Bobcares

Drupal password encryption – How it improves security?

by | May 21, 2019

Plain text passwords in your apps always pose a security risk.

Thanks to strong Drupal password encryption, it avoids password compromise to a larger extent.

But, configuring password encryption may not be straight-forward always.

That’s why, at Bobcares, we often get requests from our customers to set up “Drupal password encryption” as part of our Server Management Services.

Today, we’ll see how our Support Engineers configure password encryption in Drupal & fix the related issues.

 

Why password encrypt in Drupal?

In Drupal, the password saved in the database is in encrypted format & obscured against brute force attacks.

This encryption technique keeps away direct access to plaintext password due to the hash salt so that it is difficult to decrypt.

In fact, Drupal does such a good job with the password encryption method.

 

How to encrypt the password for Drupal

In Drupal 8, there are several ways to set an encrypted password.

Let’s see how our Support Engineers set up password encryption in Drupal

 

– Using the drush command:

drush8 user-password admin --password="new_password"

 

– Without drush, using CLI access to the server:

cd <drupal root directory>
php scripts/password-hash.sh 'new_password'

And then we go to Databases > phpMyAdmin >SQL tab to paste the resultant hash into the SQL query text box.

update users set name='admin', pass='pasted_hash_from_above' where uid=1;

 

– Using PHP scripts:

We put the specified code in the password.php file like this.

<?php
if (isset($_GET['p'])) {
  require_once dirname(__FILE__) . '/includes/bootstrap.inc';
  require_once dirname(__FILE__) . '/includes/password.inc';
  print _password_crypt('sha512', $_GET['p'], _password_generate_salt(DRUPAL_HASH_COUNT));
  exit();
}
print "No password to hash.";

And then hit your site using: http://domain.tld/password.php?p=’MyPassword’. The hash will appear on your browser’s tab.

 

Common errors & fixes in Drupal password encryption

Setting the password encryption in Drupal may not work as expected.

Let’s take a closer look at what are the causes & how our Support Engineers fixed it.

 

1. Password problems after migration

Recently, one of our customers approached us regarding Drupal password encryption. After migrating the user account data to a different server, his password doesn’t work due to encryption & hash in Drupal 8.

In Drupal 8, if the password for the administrator doesn’t work, it is possible to set the password via a database query.

So, to solve the problem our Support Engineers took the following steps.

1. First, we generated the password hash for the site using this script in Drupal’s root directory.

php core/scripts/password-hash.sh 'new_password'

2. Next, with the generated hash we updated the database.

3. We navigated to cPanel > Databases > phpMyAdmin > SQL tab > SQL query text box & pasted the following query.

UPDATE users_field_data SET pass='$S$E5mpCS9kjQ8P/M1aUCKsF4UUIdXjrHyvnE4TerAVJ9bIu4U' WHERE uid = 1;

4. Finally, we cleared the cache by running this command.

DELETE FROM cache_entity WHERE cid = 'values:user:1';

That fixed the problem, now the user could use the new encrypted password to login without any failure.

 

2. Password sent in plain text

Similarly, another customer reported us that while installing theme or module in Drupal, the Update Manager resulted in an error like this

You are not using an encrypted connection, so your password will be sent in plain text. Learn more

This error is caused when there is incorrect permission on the Drupal folder.

We took the following steps to solve the problem.

1. First, we opened the terminal.

2. Next, we granted permission to the webserver user by running this command.

chown user:user -R /home/user/public_html/mydrupal/sites

3. Finally, the user could install the theme in Drupal without any error.

That’s how we fixed the problem.

[Having trouble with password encryption in Drupal? We’ll fix it for you.]

 

 

Conclusion

To be more precise, Drupal has a technique to encrypt the password for security purpose. Today, we saw how our Support Engineers set up encrypted password & fixed the related issues.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.