
Overview

By default, ProcessMaker stores users' passwords as MD5 hashes. ProcessMaker Enterprise Edition adds an option to store them as SHA-256 hashes instead. SHA-256 is a stronger cryptographic hash function than MD5 and produces a 64-character hexadecimal string, which is stored in the RBAC_USERS.USR_PASSWORD field (an MD5 hash is 32 characters long).

Hashing is appropriate for storing passwords because the hash is quick to compute from the password, so a login can be checked by hashing the entered password and comparing it with the stored value, while the stored hash cannot be reversed to recover the password. Note the limit of that protection: MD5 and SHA-256 are both fast general-purpose hash functions, so an attacker who obtains a copy of the database can still test candidate passwords at high speed and compare the results with the stored hashes. Switching to SHA-256 removes MD5's known weaknesses, but it does not replace strong password policies or protection of the database itself.

Installation

When the Enterprise Edition is installed with its license, the Secure User Password Hash feature becomes available. Go to ADMIN > Plugins > Enterprise Manager > Enterprise Features to verify that the secureUserPasswordHash feature is installed and enabled.

Set Password Encryption to SHA-256

ProcessMaker Enterprise Edition allows the hash method used for passwords to be changed. By default, after installing ProcessMaker all passwords are hashed with the MD5 algorithm; this can be changed to the SHA-256 hash function. Although the product's settings refer to this as "encryption", passwords are hashed, not encrypted, and the stored values cannot be decrypted.

Linux

Log in as the "root" user, or use the sudo -i command to gain root access, entering your password when prompted. Then, navigate to the directory where ProcessMaker is installed (/opt/processmaker in a default installation):

su
cd /opt/processmaker

Then, enter the following command:

sudo ./processmaker change-password-hash-method WORKSPACE sha256

Replace WORKSPACE with the name of the workspace (by default: workflow).

After the hash method has been changed successfully, a confirmation message is shown.

Windows

To change the hash method in Windows, open the command prompt as an administrator and change to the directory where ProcessMaker is installed:

cd C:\INSTALL-DIRECTORY\processmaker

Then, run the command:

processmaker change-password-hash-method WORKSPACE sha256

Replace WORKSPACE with the name of the workspace (by default: workflow).

A message beginning "Changed..." is shown after the hash method has been changed successfully.

Because the stored MD5 hashes cannot be converted into SHA-256 hashes of the same passwords (the plaintext is not available to ProcessMaker), every existing user is prompted to set a new password at the next login after the change. This applies to all users of the workspace and cannot be configured per user. Until a user has set a new password, that account's stored hash remains in the old format.

If your license does not include this feature, an error message is shown when the command is run.

Password Policies

Password policies can be set by modifying the db.php file or by using the Enhanced Login plugin. Define the password policies before changing the hash method, so that the new passwords users are forced to set after the change already comply with them.

Set Password Encryption back to MD5

To set the password hash method back to the MD5 algorithm, run the same command with md5 as the method. Reverting is a downgrade in protection, and it again requires every user to set a new password at the next login, since the stored SHA-256 hashes cannot be converted to MD5.

Linux

To change the hash method in Linux, open a terminal and log in as the "root" user, or use the sudo -i command to gain root access, entering your password when prompted. Then, navigate to the directory where ProcessMaker is installed (/opt/processmaker in a default installation):

su
cd /opt/processmaker

Then, run the command:

./processmaker change-password-hash-method WORKSPACE md5

Replace WORKSPACE with the name of the workspace (by default: workflow).

Windows

To change the hash method in Windows, open a command prompt as an administrator. Then, navigate to the directory where ProcessMaker is installed:

cd C:\INSTALL-DIRECTORY\processmaker

Then, run the command:

php -f ./processmaker change-password-hash-method WORKSPACE md5

Replace WORKSPACE with the name of the workspace (by default: workflow).

Verifying the Database

To verify that the change was made correctly, connect to the database in which ProcessMaker created its schema and check the ENTERPRISE_SETTING_ENCRYPT setting in the CONFIGURATION table.

After switching to SHA-256 it should contain the value "sha256" (after switching back to MD5, "md5").

To verify whether a given user has already set a new password under the current method, look at the length of the RBAC_USERS.USR_PASSWORD and USERS.USR_PASSWORD values, which should match: an MD5 hash is a 32-character hexadecimal string and a SHA-256 hash is 64 characters. After a switch to SHA-256, a user whose hash is still 32 characters has not yet set a new password; after a switch back to MD5, a 32-character hash means the user has.
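The following queries are an added example of carrying out these checks from the MySQL client; they are not part of the ProcessMaker documentation or product. The table names CONFIGURATION, RBAC_USERS and USERS and the fields ENTERPRISE_SETTING_ENCRYPT and USR_PASSWORD come from this page; the column names CFG_UID and CFG_VALUE in CONFIGURATION, and USR_UID and USR_USERNAME in RBAC_USERS and USERS, are assumptions about the ProcessMaker schema and should be checked against your installation with DESCRIBE before running them.

```sql
-- Added example, not ProcessMaker's own code. Assumes MySQL and the ProcessMaker
-- workspace database is selected (USE workflow; or the name of your workspace).
-- Assumed column names: CONFIGURATION.CFG_UID / CFG_VALUE, and USR_UID /
-- USR_USERNAME in RBAC_USERS and USERS. The other names appear on this page.

-- 1. Which hash method the workspace is configured to use.
--    Expect 'sha256' after the change, 'md5' after reverting.
SELECT CFG_UID, CFG_VALUE
FROM CONFIGURATION
WHERE CFG_UID = 'ENTERPRISE_SETTING_ENCRYPT';

-- 2. Classify every stored hash by its shape: 32 hex characters = MD5,
--    64 hex characters = SHA-256. Anything else was not written by either
--    method and deserves a look. Also confirm that the copy in USERS matches
--    the copy in RBAC_USERS, since the page says both fields must agree.
SELECT r.USR_USERNAME,
       CHAR_LENGTH(r.USR_PASSWORD) AS hash_length,
       CASE
         WHEN r.USR_PASSWORD REGEXP '^[0-9a-fA-F]{32}$' THEN 'md5'
         WHEN r.USR_PASSWORD REGEXP '^[0-9a-fA-F]{64}$' THEN 'sha256'
         ELSE 'unknown'
       END AS hash_method,
       CASE
         WHEN u.USR_PASSWORD = r.USR_PASSWORD THEN 'in sync'
         ELSE 'MISMATCH'
       END AS users_table_copy
FROM RBAC_USERS r
JOIN USERS u ON u.USR_UID = r.USR_UID
ORDER BY hash_method, r.USR_USERNAME;

-- 3. After the switch to SHA-256: accounts that have not yet logged in and set
--    a new password, i.e. whose stored hash is still MD5. These are the
--    accounts to chase (or disable) before treating the migration as complete.
SELECT USR_USERNAME
FROM RBAC_USERS
WHERE USR_PASSWORD REGEXP '^[0-9a-fA-F]{32}$'
ORDER BY USR_USERNAME;

-- 4. Summary for reporting: how many accounts are on each method.
SELECT CASE
         WHEN USR_PASSWORD REGEXP '^[0-9a-fA-F]{32}$' THEN 'md5'
         WHEN USR_PASSWORD REGEXP '^[0-9a-fA-F]{64}$' THEN 'sha256'
         ELSE 'unknown'
       END AS hash_method,
       COUNT(*) AS accounts
FROM RBAC_USERS
GROUP BY hash_method;
```

Query 3 is the one to re-run until it returns no rows: as long as any account still has a 32-character hash, that user's password is stored in the old format regardless of what ENTERPRISE_SETTING_ENCRYPT says. Run these read-only queries with a database account that has only SELECT rights on these tables, and do not copy the hash values out of the database when reporting results.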