscribers and click the button to add the remaining site users as subscribers.
  12. Create and send a newsletter explaining that passwords were all reset and provide a link to the password recovery page.

Optionally after step 4 you could do UPDATE mp_Users SET MustChangePwd = 1

this would force users to change to a new password after they do login.

Hope that helps,

Joe

11/21/2013 2:27:52 AM
Gravatar
Total Posts 78

Re: Passwords do not work after upgrade?

Thanks,

This looks good!

I have added the email information to the web.config and tried the password recover, so far so good.

But you say in point 8 : Go to site settings and change the password format back to encrypted

When looking in the site settings > security I can see that the password is set to Hashed i database(can not be recovered)? But you are suggesting to use encryption instead?

11/21/2013 6:18:15 AM
Gravatar
Total Posts 18444

Re: Passwords do not work after upgrade?

no, if you want to use hashed that is fine. I assumed you were already using encrypted because encrypted depends on the machine key. hashed does not depend on the machine key so I don't know why login was failing. hashed is the most secure because it cannot be decrypted. with hashed you can reset the password but not recover it.

11/21/2013 6:24:36 AM
Gravatar
Total Posts 78

Re: Passwords do not work after upgrade?

Thanks,

So If I want to change the password of all current users I should still follow your steps above (even when using hashed passwords)?

11/21/2013 6:25:24 AM
Gravatar
Total Posts 18444

Re: Passwords do not work after upgrade?

doesn't make sense, if you did steps 3, 4, 5 then it should say clear text not hashed. maybe you missed step 5

11/21/2013 6:28:10 AM
Gravatar
Total Posts 18444

Re: Passwords do not work after upgrade?

the steps must go in order, you cannot change their hashed passwords and you cannot do step 8 until after you reset the passwords as clear text

if you did not reset them to clear text and password recovery works then don't change them just tell everyone to use password recover which will reset the password for hashed since it cannot recover.

You must sign in to post in the forums. This thread is closed to new posts.