How to get password hashes of users


(Gaurav Negi) #1

Dear All,
I am building an external site for some other purpose. I already have Discourse for user discussions.
I want to collect the password hashes of all the Discourse users,
so that I can import the same user;password into another external site's database; that way users do not need to create another account on the website.

Can I please know how I can do that?

I installed this plugin, but looks like documentation of this is not complete.

Readme file says this

  • Store your alternative password hashes in a custom field named import_pass
user = User.find_by(username: 'user')
user.custom_fields['import_pass'] = '5f4dcc3b5aa765d61d8327deb882cf99'
user.save

Can I please know, how and where I can run the above commands?


(Cameron:D) #2

The migrate password plugin is for migrating passwords from an imported forum to Discourse, but won’t help you do it the other way.

If you need people to be able to log in to this other service, can you use SSO to allow them to log in through Discourse:


(Jay Pfaffman) #3

You could use the data explorer plugin to get the password hashes.


(Gaurav Negi) #4

Thanks Cameron and Jay,
Will try out the “data explorer plugin” also.

However I found a way.

  1. Enter the container that is running Discourse

$ docker ps

The above command will give the container info

$ docker exec -it "Container ID" bash

Now you are inside the container. Now log on to postgres and connect to the database
$ su - postgres
$ psql
postgres=# \list

When you are in the database (by default it is discourse).

discourse=# select username, id, password_hash from users;


(Gaurav Negi) #5

Thanks Jay. Tried out “data explorer plugin” it runs awesome.


(Gaurav Negi) #6

All, can I know the hash algorithm name and hash key for the Discourse user password?
Is the hash algorithm PBKDF2?
Also, is the salt the hash key?


(Jay Pfaffman) #7

The source code is available. You can look there. It’ll be in the app directory, probably in user.rb.
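
For reference alongside the question in #6 and the pointer to the source in #7, an added example (not part of the original thread and not Discourse's own code) of how a receiving site could check a login against an exported `password_hash`/`salt` row without ever recovering the password. It assumes PBKDF2-HMAC-SHA256 with 64,000 iterations, a 32-byte output stored as hex, and the salt column used as a literal string; these parameters and all function names are assumptions to confirm against the Discourse source for your version.

```ruby
require "openssl"

# Assumed Discourse parameters (not stated in the thread; confirm them against
# the Discourse source for your version before relying on them).
ASSUMED_ITERATIONS = 64_000
ASSUMED_DIGEST = "SHA256"
HASH_BYTES = 32 # one SHA-256 output block, stored as 64 hex characters

# Derive the hex digest under the assumed scheme: PBKDF2-HMAC-SHA256 over the
# password, with the salt column passed in as a literal string (not hex-decoded).
def pbkdf2_hex(password, salt, iterations: ASSUMED_ITERATIONS)
  raw = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, HASH_BYTES,
                                   OpenSSL::Digest.new(ASSUMED_DIGEST))
  raw.unpack1("H*")
end

# Constant-time comparison so timing does not leak how many characters match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Check a login attempt against one exported row (username, password_hash, salt).
# Rows with no hash or salt (e.g. accounts that never set a password) never match.
def verify_exported_row(row, candidate, iterations: ASSUMED_ITERATIONS)
  stored, salt = row[:password_hash], row[:salt]
  return false if stored.nil? || salt.nil? || stored.empty? || salt.empty?
  secure_equal?(pbkdf2_hex(candidate, salt, iterations: iterations), stored.downcase)
end

# Constructed sample rows (not real data); 1_000 iterations keeps the demo fast.
DEMO_ITERATIONS = 1_000
SAMPLE_ROWS = [
  { username: "alice", salt: "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    password_hash: pbkdf2_hex("correct horse", "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
                              iterations: DEMO_ITERATIONS) },
  { username: "bob", salt: nil, password_hash: nil } # constructed: no local password
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ROWS.each do |row|
    ok = verify_exported_row(row, "correct horse", iterations: DEMO_ITERATIONS)
    puts "#{row[:username]}: #{ok ? 'match' : 'no match'}"
  end
end
```

If the derived value does not match a hash you know the password for, the assumed iteration count or digest differs from what your Discourse version uses.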


(Felix Freiberger) #8

If you want to authenticate users against Discourse’s internal database, you really shouldn’t look into the database directly, but follow the link by @Cameron_D. Implementing SSO shouldn’t be harder, and you’ll get a solution that is supported and won’t suddenly break with a Discourse update if Discourse changes its database scheme :slight_smile:


(Gaurav Negi) #9

@fefrei That's the long-term plan: to have a website with SSO and have Discourse authentication from there.
But for now, I do not want existing Discourse users to create another account on that website.
So I am trying to export the users’ details (password_hash, salt etc.) from Discourse and import them into the website, which uses Firebase for authentication.

In Firebase import it is asking for

salt separator

Does anyone know what is salt separator in discourse?

I do not see anything mentioned in the Discourse documentation about salt separator.

https://github.com/discourse/discourse/blob/9ce66038647bc4ff63167fe9c74857a01acc0875/docs/SECURITY.md


(Felix Freiberger) #10

That is exactly what using Discourse as an SSO provider is for :wink: