# Admin Password Security Assessment

## Current Status ✅ SECURE (with caveats)

### Good News
- Admin passwords **ARE stored hashed** in the database using `password_hash()`
- Login uses `password_verify()` for secure comparison
- Passwords are never exposed in plaintext during authentication

### Concerns ⚠️

#### 1. Default Passwords in Setup Scripts
Multiple setup scripts contain hardcoded default passwords:
- `setup_admin.php` - uses `'admin123'`
- `sync_users.php` - uses `'password'`
- `setup_auth.php` - uses `'password'`
- `setup.php` - uses `'password'`

**Risk**: If these scripts are accessible, attackers could reset admin password to known value.

**Action**: These scripts should be:
- Removed from production
- Moved to archive (already done)
- Protected with authentication if needed for maintenance

#### 2. No Password Change Enforcement
- Users are not forced to change default passwords on first login
- No password expiration policy
- No password strength requirements

**Action**: Implement:
- First-login password change requirement
- Password expiration (90 days recommended)
- Password strength validation (min 8 chars, mixed case, numbers)

#### 3. No Account Lockout
- No protection against brute force attacks
- No rate limiting on login attempts
- No account lockout after failed attempts

**Action**: Implement:
- Account lockout after 5 failed attempts
- 15-minute lockout period
- Rate limiting on login endpoint

## What Was Fixed

### New File: `php/auth/change_password.php`
- Allows users to change their password
- Validates current password before allowing change
- Enforces minimum 8-character password
- Requires password confirmation
- Hashes new password securely

## Recommended Actions

### Immediate (Critical)
1. **Change all default admin passwords** to strong, unique values
2. **Remove setup scripts** from production (already archived)
3. **Enable HTTPS** for all authentication pages
4. **Add password change page** to user profile (done)

### Short-term (Important)
1. Implement first-login password change requirement
2. Add password strength validation
3. Implement account lockout after failed attempts
4. Add login attempt logging
5. Implement session timeout (30 minutes recommended)

### Long-term (Recommended)
1. Implement two-factor authentication (2FA)
2. Add password history (prevent reuse)
3. Implement password expiration policy
4. Add security questions for password reset
5. Implement audit logging for all admin actions

## Current Admin Credentials

**IMPORTANT**: Change these immediately!

From setup scripts:
- Username: `admin`
- Password: `password` or `admin123` (depending on which script was run)

## Testing Password Security

```bash
# Test 1: Verify password hashing
SELECT Username, Password FROM users WHERE Role = 'Admin';
# Should show hashed passwords like: $2y$10$...

# Test 2: Verify password_verify works
# Login with admin account - should work if password is correct

# Test 3: Verify wrong password fails
# Try login with wrong password - should fail
```

## Database Password Verification

To verify admin password is properly hashed:

```php
<?php
require_once 'php/includes/db.php';
require_once 'php/includes/table_helper.php';

$pdo = getDBConnection();
$usersTable = getTableNameCached($pdo, 'users');

$stmt = $pdo->prepare("SELECT Username, Password FROM $usersTable WHERE Role = 'Admin'");
$stmt->execute();
$admins = $stmt->fetchAll(PDO::FETCH_ASSOC);

foreach ($admins as $admin) {
    echo "Admin: {$admin['Username']}\n";
    echo "Password Hash: {$admin['Password']}\n";
    echo "Is Hashed: " . (strpos($admin['Password'], '$2y$') === 0 ? 'YES' : 'NO') . "\n\n";
}
?>
```

## Summary

✅ **Passwords are securely hashed in database**
⚠️ **But setup scripts with default passwords are still in codebase**
⚠️ **No enforcement of password changes or strength**
⚠️ **No protection against brute force attacks**

**Action Required**: Change admin password immediately and implement additional security measures listed above.
