Restting password for a user with and Administrator account

Hi @stephenwaite where can I find this field? I don’t see it in users_secure

hi @Carlos_Andres_Chavez, it’s in users

Do you remember or ask your users if a Globals save was done where they may have been kicked to login screen. Or even suddenly kicked to login at anytime.

I just blew up all my users trying to debug your issue!

Update: I don’t think this issue is caused by user password corruption. Check PHP error log and report.

Do you think this could be related to my globals blowing up recently on the stress testing I was doing?

Definitely! I’m still tracking it down but first looking at a way to give @Carlos_Andres_Chavez a recovery for his dilemma.
You and me should talk about a plan for this issue!

I had to recover my system by using a backed up copy of the globals table. I don’t know if that is the problem you are running into @Carlos_Andres_Chavez, but if so, you could try doing that.

Hi there, Client agreed to a new install. I feel bad that you blew up your users but glad that you discovered that so that it can be addressed in the future.

Hi, so we ended up starting from scratch, but yeah it most likely had to do with that table.

I had a similar problem when one of the users exceeded the max number login attempts.
Changing the user password did not solve the problem: “invalid user or password”.

I solved the problem quite simply: first changed the max login attempts setting in globals to a high value, then login with the correct user/password, logout, and change the setting back.

I am having thesame problem, what table do find max login attempts from mysql CLI? currently i cannot access the administrator account.

I just encountered same problem. I get the login screen and when I try to login in, it says invalid user/password. And, I am unable to login with my admin account.

I recently upgraded my apache and php (to php 8.2). When I saw that OpenEMR is not compatible with php 8.2, I downgraded php back to 8.1.14. But, I am still having the problem. Do I need to downgrade php further. Other web applications (not OpenEMR) are working OK.

Funny thing is that this happening on both of my mac computers (one never got upgraded to php 8.2). And, OpenEMR worked great on both before.

Using phpMyAdmin, I changed the following rows in the globals table:
gl_name gl_value
gbl_minimum_password_length 4
password_max_failed_logins 999
secure_password 0

I changed user table:
I changed username ‘administrator’ to ‘admin’

I changed users_secure:
I changed username ‘administrator’ to ‘admin’
I changed password to ‘$2a$05$MKtnxYsfFPlb2mOW7Qzq2Oz61S26s5E80Yd60lKdX4Wy3PBdEufNu’

And, I still cannot login. Am I missing something?
phpMyAdmin is letting me login to phpMyAdmin and it is fully working, so I don’t think it is an apache/php issue.

Could there be a setting in php.ini or apache.conf that can be messing things up?

hi @psoas , it might be another security setting.

Problem fixed.

I looked at log with:
select * from log order by date DESC limit 10;

Error was in base64 format and needed to be decoded to normal text.
Used following website to decode base64:

Error was:
failure: ::1. user password is expired

I went to the globals table and changed the value of the global ‘password_expiration_days’ to 9999.

UPDATE globalsSETgl_value= '9999' WHEREglobals.gl_name= 'password_expiration_days' ANDglobals.gl_index = 0;

And, I was able to login.

I consider this a bug. This might have been problem Andres might have had earlier in post who had to wipe out his database to fix problem.

Even if not, message needs to be changed when logging in:
For everything it says “invalid user or password”.

For an expired password, it should instead say: “Expired Password”
And, for max logins exceeded, it should say “Maximum Login Attempts Succeeded.”

Also, since administrator account is so important, it should be programmed so that password for the administrator never expires.

Either that, or provide a way the admin user can change their password when expired. Maybe, if password is expired, OpenEMR can provide a dialog for the admin to enter old password and new password so admin doesn’t get locked out.

1 Like

hi @psoas ,

Setting 0 for that (Default Password Expiration Days) in config (same as setting 0 in password_expiration_days) will disable that feature. Would recommend not doing that though (especially not for administrators whom have keys to the OpenEMR kingdom). There is a Password Expiration Grace Period that can be set where I am pretty sure the user is warned that the password will expire soon.

From a security perspective, need to avoid letting bad actors fish for usernames. For example, if messages are provided that explain why a user couldn’t log in, then a bad actor can confirm that the username is a real user. Currently a generic message is provided no matter what (note we even have the login take the same amount of time by processing a dummy hash in cases where a user does not exist, so a bad actor can’t figure it out by how long the login attempt takes).

So best to do the login failure details and reporting on the backend. At this point, login failures are placed in the log with detailed reason for why they failed, which is the best way to currently sort out failed logins (albeit this is awkward if viewing from outside openemr’s log viewer since are in base64, but will even be more awkward, but possible, for users that encrypt their error logs :slight_smile: ). A nice feature would be sending out emails to users that are nearing expired passwords.

1 Like

Password expiration days is the problem. Go to globals table on MySQL and set to 0, then login with old details and change passsword, then return to mysql and set back to what ever option you want.
NOTE: if you dont change your password and you return the expiry days to old figure. The system is bound to lock you out again.

Hi guys, it seems we have been locked out of the system. We were migrating from manual to OpenEMR 7.1 and only one user who was doing data entry has been changing their password before they expired. I personally set up the system but I was not aware of the password expiry period. Is it possible to elevate the current user who still has access to admin level and then have them reset passwords for everyone? Or what’s the alternative way to gain access to the system again? SOS: This software is running on a live system so at the moment no work can be done but rather we’re back to doing things manually.

Thank you

If you have direct db access try the admin reset statement.

If you/users know the last password(s) and expiry is the only problem, reset the expiry clock -

update users_secure set last_update=now(), last_update_password=now()

1 Like

I may have changed the UBS-admin-09 password after following other posts on the forum which used salt but It failed due to security requirements… the password was to be reset to pass… So I many not have old passwords for admin. However I didn’t temper with the others… I think the Hospital doctor may be admin, I will try it out on his user.

Ok, I too ran into this after trying to use openEMR after having not touched it in more than a year.
Finally got it working. Thanks @psoas for the suggestion to look at the log table, using the base64 decoder site! Nothing like understanding the error messages.
I too had changed the username in the users table, and the users_secure table. When I looked at the log message, I found
failure: ::1. user not found in a group
So, I changed the username in the groups table and then got
failure: ::1. user not in any phpGACL
I had enough of this, and set the username back to its original value, but keeping the changes to password in users_secure (to the value corresponding to “pass”), and having changed gbl_minimum_password_length to 4, and password_expiration_days to 0 and password_grace_time to 9999
With this config, I was able to log in
I found the first log entry for the login error from today and it was
failure: ::1. user password is expire
So the changes to the expiration settings in the globals table were in fact needed. But don’t touch the username!
When I was still getting errors, I was thinking the password for “pass” only worked if the username is “admin”. That is not the case. It works for any username.
Also, the “secure_password” setting in globals doesn’t seem to care whether it is 1 or 0

1 Like