Overview
By default, ProcessMaker Community stores users' passwords as MD5 hashes. ProcessMaker Enterprise Edition stores passwords inside its database using the SHA-256 algorithm, which is a more secure cryptographic hash function that generates a 64-digit hexadecimal number inside the RBAC_USERS.USR_PASSWORD field.
Hash functions provide a secure way to store passwords because the hash can be computed quickly from the password, so the password a user enters at login can be validated quickly, while the password cannot easily be recovered from the hash, so it is not easy to crack.
Installation
When the Enterprise Edition is installed with its license, the Secure User Password Hash feature becomes available. Go to ADMIN > Plugins > Enterprise Manager > Enterprise Features to verify that the secureUserPasswordHash feature is installed and enabled.
Set Password Encryption to MD5
ProcessMaker Enterprise Edition also allows the user to select the type of encryption passwords will have inside the system. After installing ProcessMaker, all passwords are encrypted using the SHA-256 algorithm by default; nevertheless, this type of encryption can be changed to the MD5 hash function.
Linux
To change the encryption method in Linux, open a terminal and log in as the "root" user, or use the sudo -i command to gain root access. Then, navigate to the directory where ProcessMaker is installed.
Then, run the command:
Replace WORKSPACE with the name of the workspace, which is "workflow" by default.
Windows
To change the encryption method in Windows, open the command prompt as an administrator and navigate to the directory where ProcessMaker is installed.
Then, run the command:
Replace WORKSPACE with the name of the workspace, which is "workflow" by default.
Set Password Encryption Back to SHA-256
To set the password encryption back to the SHA-256 algorithm, follow the steps below.
Linux
Log in as the "root" user, or use the sudo -i command to gain root access. Then, navigate to the directory where ProcessMaker is installed.
Then, enter the following command:
Replace WORKSPACE with the name of the workspace, which is "workflow" by default.
After successfully changing the password encryption, the following message will be shown:
Windows
To change the encryption method in Windows, open the command prompt as an administrator and change to the directory where ProcessMaker is installed.
Then, run the command:
Replace WORKSPACE with the name of the workspace, which is "workflow" by default.
The message "Changed... " will be shown after successfully changing the password encryption.
Then, log into ProcessMaker and it will ask the user to change the password. After changing the type of encryption, all ProcessMaker users must change their passwords. The encryption method is not configurable per user.
If your license does not include this feature, the following message is shown when running the command:
Password Policies
Password policies can be set by modifying the db.php file or using the Enhanced Login plugin. Remember to define the password policies before changing the encryption method.
Verifying the Database
To verify that the changes in the encryption were made correctly, access the ProcessMaker database, and check the ENTERPRISE_SETTING_ENCRYPT field inside the CONFIGURATION table.
It should contain "sha256" in its value.
To verify that a user has changed their password to MD5, check whether the RBAC_USERS.USR_PASSWORD and USERS.USR_PASSWORD fields inside the database contain a 32-digit hexadecimal hash. If the password hash is 32 characters long, the user has changed their password to MD5.
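The hash-then-compare login flow described in the overview and the hash-length check from the verification step above, as an added Python example. This is not ProcessMaker's own code: it assumes, as the page describes, that USR_PASSWORD holds an unsalted, single-round MD5 (32 hex digits) or SHA-256 (64 hex digits) digest, and the sample rows are constructed for the example.

```python
import hashlib
import hmac
import re

# Hex-digest lengths of the two storage schemes the page describes.
HASH_LENGTHS = {32: "md5", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def hash_password(password: str, scheme: str) -> str:
    """Return the lowercase hex digest of `password` under `scheme`.

    Both schemes are unsalted single-round digests, mirroring the storage
    formats described on the page (MD5 for Community, SHA-256 for Enterprise).
    """
    data = password.encode("utf-8")
    if scheme == "md5":
        return hashlib.md5(data).hexdigest()
    if scheme == "sha256":
        return hashlib.sha256(data).hexdigest()
    raise ValueError(f"unsupported scheme: {scheme}")


def classify_stored_hash(stored: str) -> str:
    """Infer the scheme of a USR_PASSWORD value from its length.

    Returns "md5" for 32 hex digits, "sha256" for 64 hex digits, and
    "unknown" for anything that is not a hex string of one of those lengths.
    """
    value = stored.strip().lower()
    if not HEX_RE.fullmatch(value):
        return "unknown"
    return HASH_LENGTHS.get(len(value), "unknown")


def verify_password(stored: str, candidate: str) -> bool:
    """Validate a login attempt: re-hash the candidate under the scheme the
    stored digest uses and compare in constant time, so the check does not
    leak how many leading bytes of the digest matched."""
    scheme = classify_stored_hash(stored)
    if scheme == "unknown":
        return False
    return hmac.compare_digest(hash_password(candidate, scheme),
                               stored.strip().lower())


def audit_rows(rows):
    """Group (username, USR_PASSWORD) rows by the scheme their digest uses.

    This is the page's verification step run over a whole table: users still
    listed under "md5" have not yet re-set their password after the switch to
    SHA-256, and "unknown" rows hold something that is not a valid digest.
    """
    summary = {"md5": [], "sha256": [], "unknown": []}
    for username, stored in rows:
        summary[classify_stored_hash(stored)].append(username)
    return summary


# Constructed sample rows (hypothetical users; not data from any real system).
SAMPLE_ROWS = [
    ("admin", hash_password("admin", "sha256")),   # re-set after the switch
    ("alice", hash_password("s3cret", "md5")),     # still on the old scheme
    ("bob", "not-a-hash"),                          # corrupt or unexpected value
]

if __name__ == "__main__":
    for scheme, users in audit_rows(SAMPLE_ROWS).items():
        print(f"{scheme:8s} {users}")
    print("admin login ok:", verify_password(SAMPLE_ROWS[0][1], "admin"))
```

The audit only tells you which scheme each stored value uses; it does not tell you whether the password itself was changed, which is why the page asks users to re-set their passwords after the encryption method is switched.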