---
tags: ccdc
---

# Update website user passwords

## obtain a list of users

Find the user table in the database. You can run a (MySQL) query from the terminal and write the result to a file, like:

```bash
# -N (--skip-column-names) keeps the column header line out of the users file
mysql -N -u root -p database_name -e "use database_name; select username_field from user_table_name" > users
```

## determine hashing algorithm and number of hash rounds used for user passwords

Common hash algos, identified by the prefix of the stored hash:

1. \$1\$ | MD5
2. \$2\$ | Blowfish/bcrypt
3. \$sha1\$, \$5\$, \$6\$ | SHA-1, SHA-256, SHA-512

## generate password update SQL commands for each user

This handy PHP script assumes use of the bcrypt (Blowfish, \$2y\$) hash algorithm:

```php
<?php
// One entry per username collected in the first step.
$names = array('user1', 'user2' /* , ... */);
foreach ($names as $n) {
    // password_hash() with PASSWORD_BCRYPT returns a $2y$ hash with a fresh salt on every call.
    echo "update table_with_users_and_passwords set password = '".password_hash("new_user_password", PASSWORD_BCRYPT)."' where username = '".$n."';\n";
}
?>
```

## run commands from last step in DBMS

## verify that users are still able to log in
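
A variant of the generation step, added here as an example and not part of the original note: it reads the `users` file, gives every account its own random password instead of one shared value, checks each hash with `password_get_info()` and `password_verify()`, and escapes usernames before they go into the SQL. The table and column names are the note's placeholders; the bcrypt cost of 12, the output file names, and the default MySQL `sql_mode` are assumptions.

```php
<?php
// Added example, not from the original note. TABLE and the column names are the
// note's placeholders; COST and the output file names are assumptions.
const TABLE = 'table_with_users_and_passwords';
const COST  = 12; // assumed bcrypt cost: use the value the web application expects

// Quote a value as a MySQL string literal (assumes the default sql_mode,
// in which backslash is an escape character).
function sql_quote(string $s): string {
    return "'" . str_replace(['\\', "'"], ['\\\\', "''"], $s) . "'";
}

// 18 CSPRNG bytes -> 24 URL-safe base64 characters, different for every user.
function new_password(): string {
    return strtr(base64_encode(random_bytes(18)), '+/', '-_');
}

// Returns [UPDATE statements, "username<TAB>password" lines].
function build_updates(array $users): array {
    $sql = []; $creds = [];
    foreach ($users as $u) {
        $pw   = new_password();
        $hash = password_hash($pw, PASSWORD_BCRYPT, ['cost' => COST]);
        // Check algorithm, cost and round trip before anything reaches the DBMS.
        $info = password_get_info($hash);
        if ($info['algoName'] !== 'bcrypt' || $info['options']['cost'] !== COST
            || !password_verify($pw, $hash)) {
            throw new RuntimeException("unexpected hash for user $u");
        }
        $sql[]   = 'update ' . TABLE . ' set password = ' . sql_quote($hash)
                 . ' where username = ' . sql_quote($u) . ';';
        $creds[] = "$u\t$pw";
    }
    return [$sql, $creds];
}

// Usage: php gen_updates.php [users_file [column_header]]
// With no arguments a constructed sample list is used.
$users = isset($argv[1])
    ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
    : ['username_field', 'alice', "o'brien"];
if ($users === false) { fwrite(STDERR, "cannot read users file\n"); exit(1); }
// mysql prints the column name as the first line unless -N was given; drop it.
if (($users[0] ?? null) === ($argv[2] ?? 'username_field')) array_shift($users);
[$sql, $creds] = build_updates($users);
umask(0077); // new files readable by the owner only
file_put_contents('update_passwords.sql', implode("\n", $sql) . "\n");
file_put_contents('new_credentials.tsv', implode("\n", $creds) . "\n");
echo count($sql), " statements written\n";
```

Load `update_passwords.sql` in the DBMS, then delete `new_credentials.tsv` once the passwords have been handed out, since it holds them in plaintext.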