    • 53910
    • 26 Posts
    Hey there,

    I want to change my database password. After that's done I obviously need to tell MODX in the config.inc.php what that new password is. Now I noticed that it's being stored encrypted in there and I couldn't find the method/algorithm which is used to do that. I don't just want to put my blank password in there so I would like to encrypt in the same way MODX does already if you set up a new installation.

    Can someone tell me please what method is used or how I can encrypt my password so MODX can use it?

    I'm running MODX Revolution 2.6.3

    Thanks a lot!

    This question has been answered by BobRay. See the first response.

      • 3749
      • 24,544 Posts
      That's odd. I have 2.6.3 and MODX3 installed and the DB credentials are in plain text. The MODX3 install is new. Clearly you can use plain text and it will work.

      Are you sure your DB password doesn't just look like an encrypted password?

      I would assume that the encryption would use PBKDF2, but to do it yourself, you might have to know what's used for the salt.

      If you want to experiment, this code would be my wild guess about how to produce the encrypted password:

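      $string = 'unencrypted_password_here';
      // In a snippet $this is not a modUser, so the hash class is named directly
      // (hashing.modPBKDF2 is the default hash_class for MODX users).
      $modx->getService('hashing', 'hashing.modHashing');
      // PBKDF2 needs a salt; 'salt_here' is a placeholder, the real salt is the unknown mentioned above.
      return 'Encrypted Password: ' . $modx->hashing->getHash('', 'hashing.modPBKDF2')->hash($string, array('salt' => 'salt_here'));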
      


      Change the first line and put the code in a snippet. Then view a page with the snippet tag on it.

        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 53910
        • 26 Posts
        Well, now that I think of it, could be a plain text password. Wouldn't it be more secure though to have it encrypted on there? Still learning what all goes into making a site as secure as possible.

        I was just going through the hardening MODX post and probably therefore thought this would be encrypted, as I usually picked different passwords for my database and didn't recognize the random word. But maybe I even got more secure this time by choosing a random one in the first place and just can't remember that.

        I also don't remember salting anything so it must be plain text then I guess.

        However, thanks a lot for your great and detailed reply!
          • 3749
          • 24,544 Posts
          Encrypting things in an Open Source platform is always complicated.

          The trouble with encrypting the DB password in config.inc.php is that MODX needs the actual DB password to get started. If it were encrypted with a one-way hashing algorithm, like user passwords are, you'd have to enter it each time you log in (in addition to your Manager credentials), because it's impossible to recover a password from a hash value.

          If it were encoded with a two-way method that allowed MODX to decode it to get the real password, any experienced hacker could easily look at the MODX code and figure out how to do the same thing.

          Using either method would also mean creating a separate utility for telling MODX that your DB password had changed, providing another method for hackers to cause trouble. You'd also have to remember how to run that utility outside of MODX. Your site would be offline, and you'd be locked out of the Manager until the utility ran successfully.

          So -- nice idea but not too practical. I've had hundreds of such ideas since I started working with MODX. A large proportion of them were wrong-headed, but a few paid off, so don't stop suggesting things.



            • 53910
            • 26 Posts
            Now I learned something! Thank you for this kind and detailed insight, that really helped me understand more of the matter and also focused some aspects I haven't thought of yet. Really appreciate your message!
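
BobRay's second reply contrasts a one-way hash with a two-way encoding for the DB password in config.inc.php. The PHP below is an added illustration of that contrast, not code from the thread or from MODX; the function names, the iteration count, the key handling and every value are constructed assumptions.

```php
<?php
// Added illustration. Every value here is constructed; nothing is read from MODX.
$dbPassword = 'constructed-db-password';

// One-way: PBKDF2, the kind of hash used for user passwords.
// The stored value can be compared against a candidate, never turned back.
function one_way(string $password, string $salt): string
{
    // 1000 iterations and a 32-byte key are illustrative parameters.
    return base64_encode(hash_pbkdf2('sha256', $password, $salt, 1000, 32, true));
}

// Two-way: AES-256-GCM. The config would hold only ciphertext, but the
// application also has to hold $key, or it could not connect to the database.
function seal(string $plain, string $key): string
{
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);   // layout: 12-byte IV, 16-byte tag, ciphertext
}

function unseal(string $blob, string $key)
{
    $raw = base64_decode($blob);
    return openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
}

$salt   = random_bytes(16);
$stored = one_way($dbPassword, $salt);

// Verification only works because someone supplies the password again each time.
var_dump(hash_equals($stored, one_way('constructed-db-password', $salt)));
var_dump(hash_equals($stored, one_way('wrong-guess', $salt)));
// No function maps $stored back to $dbPassword, so a database connection
// cannot be opened from $stored alone.

// Whoever can read the config file can usually read the key kept beside it,
// and then recovers the password with the same call the application uses.
$key    = random_bytes(32);
$sealed = seal($dbPassword, $key);
var_dump(unseal($sealed, $key) === $dbPassword);
// With a different key the GCM tag check fails and openssl_decrypt returns false.
var_dump(unseal($sealed, random_bytes(32)));
```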