switch from SHA256 to md5

linuxen
New user
Posts: 7
Joined: 2008-10-08 09:27

switch from SHA256 to md5

Post by linuxen » 2010-02-06 18:28

Hi,
I have hMailServer 5.3.1 - Build 1748 installed on my server. And I have a question: can you change from SHA256 to md5 to encrypt the passwords for hMailServer's user accounts?

I have tried to search for a solution to this, unfortunately without success =(

DeanoX
Senior user
Posts: 480
Joined: 2005-11-05 00:07
Location: Michigan

Re: switch from SHA256 to md5

Post by DeanoX » 2010-02-06 18:31


linuxen
New user
Posts: 7
Joined: 2008-10-08 09:27

Re: switch from SHA256 to md5

Post by linuxen » 2010-02-06 18:35

DeanoX wrote:PreferredHashAlgorithm http://www.hmailserver.com/documentatio ... lesettings
Yes, I've read it but have not gotten anything out of it that could help me on this issue =(

DeanoX
Senior user
Posts: 480
Joined: 2005-11-05 00:07
Location: Michigan

Re: switch from SHA256 to md5

Post by DeanoX » 2010-02-06 18:40

PreferredHashAlgorithm  - This setting allows you to specify which hashing algorithm hMailServer should use for passwords in the hMailServer database. In old versions of hMailServer, passwords were stored in plain text. In hMailServer 4, passwords were stored in MD5. In hMailServer 5, the default preferred hash is now salted SHA256. The following values are valid for this setting:

    * 0 - None. Store passwords in clear text. This is not recommended.
    * 1 - Blowfish. Store passwords encrypted using Blowfish. This is not recommended, since the password used for encryption is known. Hence, this is no more safe than option 0.
    * 2 - MD5. Store passwords in MD5 hash. This is only recommended to preserve backwards compatibility if you have an application which integrates with the hMailServer database.
    * 3 - SHA256 - Store passwords in SHA256 hashes. This is currently the recommended option which gives the highest level of security.
In your hmailserver.ini file, add "PreferredHashAlgorithm = 2", then restart the service.

linuxen
New user
Posts: 7
Joined: 2008-10-08 09:27

Re: switch from SHA256 to md5

Post by linuxen » 2010-02-06 18:51

DeanoX wrote:

PreferredHashAlgorithm  - This setting allows you to specify which hashing algorithm hMailServer should use for passwords in the hMailServer database. In old versions of hMailServer, passwords were stored in plain text. In hMailServer 4, passwords were stored in MD5. In hMailServer 5, the default preferred hash is now salted SHA256. The following values are valid for this setting:

    * 0 - None. Store passwords in clear text. This is not recommended.
    * 1 - Blowfish. Store passwords encrypted using Blowfish. This is not recommended, since the password used for encryption is known. Hence, this is no more safe than option 0.
    * 2 - MD5. Store passwords in MD5 hash. This is only recommended to preserve backwards compatibility if you have an application which integrates with the hMailServer database.
    * 3 - SHA256 - Store passwords in SHA256 hashes. This is currently the recommended option which gives the highest level of security.
In your hmailserver.ini file, add "PreferredHashAlgorithm = 2", then restart the service.
Aha, sorry, I missed it =) Now I've been good and modified passwordencryption = 1 in my ini file. Is this right?
Last edited by linuxen on 2010-02-06 18:58, edited 1 time in total.

DeanoX
Senior user
Posts: 480
Joined: 2005-11-05 00:07
Location: Michigan

Re: switch from SHA256 to md5

Post by DeanoX » 2010-02-06 18:58

The "Passwordencryption" option is for the database password.

Your original question was,
linuxen wrote:And I have a question if you can change from SHA256 to md5 to encrypt the passwords for hmailservers user Accounts?
To change to using MD5 -vs- SHA256 for user account passwords, you should just add, "PreferredHashAlgorithm = 2".

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: switch from SHA256 to md5

Post by ^DooM^ » 2010-02-06 20:00

I'm pretty sure if you have any accounts already set up you will have to reset the passwords on those accounts as they still use the old hash until altered.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

linuxen
New user
Posts: 7
Joined: 2008-10-08 09:27

Re: switch from SHA256 to md5

Post by linuxen » 2010-02-06 20:25

Thanks for all the help, I have solved the problem.

linuxen
New user
Posts: 7
Joined: 2008-10-08 09:27

Re: switch from SHA256 to md5

Post by linuxen » 2010-02-06 20:38

Jag har fortfarande problem med att få till MD5. Min .ini ser ut enligt följande
(English: I still have problems getting MD5 to work. My .ini looks as follows.)

[Directories]
ProgramFolder=C:\hMailServer
DataFolder=C:\hMailServer\Data
LogFolder=C:\hMailServer\Logs
TempFolder=C:\hMailServer\Temp
EventFolder=C:\hMailServer\Events
DatabaseFolder=C:\hMailServer\Database
[GUILanguages]
ValidLanguages=english,swedish
[Database]
Internal=0
type=MYSQL
username=hMailserver
password=XXXXX
PasswordEncryption=1
port=3306
server=XXXXX
database=hMailserver
[Security]
AdministratorPassword=XXXXX
PreferredHashAlgorithm = 2

I've also started hMailServer after I made the new settings.

pepsi
Senior user
Posts: 419
Joined: 2008-08-21 20:58
Location: Netherlands

Re: switch from SHA256 to md5

Post by pepsi » 2010-02-08 17:48

Jag har fortfarande problem med att få till MD5. Min .ini ser ut enligt följande



????????????????????????translation????????????????????????????

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: switch from SHA256 to md5

Post by martin » 2010-02-08 23:17

That means he still has problems getting it to work; his ini file looks as follows.

It's kind of confusing that he writes that he got it to work, then says it does not work.

Anyway, the setting only affects new passwords. PreferredHashAlgorithm does not automatically change the hash algorithm for existing passwords.

mdwait
Normal user
Posts: 57
Joined: 2007-03-15 21:48
Location: NRH,TX

Re: switch from SHA256 to md5

Post by mdwait » 2010-02-26 15:09

So, when I am trying to build a 'sync' process between new 5.x servers and 4.4 servers, does the password encryption remain the same, or do I need to ensure that we are setting up new installs correctly with an ini setting?

What we are doing is this:
OldServer 4.4
NewServer 5.x

Oldserver accounts are slowly being migrated via a COM interface, (as far as moving the settings in the database).
NewServer 5.x is set up as a brand new install... not as an upgrade.

Will the passwords still work, or do we need to change a setting?
hmailsvr 4.4/5.1 ~MS-SQL 2000/2008 ~VB6,VB.NET 2005~ASP.NET

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: switch from SHA256 to md5

Post by ^DooM^ » 2010-02-26 22:03

You will need to set the PreferredHashAlgorithm in the hmailserver.ini file to 2 if you want MD5 to work properly. Default setting is 3 which is SHA256.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

dev3.3250240
New user
Posts: 2
Joined: 2013-01-14 07:41

Re: switch from SHA256 to md5

Post by dev3.3250240 » 2013-01-14 07:44

I have set preferredhashalgorithm = 0 but it's not working for me. It still encrypts the password.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: switch from SHA256 to md5

Post by Bill48105 » 2013-01-14 08:37

dev3.3250240 wrote:I have set preferredhashalgorithm = 0 but it's not working for me. It still encrypts the password.
Did you restart hmailserver service? It won't change existing passwords, just new ones as they are saved. IOW you'd need to reset every user's password to get them saved in the new format chosen.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: switch from SHA256 to md5

Post by ^DooM^ » 2013-01-14 12:56

dev3.3250240 wrote:I have set preferredhashalgorithm = 0 but it's not working for me. It still encrypts the password.
Just to add to what Bill said, the passwords are NOT encrypted, they are HASHES of the password which means they are ONE way. You cannot "Decrypt" them. When a password is sent to hMail, hMail hashes the incoming password then checks it against the saved hash. If the hashes match each other then the client can proceed.

You can unhash some MD5 hashes using rainbow tables if the passwords are less than 32 characters, but there is no way to get passwords from hMail's salted SHA256 hash. If that was your goal, you are out of luck.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

dev3.3250240
New user
Posts: 2
Joined: 2013-01-14 07:41

Re: switch from SHA256 to md5

Post by dev3.3250240 » 2013-01-14 14:29

Thanks DooM and Bill.
I just want to run the database with plain text passwords, not any hashing. I just set preferredhashalgorithm = 0, then restarted the hmailserver service, then updated an existing user's password and also created a new user, but without success.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: switch from SHA256 to md5

Post by ^DooM^ » 2013-01-14 15:01

New users should have plain text passwords. Old users will not. hMail will use the old hash choice, else no one would be able to log in after making the ini change.

Restart hMail's service under services.msc; don't use the start/stop button on the admin, that just pauses the server and will not read in new ini settings.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
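
The behaviour described in the replies above (the setting is applied only when a password is saved, and logins are checked against whatever format the account already has), as an added Python model that is not hMailServer's code and not part of any post. The row layout, the 6-character salt prefix, the sample password and all names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Scheme numbers reuse the PreferredHashAlgorithm values quoted in the thread
# (1, Blowfish, is left out). Row layout and salt length are assumptions.
PLAIN, MD5, SHA256 = 0, 2, 3
SALT_LEN = 6  # hex characters, stored as a prefix of the SHA256 value

def digest(scheme, password, salt=""):
    if scheme == PLAIN:
        return password
    if scheme == MD5:
        return hashlib.md5(password.encode()).hexdigest()  # unsalted
    if scheme == SHA256:
        return salt + hashlib.sha256((salt + password).encode()).hexdigest()
    raise ValueError(f"unknown scheme {scheme}")

class AccountStore:
    """Toy account table: user -> (scheme, stored value)."""

    def __init__(self, preferred=SHA256):
        self.preferred = preferred
        self.rows = {}

    def set_password(self, user, password):
        # The preferred algorithm is consulted only when a password is written.
        salt = os.urandom(SALT_LEN // 2).hex() if self.preferred == SHA256 else ""
        self.rows[user] = (self.preferred, digest(self.preferred, password, salt))

    def verify(self, user, password):
        # Checking uses the scheme saved with the row, not the current setting.
        scheme, stored = self.rows[user]
        salt = stored[:SALT_LEN] if scheme == SHA256 else ""
        candidate = digest(scheme, password, salt)
        return hmac.compare_digest(stored.encode(), candidate.encode())

    def weak_accounts(self):
        # Audit: rows still held as plain text or unsalted MD5.
        return sorted(u for u, (s, _) in self.rows.items() if s in (PLAIN, MD5))

def demo():
    store = AccountStore(preferred=SHA256)
    for user in ("alice", "bob"):              # created under the default
        store.set_password(user, "same-password")
    store.preferred = MD5                      # models the ini change + restart
    for user in ("carol", "dave"):             # created after the change
        store.set_password(user, "same-password")
    return store
```

After `demo()`, alice and bob still verify and hold different salted values for the same password, while carol and dave hold identical MD5 values; `weak_accounts()` lists the rows that are stored as plain text or unsalted MD5.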

manos2000
New user
Posts: 8
Joined: 2013-06-16 02:20

Re: switch from SHA256 to md5

Post by manos2000 » 2016-10-01 16:02

martin wrote:That means he still has problems getting it to work; his ini file looks as follows.

It's kind of confusing that he writes that he got it to work, then says it does not work.

Anyway, the setting only affects new passwords. PreferredHashAlgorithm does not automatically change the hash algorithm for existing passwords.

Sorry for restarting an old thread

If I already have many users with passwords stored with hash encryption, and change PreferredHashAlgorithm to MD5 or plain text without resetting the old passwords, old users will continue to be able to login?

Thank you!

mattg
Moderator
Posts: 20837
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: switch from SHA256 to md5

Post by mattg » 2016-10-02 05:46

manos2000 wrote:... old users will continue to be able to login?
Correct
martin wrote:Anyway, the setting only affects new passwords.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

manos2000
New user
Posts: 8
Joined: 2013-06-16 02:20

Re: switch from SHA256 to md5

Post by manos2000 » 2016-10-02 21:31

Many thanks Martin! Tested also in a development environment, everything works fine.



mattg wrote:
manos2000 wrote:... old users will continue to be able to login?
Correct
martin wrote:Anyway, the setting only affects new passwords.
