
Resolved Password warning while updating to Obsidian 18.0.21

Denis Gomes Franco

Regular Pleskian
Hey, I think I may have found a small bug.

While updating my servers to 18.0.21, one of them showed this message beforehand:

WARNING: There are 6 accounts with passwords encrypted using a deprecated algorithm. Please refer to Plesk upgrade warning: There are accounts with passwords encrypted using a deprecated algorithm for the instructions about how to change the password type to plain.

I followed the instructions in the article and tracked down these objects (database users). I fixed the issue by retrieving the current password from wp-config.php (these are all WordPress sites) and applying the same password to the users. That did the trick.

Then I noticed... these sites were migrated from cPanel using the migration tool. So I believe the bug is that the migration routine is recreating the database users from the old server with the same password (so as to not break the website) but using a deprecated algorithm.

So my suggestion is to review the migration code so as to create new database users using the new password algorithm.
 
What you're asking is practically impossible. The password encryption can't be reversed, therefore the clear text passwords can't be easily recreated. And without the clear text passwords, the automated transfer mechanism has no way of encrypting the passwords using a newer algorithm.

Keep in mind that you were able to manually get the clear text passwords only because you had access to the site code and knew where to look. First, the code might not always be available, and second, an automated transfer mechanism can't read passwords as easily as a human can, because they are not always written in the same place or in the same form.

I'd advise anyone migrating the sites from other control panels and dealing with the deprecated algorithms to deal with it right away. Recreate the passwords or even reset them if need be; don't wait for it to become an issue later on.
 
In this case, maybe some warning somewhere during the transfer would be nice. Or was it so hidden that I didn't see it?

In any case I'm glad it showed up during the upgrade procedure so it could be dealt with right away.
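
The reply above notes that an automated transfer cannot read passwords as reliably as a human can. As an added example (not part of the thread and not Plesk's migration code), the following reader accepts database settings from wp-config.php only when they are plain string literals and flags everything else for manual handling. The sample file contents and all values in them are constructed.

```python
import re

# define('NAME', <value>); at the start of a line, so "// define(...)" is skipped.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\s*\(\s*(['"])(DB_NAME|DB_USER|DB_PASSWORD)\1\s*,\s*(.+?)\s*\)\s*;""",
    re.MULTILINE,
)
# Recoverable forms: one complete single-quoted PHP literal, or a double-quoted
# literal with no escapes and no "$" interpolation. Anything else needs a human.
SINGLE_RE = re.compile(r"^'((?:[^'\\]|\\.)*)'$")
DOUBLE_RE = re.compile(r'^"([^"\\$]*)"$')

def read_db_settings(php_source):
    """Return (found, unresolved): literal values, and raw expressions we refuse to guess."""
    found, unresolved = {}, {}
    for match in DEFINE_RE.finditer(php_source):
        name, raw = match.group(2), match.group(3)
        single, double = SINGLE_RE.match(raw), DOUBLE_RE.match(raw)
        if single:
            # PHP single-quoted strings only escape \' and \\
            found[name] = re.sub(r"\\(['\\])", r"\1", single.group(1))
        elif double:
            found[name] = double.group(1)
        else:
            unresolved[name] = raw
    return found, unresolved

# Constructed sample: the common case, all values are literals.
SAMPLE_LITERAL = r"""<?php
define( 'DB_NAME', 'shop_wp' );
define( 'DB_USER', 'shop_user' );
define( 'DB_PASSWORD', 'it\'s-Constructed-123' );
"""
# Constructed sample: the password comes from the environment, not the file.
SAMPLE_INDIRECT = """<?php
// define('DB_PASSWORD', 'old-constructed-value');
define('DB_USER', 'blog_user');
define('DB_PASSWORD', getenv('WP_DB_PASS'));
"""

if __name__ == "__main__":
    for label, source in (("literal", SAMPLE_LITERAL), ("indirect", SAMPLE_INDIRECT)):
        found, unresolved = read_db_settings(source)
        # Print setting names only, never the recovered secret itself.
        print(label, "recoverable:", sorted(found), "manual:", sorted(unresolved))
```

In the second sample the password cannot be recovered from the file at all, so the only automated options are to copy the old hash as-is or to reset the password.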
 