Overview

ProcessMaker stores users' passwords in its database as MD5 hashes. This cryptographic function generates a 32-digit hexadecimal number, which is stored in the USERS.USR_PASSWORD field. In version 2.8 and later, ProcessMaker provides an option to save passwords with SHA-256, a more secure cryptographic hash function that generates a 64-digit hexadecimal number.

Hash functions provide a secure way of storing passwords because the hash can be generated quickly from the password and used to validate the password entered by the user during login, but the password cannot easily be discovered from the hash, so it is not easy to crack.

Installation

When the Enterprise Edition is installed with its license, the Secure User Password Hash feature should be available. Go to ADMIN > Plugins > Enterprise Manager > Enterprise Features to verify that the secureUserPasswordHash feature is installed and enabled.

Set Password Encryption to SHA-256

ProcessMaker allows the type of password encryption used inside the system to be selected. By default, after ProcessMaker is installed, all passwords are encrypted using the MD5 algorithm; this type of encryption can be changed to the SHA-256 hash function.

Linux

To change the encryption method in Linux, open a terminal and log in as the "root" user or use the sudo -i command to gain root access. Then, navigate to the directory where ProcessMaker is installed.

su        # or: sudo -i (enter the password when prompted)
cd /opt/processmaker

Then, enter the following command:

sudo ./processmaker change-password-hash-method WORKSPACE sha256

Replace WORKSPACE with the name of the workspace, which by default is: workflow

After successfully changing the password encryption, the following message will be shown:

Windows

To change the encryption method in Windows, open the command prompt as an administrator and change to the directory where ProcessMaker is installed:

cd C:\INSTALL-DIRECTORY\processmaker

Then, run the command:

processmaker change-password-hash-method WORKSPACE sha256

Replace WORKSPACE with the name of the workspace, which by default is: workflow

The message "Changed... " will be shown after successfully changing the password encryption.

Then, log into ProcessMaker and it will ask the user to change the password.

If your license does not include this feature, the following message is shown when running the command:

Note 1: After changing the type of encryption, all ProcessMaker users must change their passwords. The change is not configurable per user.

Note 2: If ProcessMaker 2.8 has been installed by migration, the Case Schedulers as well as Web Entries previously created inside processes must be redefined in their configuration because both of them require the users' passwords.

Note 3: An error related to "cliCaseArchive.php" might appear when executing the command to change the hash method. This file belongs to the Case Archive and Restore plugin and does not affect the password encryption method.

Verifying the Database

To verify that the encryption change was made correctly, access the database in which ProcessMaker created its structure and check the ENTERPRISE_SETTING_ENCRYPT field inside the CONFIGURATION table.

It should contain "sha256" in its value.

To verify that a user has changed his or her password to SHA-256, check whether the RBAC_USERS.USR_PASSWORD and USERS.USR_PASSWORD fields inside the database have a 64-digit hexadecimal hash. If the password hash is 32 characters, then the user hasn't yet logged into ProcessMaker and changed his/her password.
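As an added example (not ProcessMaker's own code), the following Python script applies the length check above to exported values of both password fields and reports which users are still on MD5. The dictionary layout (user identifier mapped to stored value), the user names and the hashes are assumptions constructed for illustration.

```python
import hashlib
import re

HEX = re.compile(r"[0-9a-fA-F]+")

def classify(value):
    """Return the hash method implied by a stored USR_PASSWORD value."""
    if not value or not HEX.fullmatch(value):
        return "invalid"                      # empty, NULL or not hexadecimal
    return {32: "md5", 64: "sha256"}.get(len(value), "invalid")

def audit(users, rbac_users):
    """Compare USERS.USR_PASSWORD with RBAC_USERS.USR_PASSWORD per user.

    Both arguments map a user identifier to the stored value (assumed export
    layout). Returns a dict of sorted user lists keyed by status.
    """
    report = {"migrated": [], "pending": [], "mismatch": [], "invalid": []}
    for user in sorted(set(users) | set(rbac_users)):
        u, r = classify(users.get(user)), classify(rbac_users.get(user))
        if "invalid" in (u, r):
            status = "invalid"       # missing row or unexpected value
        elif u != r:
            status = "mismatch"      # the two fields disagree on the method
        elif u == "sha256":
            status = "migrated"      # 64 hex digits in both fields
        else:
            status = "pending"       # still 32 hex digits: password not changed
        report[status].append(user)
    return report

# Constructed sample data: hashes of made-up strings, not real credentials.
def _md5(s): return hashlib.md5(s.encode()).hexdigest()
def _sha(s): return hashlib.sha256(s.encode()).hexdigest()

USERS = {"alice": _sha("sample-a"), "bob": _md5("sample-b"),
         "carol": _sha("sample-c"), "dave": ""}
RBAC_USERS = {"alice": _sha("sample-a"), "bob": _md5("sample-b"),
              "carol": _md5("sample-c")}

if __name__ == "__main__":
    for status, names in audit(USERS, RBAC_USERS).items():
        print(f"{status:9} {', '.join(names) or '-'}")
```

Users listed as "pending" have not yet logged in and changed their password; "mismatch" and "invalid" entries need manual inspection.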

Set Password Encryption to MD5

To set the password encryption back to the MD5 algorithm, use the following commands.

Linux

Log in as the "root" user or use the sudo -i command to gain root access. Then, navigate to the directory where ProcessMaker is installed.

su        # or: sudo -i (enter the password when prompted)
cd /opt/processmaker

Then, run the command:

./processmaker change-password-hash-method WORKSPACE md5

Windows

cd C:\INSTALL-DIRECTORY\processmaker

Then, run the command:

processmaker change-password-hash-method WORKSPACE md5