Overview
By default, ProcessMaker stores users' passwords as MD5 hashes. ProcessMaker Enterprise Edition, however, provides an option to store passwords in its database using the SHA-256 algorithm, a stronger cryptographic hash function whose output is stored as a 64-digit hexadecimal number in the RBAC_USERS.USR_PASSWORD field.
Hash functions suit password storage because the hash is quick to compute from a password, which lets the system validate the password a user enters at login, while recovering the original password from the hash is computationally hard, so stored hashes are not easy to crack.
Installation
When the Enterprise Edition is installed with its license, the Secure User Password Hash feature becomes available. Go to ADMIN > Plugins > Enterprise Manager > Enterprise Features to verify that the secureUserPasswordHash feature is installed and enabled.
Set Password Encryption to SHA-256
ProcessMaker Enterprise Edition allows administrators to change the type of encryption applied to passwords inside the system. By default, after installing ProcessMaker, all passwords are encrypted using the MD5 algorithm; this can be changed to the SHA-256 hash function.
Linux
Log in as the "root" user or use the sudo -i command to gain root access. Then, navigate to the directory where ProcessMaker is installed.
Then, enter the following command:
Replace WORKSPACE with the name of the workspace, which by default is workflow.
After successfully changing the password encryption, the following message will be shown:
Windows
To change the encryption method in Windows, open the command prompt as an administrator and change to the directory where ProcessMaker is installed:
Then, run the command:
Replace WORKSPACE with the name of the workspace, which by default is workflow.
The message "Changed... " will be shown after successfully changing the password encryption.
Then, log in to ProcessMaker; it will prompt the user to change the password. After the encryption type is changed, all ProcessMaker users must change their passwords. The change is not configurable per user.
If your license does not include this feature, the following message is shown when the command is run:
Password Policies
Password policies can be set by modifying the db.php file or by using the Enhanced Login plugin. Remember to define the password policies before changing the encryption method.
Set Password Encryption back to MD5
Use the following steps to set the password encryption back to the MD5 algorithm.
Linux
To change the encryption method in Linux, open a terminal and log in as the "root" user or use the sudo -i command to gain root access. Then, navigate to the directory where ProcessMaker is installed.
Then, run the command:
Replace WORKSPACE with the name of the workspace, which by default is workflow.
Windows
To change the encryption method in Windows, open a terminal as an Administrator. Then, navigate to the directory where ProcessMaker is installed.
Then, run the command:
Replace WORKSPACE with the name of the workspace, which by default is workflow.
Verifying the Database
To verify that the encryption change was made correctly, access the database in which ProcessMaker created its structure and check the ENTERPRISE_SETTING_ENCRYPT field inside the CONFIGURATION table.
It should contain "sha256" in its value.
To verify that a user has changed their password to MD5, check whether the RBAC_USERS.USR_PASSWORD and USERS.USR_PASSWORD fields inside the database hold a 32-digit hexadecimal hash. If the password hash is 32 characters long, the user has changed their password to MD5.
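The database check above can be automated for a whole user table. The following is an added example, not ProcessMaker code: it classifies each stored hash by the length rule the page gives (32 hex digits for MD5, 64 for SHA-256), compares it with the ENTERPRISE_SETTING_ENCRYPT value, and reports users who have not yet changed their password or whose RBAC_USERS and USERS rows disagree. The sample rows and the hashed placeholder strings are constructed here; a real audit would read them from the two tables.

```python
import hashlib
import re
from collections import Counter

# Shape of the hashes the page describes: MD5 -> 32 hex digits, SHA-256 -> 64 hex digits.
HASH_SHAPES = {32: "md5", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_hash(stored: str) -> str:
    """Return 'md5', 'sha256' or 'unknown' from the stored hash's length and charset."""
    value = (stored or "").strip().lower()
    if HEX_RE.match(value):
        return HASH_SHAPES.get(len(value), "unknown")
    return "unknown"


def audit_password_hashes(encrypt_setting: str, rows):
    """rows: (USR_UID, RBAC_USERS.USR_PASSWORD, USERS.USR_PASSWORD) tuples.

    Returns how many hashes of each kind exist, which users still hold a hash
    that does not match ENTERPRISE_SETTING_ENCRYPT (they have not changed their
    password since the switch), and which users have inconsistent tables.
    """
    expected = encrypt_setting.strip().lower()
    counts = Counter()
    pending, inconsistent = [], []
    for uid, rbac_hash, users_hash in rows:
        kind = classify_hash(rbac_hash)
        counts[kind] += 1
        if classify_hash(users_hash) != kind:
            inconsistent.append(uid)
        if kind != expected:
            pending.append(uid)
    return {"counts": dict(counts), "pending": pending, "inconsistent": inconsistent}


# Constructed sample data: hashes of placeholder strings, used only for their shape.
md5_sample = hashlib.md5(b"sample-1").hexdigest()
sha_sample = hashlib.sha256(b"sample-2").hexdigest()
SAMPLE_ROWS = [
    ("USER_A", sha_sample, sha_sample),  # changed password after the switch
    ("USER_B", md5_sample, md5_sample),  # still on MD5: must change password
    ("USER_C", sha_sample, md5_sample),  # tables disagree: investigate
    ("USER_D", "", ""),                  # empty or unrecognised format
]

if __name__ == "__main__":
    print(audit_password_hashes("sha256", SAMPLE_ROWS))
```

Run it with "md5" as the setting after rolling the encryption back, and the pending list becomes the users whose rows still hold 64-digit hashes.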