Hi, I have taken over support for one smaller site and they have ridiculously weak passwords and were under attack several times. We have changed all passwords but I am not sure how to change the DB password in Drupal.
I know that the password is stored in sites/default/settings.php but it is in some hash form and I do not know how to convert my password to the hash form.
I found some answers to run
php scripts/password-hash.sh 'myPassword'
but as I have no CLI access to the site, I do not know how to do this. Any suggestions?
Thank you

Comments

John_B

First you change the password on the database itself, via mysql or whichever database server you are using. Then you change it on your Drupal site, in settings.php

The database password in settings.php is in plain text. You enter exactly the password you set in mysql, without any hashing or other change.

It is not possible to change the password without CLI access or at least FTP or some other remote access to the file system. It is not even possible to update Drupal core without access to the file system. Drupal can in theory be managed with FTP access alone, but it is very painful doing so. I recommend that you make a real effort to get CLI access, and to ensure that drush (Drupal command line tool) is installed on the server.

Digit Professionals specialising in Drupal, WordPress & CiviCRM support for publishers in non-profit and related sectors

Jaypan

The database password in settings.php is in plain text.

Is it? I feel like I've run into issues with that in the past, though maybe it was on Drupal 6.

John_B

That would be interesting as I could never find a way to obfuscate the password in settings.php for better security.

If I am wrong, maybe the OP will say why she thinks the password in settings.php is hashed.


dariakosice

The password is not plain text for sure... obviously we have only a 5-char password, and in settings.php it is a lot longer and different, of course; that's why I think it's hashed.

I of course have FTP access, so no problem to change settings.php, I just need to know how to hash it so it would work. I have tried plain text, but this does not work.

John_B

obviously we have only a 5-char password

This is certainly not true. MySQL password length is not officially defined, but probably works up to 32 characters.

Using a MySQL password or Drupal password which was 5 chars long would be a very bad idea!


dariakosice

We do have a 5-char password; I know it's not limited to that, but that is what we had.
I want to change it to a stronger password. I already did, but as I cannot change it in Drupal due to the hash, the site is now down. I need to either figure out how to hash the new password in Drupal and add it to settings.php
or go back to this 5-char password, which is insecure.

John_B

In 7 years of working with Drupal I have never seen a hashed database password. Last year I discussed the matter with a member of the Drupal security team who has 15 years Drupal experience, who confirmed it is not possible. If you have discovered a site with a hashed database password in settings.php that will interest a lot of people.

Just to be sure, try entering your new database password in plain text in settings.php.

You probably already know that the database password has no connection with the site administrator's password, and that your database password cannot be set via your Drupal site's admin interface.


Jaypan

I don't think the password in settings.php is hashed (it couldn't be, as there would be no way to unhash it to submit it to MySQL), but I believe at least in D6 it was base64 encoded. This is to allow for special characters in the password (edit - I think).

dariakosice

Well, I am not sure how it works. It might be just base64 encoding; I can only see that the password in settings.php is set to:
'password' => '125d0d502244655321fd3c3daf0dc440',

which is definitely not the password used for the database login with that particular user but till now it was working. So not sure what to do now and how to change it.

In settings.php I can also see $drupal_hash_salt variable, but I think this is used for user passwords not for the DB or is it?

I have tried to use the plain password in settings.php and it did not work. But then I tried to create a new user for the database and used this new user with the new password in plain text, and it seems to be working now.
So not sure what magic was used before.

Jaypan

Try base64 encoding the password and see what happens. https://www.base64decode.org/

dariakosice

Yeah, already tried, but that is not the password either. I also tried to encode the password in base64 and it was a lot shorter than this.

As long as it works now, thank you both for your help. But I am still curious how that happened.
I have checked the other site I have on the same version of Drupal using the same database, and the password there is plain text.
So sorry for bothering and thanks for the help.

John_B

Good.

I have an idea how this comes about, and it is a MySQL thing, not a Drupal thing.

When you send the plain text password to MySQL, it hashes it and compares it with the hashed version in the MySQL user table (not the Drupal user table, of course). Drupal simply passes through to MySQL what is in settings.php.

In the past (MySQL version < 5.2) it was possible to connect to a MySQL server using the hash of the db password rather than the plain text version of the password. Maybe your host's MySQL implementation supported this using MySQL's OLD_PASSWORD() function, for backwards compatibility, until you changed the password.

Modern versions of MySQL prevent logging in with a hashed password because it is insecure (i.e. if someone has a dump of the MySQL user table, and hence a list of hashed passwords, they could use them to connect to the MySQL server without needing to decrypt them first).

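The thread turns on two points: John_B's first answer (whatever is in settings.php is sent to MySQL as-is, and the hashing happens server-side against the mysql.user table) and his last one (the server-stored hash has its own recognisable format). The following Python is an added example, not code from the thread, from Drupal or from MySQL. It reproduces the mysql_native_password stored-hash format (`*` followed by SHA1(SHA1(password)) in upper-case hex, which is MySQL's documented scheme), pulls the `'password' => '...'` value out of a constructed Drupal 7 style settings.php fragment, and classifies that value so a maintainer can tell whether it even looks like a MySQL hash. The sample settings.php text is constructed; the 32-character value inside it is the one quoted in the thread, and it matches none of MySQL's stored-hash formats, so MySQL would simply treat it as the plaintext credential.

```python
"""Checks for what a Drupal settings.php database password actually is.

Added example; not from the thread, Drupal or MySQL. The only MySQL facts it
relies on are the documented stored-hash formats: mysql_native_password is
'*' + 40 upper-case hex chars, the pre-4.1 scheme is 16 hex chars.
"""
import hashlib
import re
from typing import Optional

# Constructed Drupal 7 style settings.php fragment. Only the 'password' value
# is taken from the thread; the other fields are placeholders.
SAMPLE_SETTINGS_PHP = """
$databases = array(
  'default' => array(
    'default' => array(
      'driver' => 'mysql',
      'database' => 'example_db',
      'username' => 'example_user',
      'password' => '125d0d502244655321fd3c3daf0dc440',
      'host' => 'localhost',
      'prefix' => '',
    ),
  ),
);
"""


def mysql_native_password_hash(plaintext: str) -> str:
    """Compute the value MySQL stores in mysql.user for mysql_native_password.

    The client (Drupal's database layer) never sends this form; it sends the
    plaintext from settings.php and the server does the hashing and comparison.
    """
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    outer = hashlib.sha1(inner).hexdigest().upper()
    return "*" + outer


def extract_db_password(settings_php: str) -> Optional[str]:
    """Return the first 'password' => '...' value in a $databases array, or None."""
    match = re.search(r"'password'\s*=>\s*'([^']*)'", settings_php)
    return match.group(1) if match else None


def classify_credential(value: str) -> str:
    """Say whether a settings.php password value looks like a MySQL stored hash.

    Whatever the label, Drupal passes the string to MySQL unchanged; the label
    only tells a maintainer whether someone pasted a hash into settings.php.
    """
    if re.fullmatch(r"\*[0-9A-F]{40}", value):
        return "mysql_native_password_hash"
    if re.fullmatch(r"[0-9a-fA-F]{16}", value):
        return "mysql_pre_4.1_hash_format"
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        # 32 hex chars is not a MySQL stored-hash format at all; the server
        # would treat it as a plaintext password that happens to look hex-like.
        return "32_hex_chars_not_a_mysql_hash"
    return "plaintext"


def inspect_settings(settings_php: str) -> dict:
    """Combine extraction and classification for one settings.php text."""
    value = extract_db_password(settings_php)
    if value is None:
        return {"found": False}
    return {"found": True, "length": len(value), "kind": classify_credential(value)}


if __name__ == "__main__":
    print(inspect_settings(SAMPLE_SETTINGS_PHP))
    print(mysql_native_password_hash("password"))
```

Running `inspect_settings` over a real settings.php is a quick way to confirm, after a rotation, that the file holds the new plaintext credential rather than a pasted hash; the rotation itself still has to be done on the MySQL side first, as John_B describes.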