All archive data will be queried many times by this information. Update FAQ: How do I change the Super User’s password when password recovery emails are not sent? Ecommerce websites automatically have these goals. The password was hashed using 20000 rotations of the pbkdf2 sha256 algorithm using the salt random-salt-here and resulted in the hash hashed-password-here. Those are stored in the log_link_visit_action table. Is there any feature that could not be modified to use the API proxy defined in ee3bc9c? I think however that needs some deeper refactorings for example regarding the tests matching password hashes in their XML fixtures. Would probably only need to check how to flag it. These options have a special autoload property set to 1. There won't be nearly as many of these as there are visits and archive data entries, but they will be queried often. All you need to do is add a salt before hashing the password (the longer the better), as reported in the summary. The following algorithms are currently supported: PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Apologies if this is all being taken care of already (I didn't check the code), but we need to store ALL of this so that we can later upgrade the algorithm, the number of rotations, etc. Site entities contain information regarding a website whose visits are tracked. Usually authentications consist of a key and a secret which makes it easier as only having the secret. Site entity data access occurs primarily through the Piwik\Site class. What I can see from code is that passwords are hashed with md5, but without a salt. Migrating the admin user would work like, since the user will log in anyway. Without it, log aggregation would require a table scan through the entire log_visit table.
This means that if the Matomo DB is ever compromised, your LDAP users' passwords will still be safe. Matomo will analyze these tallies in conjunction with the actions that caused them in order to help Matomo users understand how to make their visitors take more desired actions. Currently I plan to rehash every password with SHA256 during the upgrade combined with setting a "_legacy_password"-Option stored for each user. The cost should be chosen such that password_verification takes about 100ms, substantially slower than MD5 of a password that can usually be calculated in less than 0.01ms so password_verification is about 100,000 times slower than MD5 in the same class CPU that password_hash was calculated on. To read more about users access, read the Permissions guide. Of course they could then also just overwrite the token with a new one but it would be still good security to have it hashed. The index_idsite_servertime index is used when aggregating ecommerce items. User entities describe each Matomo user. I'll go on my now. Site entities are stored in the site table and contain the following information: Site entities also contain a list of extra URLs that can be used to access the website. Sacrificing this with the argument of backward compatibility is criminally stupid, sorry. When a visitor views a page or screen, Matomo will attempt to detect whether this request belongs to an existing visit, and/or whether the visitor has visited the website before. change the user's salt?). We should have a salt for Password to avoid dictionary attacks or prevent password leakages on other websites to impact a user login to Piwik.
For now we wouldn't need the feature to create multiple tokens etc and be good to only migrate existing tokens (each user has one token) but if you're keen on implementing this as well with multi tokens .