
Overview

By default, ProcessMaker Community stores users' passwords as MD5 hashes. ProcessMaker Enterprise Edition stores passwords in its database using the SHA-256 algorithm, a more secure cryptographic hash function that produces a 64-character hexadecimal string, which is stored in the RBAC_USERS.USR_PASSWORD field.

Hash functions are a suitable way to store passwords because computing the hash of a password is fast, so the password entered at login can be hashed and compared with the stored value, while recovering the original password from its hash is not easy, which makes the stored value hard to crack.

Installation

When the Enterprise Edition is installed with its license, the Secure User Password Hash feature becomes available. Go to ADMIN > Plugins > Enterprise Manager > Enterprise Features to verify that the secureUserPasswordHash feature is installed and enabled.

Set Password Encryption to MD5

ProcessMaker Enterprise Edition also allows an administrator to select which hash function is used for passwords inside the system. After installing ProcessMaker, all passwords are hashed with the SHA-256 algorithm by default; nevertheless, this can be changed to the MD5 hash function.

Linux

To change the encryption method in Linux, open a terminal and log in as the "root" user, or use the sudo -i command to gain root access. Then, navigate to the directory where ProcessMaker is installed.

su
(enter the root password when prompted; alternatively, run sudo -i)
cd /opt/processmaker

Then, run the command:

./processmaker change-password-hash-method WORKSPACE md5

Replace WORKSPACE with the name of the workspace, which is "workflow" by default.

Windows

To change the encryption method in Windows, open the command prompt as an administrator and navigate to the directory where ProcessMaker is installed.

cd C:\INSTALL-DIRECTORY\processmaker

Then, run the command:

php -f ./processmaker change-password-hash-method WORKSPACE md5

Replace WORKSPACE with the name of the workspace, which is "workflow" by default.

Set Password Encryption Back to SHA-256

To set the password encryption back to the SHA-256 algorithm, follow the steps below.

Linux

Log in as the "root" user, or use the sudo -i command to gain root access. Then, navigate to the directory where ProcessMaker is installed.

su
(enter the root password when prompted; alternatively, run sudo -i)
cd /opt/processmaker

Then, enter the following command:

sudo ./processmaker change-password-hash-method WORKSPACE sha256

Replace WORKSPACE with the name of the workspace, which is "workflow" by default.

After successfully changing the password encryption, the following message will be shown:

Windows

To change the encryption method in Windows, open the command prompt as an administrator and change to the directory where ProcessMaker is installed:

cd C:\INSTALL-DIRECTORY\processmaker

Then, run the command:

php -f ./processmaker change-password-hash-method WORKSPACE sha256

Replace WORKSPACE with the name of the workspace, which is "workflow" by default.

The message "Changed..." will be shown after successfully changing the password encryption.

Then, log into ProcessMaker; it will ask the user to change the password. After the hash method has been changed, every ProcessMaker user must change their password, because an existing stored hash cannot be converted to the new algorithm without the original password. The hash method is a system-wide setting and is not configurable per user.

If your license does not include this feature, the following message is shown when running the command:

Password Policies

Password policies can be set by modifying the db.php file or using the Enhanced Login plugin. Remember to define the password policies before changing the encryption method.

Verifying the Database

To verify that the changes in the encryption were made correctly, access the ProcessMaker database, and check the ENTERPRISE_SETTING_ENCRYPT field inside the CONFIGURATION table.

It should contain "sha256" in its value.

To verify that a user has changed their password under MD5, check whether the RBAC_USERS.USR_PASSWORD and USERS.USR_PASSWORD fields in the database contain a 32-character hexadecimal hash. If the stored hash is 32 characters long, the user has changed their password to MD5; a 64-character hash indicates SHA-256.
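Checking one user by hand works, but after a migration an administrator usually wants to know which users have not yet changed their password. The following script is an added example, not part of the ProcessMaker documentation or product: it applies the length check described above (32 hexadecimal characters for MD5, 64 for SHA-256) to the rows of RBAC_USERS and reports the users whose stored hash does not match the method configured in CONFIGURATION.ENTERPRISE_SETTING_ENCRYPT. The sample rows are constructed inline with hashlib so the script runs offline; the USR_USERNAME column name in the commented query is an assumption about the schema.

```python
import hashlib
import re

# Query an administrator would run against the ProcessMaker database to obtain
# real rows (RBAC_USERS.USR_PASSWORD is named on the page; USR_USERNAME is assumed).
QUERY = "SELECT USR_USERNAME, USR_PASSWORD FROM RBAC_USERS"

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")
HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def classify_hash(stored: str) -> str:
    """Classify a stored password hash by its shape.

    32 hexadecimal characters -> 'md5', 64 -> 'sha256', anything else -> 'unknown'.
    This is purely structural, matching the manual check described in the text.
    """
    value = stored.strip().lower()
    if HEX_MD5.match(value):
        return "md5"
    if HEX_SHA256.match(value):
        return "sha256"
    return "unknown"


def check_setting(value: str) -> str:
    """Validate the ENTERPRISE_SETTING_ENCRYPT value; only md5 and sha256 are documented."""
    value = value.strip().lower()
    if value not in ("md5", "sha256"):
        raise ValueError(f"unexpected hash method in CONFIGURATION: {value!r}")
    return value


def summarize(rows, expected: str) -> dict:
    """Count hash types in rows of (username, stored_hash) and list users not yet on `expected`."""
    counts = {"md5": 0, "sha256": 0, "unknown": 0}
    pending = []
    for username, stored in rows:
        kind = classify_hash(stored)
        counts[kind] += 1
        if kind != expected:
            pending.append(username)
    return {"expected": expected, "counts": counts, "pending": pending}


def constructed_rows():
    """Sample rows built here for the demonstration; they are not real ProcessMaker data."""
    return [
        ("admin", hashlib.sha256(b"sample-password-1").hexdigest()),   # already on SHA-256
        ("alice", hashlib.md5(b"sample-password-2").hexdigest()),      # still on MD5
        ("bob", hashlib.sha256(b"sample-password-3").hexdigest()),     # already on SHA-256
        ("legacy", "not-a-hex-hash"),                                  # malformed row
    ]


def check_pending_users(setting_value: str = "sha256", rows=None) -> dict:
    """Compare stored hashes against the configured method and report users still to migrate."""
    expected = check_setting(setting_value)
    rows = constructed_rows() if rows is None else rows
    return summarize(rows, expected)


if __name__ == "__main__":
    report = check_pending_users("sha256")
    print("configured method:", report["expected"])
    print("hash counts:", report["counts"])
    print("users who must still change their password:", report["pending"])
```

Replace constructed_rows() with the result of QUERY against the live database to audit a real installation; a non-empty "pending" list after switching to SHA-256 means those accounts are still protected by the old MD5 hash until their owners log in and change their password.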