openkm / document-management-system

OpenKM is an Open Source Document Management System
https://www.openkm.com/
GNU General Public License v2.0

Can I change password's hash algorithm? #270

Open Regentag opened 3 years ago

Regentag commented 3 years ago

I want to change the hash algorithm of user account password from MD5 to SHA256 or bcrypt. I tried changing the Hash algorithm in the OpenKM.xml file, but it didn't work well. If the user changes the password, it is saved as MD5 in the DB and cannot log in again.

<security:password-encoder hash="md5"/>

Can I modify the settings to use SHA256 or bcrypt? OpenKM version is 6.3.9(CE).

darkman97i commented 3 years ago

Take a look here https://github.com/openkm/document-management-system/blob/5c63b47d4661af625eea370b1d536a7a30211d89/src/main/java/com/openkm/dao/AuthDAO.java#L48

Because this is a radical change in the repository, it will be better to set a configuration parameter to switch between md5 and the new password crypt. Take a look at this class about how to create a new configuration parameter https://github.com/openkm/document-management-system/blob/master/src/main/java/com/openkm/core/Config.java ( use it to switch between md5 -> default and bcrypt )

I suggest something like

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Hash the plaintext password with bcrypt (random salt, default strength 10) before it is stored
BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
user.setPassword(bcrypt.encode(user.getPassword()));
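One way to implement the configuration switch described above, as an added example that is not OpenKM's own code. It assumes a configuration property named PASSWORD_ENCODER (hypothetical; in OpenKM it would be read through Config) with the values "md5" (default, legacy) or "bcrypt", and it assumes the legacy rows hold the unsalted lowercase hex MD5 of the password, which should be checked against what AuthDAO actually writes. Besides storing bcrypt for new and changed passwords, the helper also verifies existing MD5 rows and re-hashes them on a successful login, so that existing users are migrated without a reset; that is the part the failed XML-only change leaves out, since the storing side and the verifying side must agree on the format.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * Hypothetical helper sitting between AuthDAO and the database (example code,
 * not part of OpenKM). The PASSWORD_ENCODER value is an assumed configuration
 * parameter: "md5" keeps the legacy format, "bcrypt" switches to bcrypt.
 */
public final class PasswordHashing {

    /** Assumed config value; in OpenKM this would come from Config. */
    public static String PASSWORD_ENCODER = "bcrypt";

    private static final BCryptPasswordEncoder BCRYPT = new BCryptPasswordEncoder();

    /** Hash a new or changed password with the configured algorithm. */
    public static String encode(String rawPassword) {
        if ("bcrypt".equalsIgnoreCase(PASSWORD_ENCODER)) {
            return BCRYPT.encode(rawPassword);   // "$2a$10$..." with its own random salt
        }
        return md5Hex(rawPassword);              // assumed legacy format already in the DB
    }

    /** True if the candidate matches the stored hash, whichever format the row is in. */
    public static boolean matches(String rawPassword, String storedHash) {
        if (isBcrypt(storedHash)) {
            return BCRYPT.matches(rawPassword, storedHash);
        }
        // Legacy MD5 row: compare digests in constant time instead of String.equals
        byte[] expected = storedHash.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        byte[] actual = md5Hex(rawPassword).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    /**
     * True when a row should be re-hashed at login: it is still MD5 but the
     * configured encoder is bcrypt. Call it only after matches() succeeded.
     */
    public static boolean needsUpgrade(String storedHash) {
        return "bcrypt".equalsIgnoreCase(PASSWORD_ENCODER) && !isBcrypt(storedHash);
    }

    private static boolean isBcrypt(String hash) {
        // Modular-crypt prefixes produced by BCryptPasswordEncoder / jBCrypt
        return hash != null
            && (hash.startsWith("$2a$") || hash.startsWith("$2b$") || hash.startsWith("$2y$"));
    }

    /** Assumed legacy format: lowercase hex MD5 of the UTF-8 password (32 chars). */
    static String md5Hex(String rawPassword) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5")
                .digest(rawPassword.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(32);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /**
     * Login flow sketch: verify the password, then return the value to persist.
     * Returns null when the login must be rejected, the original hash when no
     * change is needed, or a fresh bcrypt hash when the row was still MD5.
     */
    public static String loginAndMaybeUpgrade(String rawPassword, String storedHash) {
        if (!matches(rawPassword, storedHash)) {
            return null;
        }
        return needsUpgrade(storedHash) ? encode(rawPassword) : storedHash;
    }

    public static void main(String[] args) {
        // Constructed sample: a row written by the legacy MD5 code path
        String legacyRow = md5Hex("secret");

        String persisted = loginAndMaybeUpgrade("secret", legacyRow);
        System.out.println("legacy row accepted and re-hashed as bcrypt: " + isBcrypt(persisted));
        System.out.println("upgraded row still verifies: " + matches("secret", persisted));
        System.out.println("wrong password rejected: " + (loginAndMaybeUpgrade("wrong", persisted) == null));
    }
}
```

The re-hash on login only works while the MD5 rows are still accepted, so a deployment that sets the parameter to "bcrypt" keeps verifying both formats until every active user has logged in once; accounts that never do can be forced through a password reset afterwards. The legacy comparison goes through MessageDigest.isEqual rather than String.equals so that the equality check does not leak via timing, and the upgraded value must be written back by the caller (AuthDAO in OpenKM's case), which this sketch leaves out.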
Regentag commented 3 years ago

@darkman97i Thank you for answer. If so, there is no way to apply it without modifying the source code.

darkman97i commented 3 years ago

No; in the code, when you create a new user and set the password, it must use the right crypt type to store in the database. That happens with all applications: adding or changing a password algorithm means changes in the code ( in this case minimal changes ).

Regentag commented 3 years ago

For personal use, I made a SHA-256 patch for version 6.3.9. https://github.com/Regentag/openkm_6.3.9ce_sha256

darkman97i commented 3 years ago

We will try to add it in the next release ... in future, it is better to fork the project and then open a pull request from your branch to ours.

@gnujavasergio ask me before working on it