#25704 no matter what I do when I set password protect admin it locks me out

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Thursday, 25 August 2016 17:20 CDT

flotsman
I have used multiple browsers / deleted entire site 2 times.
Looked at permissions - spoken to host.....
It works on same host different site prior to 4.0 and 3.6

Looks like there needs to be a better fix, nothing I found on here works....

Bummer, as you have always provided a killer security app. Hopefully you will fix this soon.

nicholas
Akeeba Staff
Manager
Actually it's your host's fault. Which host are you using? Also please let me explain why it's your host's fault.

Do note that administrator password protection is NOT handled by Admin Tools, it is handled by the web server (Apache). What we do with this feature is create a .htaccess and a .htpasswd file in the administrator folder of your site. The former says "this folder is password protected, look in .htpasswd for the password information" and the latter provides the username and password that needs to be used.

There are some caveats, depending solely on your hosting provider.

If your hosting provider is using an ancient version of Apache or has disabled some of the advanced password hashing algorithms, your password is truncated to 8 characters by Apache itself. This means that you should try using the first 8 characters of your password only. If that works please throw a rage fit to your host and demand that they fix their servers.

The other caveat is closely related to the previous item. Apache has different ways of hashing the passwords. The only methods which may also be available to PHP are (in order of most to least preferred):
  • Iterated and salted MD5 (APR1)
  • SHA-1
  • Traditional crypt
  • Plain text


We always try to use APR-1 first. If something weird is going on (the host has disabled a lot of PHP's security-related features) we then try SHA-1. If the host is really crap and has disabled SHA-1 in PHP we try to use traditional crypt (with the caveat about only the first 8 characters being used I explained above). In stupid cases where the host has disabled even that we try plain text. If the web server does not support the method we selected (something we have no way to detect) you will never be able to enter an acceptable password.

TL;DR: It is your host's fault, really. If they don't understand it's their fault choose a different host, preferably one run by people who know what they're doing.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
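
An added example, not part of the ticket and not Akeeba's code: a small offline check that reads a `.htpasswd` file, names which of the four methods listed in the reply above each entry uses, and shows the 8-character truncation that applies to traditional crypt. The sample file, user names and function names are constructed for illustration; classification is by the shape of the hash field only.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample .htpasswd; alice's and carol's hashes are shape-only placeholders.
SAMPLE = """\
alice:$apr1$Zx9kQ2ab$0123456789abcdefghijkl
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:abJnggxhB/yWI
dave:s3cret-plain-text
"""

NOTES = {
    "apr1": "iterated, salted MD5; the method tried first",
    "sha1": "unsalted SHA-1, base64 encoded",
    "crypt": "traditional crypt; only the first 8 password characters count",
    "plain": "stored as plain text; fails if the server does not accept it",
}

def classify(field):
    """Name the hashing method from the shape of the hash field."""
    for prefix, scheme in (("$apr1$", "apr1"), ("{SHA}", "sha1")):
        if field.startswith(prefix):
            return scheme
    return "crypt" if re.fullmatch(r"[./0-9A-Za-z]{13}", field) else "plain"

def audit(text):
    """Return (user, scheme, note) for every user:hash line."""
    rows = []
    for line in text.splitlines():
        if ":" in line:
            user, field = line.strip().split(":", 1)
            rows.append((user, classify(field), NOTES[classify(field)]))
    return rows

def check(field, password):
    """Verify a password offline where no server code is needed; else None."""
    scheme = classify(field)
    if scheme == "sha1":
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest())
        return hmac.compare_digest(field[5:].encode(), digest)
    if scheme == "plain":
        return hmac.compare_digest(field.encode(), password.encode())
    return None  # apr1 and crypt need the server's own routines

def typed_password(field, password):
    """What is actually compared: crypt ignores characters past the 8th."""
    return password[:8] if classify(field) == "crypt" else password
```

Running `audit()` over the file Admin Tools wrote shows which method was selected on a given site, which is the detail the reply says decides whether any password can be accepted.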

flotsman
Not correct - My host is fine - I copied the .htaccess and htpasswd files to the one that wouldn't work and used same password - Worked. Not sure why it works on my other 3 sites on same host - thanks

nicholas
Akeeba Staff
Manager
Are you using any non-alphanumeric character in your password such as one of the following: !@#$%^&*()_-=[]{};:'"\|<,>./? If you do, please try using the latest dev release from our site. Does that fix the issue you are experiencing?


System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
