[Release] MD5 Encrypted Passwords


  • [Release] MD5 Encrypted Passwords

    Being an old-fashioned sysadmin, I feel better in the mornings if I cannot view my users' passwords.

    After installing vBulletin, I was disturbed to find that passwords were stored in cleartext. So I made a couple of modifications to ensure that only MD5 encrypted passwords were stored in the database.

    I didn't think much of it at the time; I was sure someone had released a hack already. When browsing the VB forums, however, I found that a lot of people wanted a solution like mine.

    The main issue of concern seemed to be "But now the lost-password function won't work!"

    I put in place a random, "pronounceable password generator" I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database.

    I chose MD5 because I'm fond of the concept of "one-way" encryption.

    Now, no admin can see a member's password. :-)

    Enjoy!

    (Instructions, and a database-update script are included in the .zip file at http://www.coffeeintherain.com/scripts/md5_hack.zip )
    CoffeeMugDude
    New Member
    Last edited by CoffeeMugDude; Sun 29 Jul '01, 10:38am.

  • #2
    Though I have not installed it yet, just looking through the code and the installation instructions, it appears to be very well done!

    You are a class act CoffeeMugDude.

    Thank you!

    -t
    thewitt
    Senior Member
    Last edited by thewitt; Sun 29 Jul '01, 10:54am.
    Tim Hewitt
    myOstrich Internet - Domain Management & Internet Services
    myOstrich Golf - When it comes to golf, we don't have our heads in the sand.



    • #3
      Oops

      Oops, I thought I had posted this in the VB2 hacks forum.

      BTW, thanks thewitt!



      • #4
        Hi there,

        Yes, looks really clean & nice - very impressive!
        Will install it asap over the next few days.

        Thanks a bunch!
        -Tom
        www.MCSEboard.de
        German Windows Server & IT Pro Community dedicated to Windows Client & Server Systems. MVPs inside



        • #5
          Little mistake?

          The change to admin/session.php line 109 needs to be corrected in your instructions.htm.

          Then it's working fine for me.
          this is my sig



          • #6
            Written by CoffeeMugDude:
            I put in place a random, "pronounceable password generator" I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database.
            After reading through your first sentences this was my first worry... and you nailed it... this sounds awesome!

            Although I do find it very helpful at times, when dealing with users, to have their password visible for certain situations, like testing their account as them, etc.
            PaintballCity.com
            VB Board of the Month: October



            • #7
              Another one.

              In member.php the whole "start update password" routine isn't handled.

              Find
              Code:
              // validate old password
                if ($currentpassword!=$bbuserinfo[password]) {
              and replace it with
              Code:
              // validate old password
                if (md5($currentpassword)!=$bbuserinfo[password]) {
              Then find
              Code:
              $DB_site->query("UPDATE user SET password='".addslashes($newpassword)."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'");
              and replace it with
              Code:
              $DB_site->query("UPDATE user SET password='".addslashes(md5($newpassword))."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'");
              this is my sig
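Added example serving the opening post and the member.php edits above; it is not code from the hack or from vBulletin. It puts the thread's unsalted md5() comparison next to a salted, deliberately slow hash, and upgrades a legacy MD5 row the first time its owner logs in successfully. It assumes a PDO connection and the user(userid, password) table the hack writes to; the function names are mine.

```php
<?php
// Added example, not code from the hack or from vBulletin: the thread's
// unsalted-MD5 comparison beside a salted slow hash, with legacy rows
// upgraded transparently at the user's next successful login.

// What the hack stores and compares. Unsalted MD5 gives equal hashes for
// equal passwords, so one precomputed table cracks every matching row at once.
function legacy_password_matches(string $candidate, string $stored): bool
{
    return hash_equals($stored, md5($candidate));
}

// Hardened form: password_hash() salts every row and uses a slow algorithm,
// and the parameterised UPDATE replaces the addslashes() string building.
function store_password(PDO $db, int $userid, string $plain): void
{
    $stmt = $db->prepare('UPDATE user SET password = :p WHERE userid = :id');
    $stmt->execute([':p' => password_hash($plain, PASSWORD_DEFAULT), ':id' => $userid]);
}

// Login check. A row that still holds a 32-hex MD5 value is verified the old
// way once and rewritten immediately, so migration needs no cleartext copy.
function verify_and_upgrade(PDO $db, int $userid, string $candidate, string $stored): bool
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        if (!legacy_password_matches($candidate, $stored)) {
            return false;
        }
        store_password($db, $userid, $candidate);
        return true;
    }
    if (!password_verify($candidate, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        store_password($db, $userid, $candidate);   // hash parameters changed since it was stored
    }
    return true;
}

// Constructed demo on an in-memory SQLite table (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO user VALUES (1, '" . md5('correct horse') . "')");
$stored = $db->query('SELECT password FROM user WHERE userid = 1')->fetchColumn();
var_dump(verify_and_upgrade($db, 1, 'wrong guess', $stored));    // rejected, row untouched
var_dump(verify_and_upgrade($db, 1, 'correct horse', $stored));  // accepted, row rewritten
$stored = $db->query('SELECT password FROM user WHERE userid = 1')->fetchColumn();
var_dump(strlen($stored) > 32 && password_verify('correct horse', $stored));
```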



              • #8
                OK, first, thanks for this hack, it totally rocks, and should be in vBulletin as a default feature, not a hack...
                I got it working now (I hope) but it took some screwing around... so I'm just putting what I did here so others can do the same:

                1) Do not edit the file sessions.php until AFTER you have run the update password script - you won't be able to log in to run the script if you do...

                2) The file encrypt_all_passwords.php is messed up and will crash - search for "$DB_site_new" and replace with "$DB_site" before you run it...

                3) The 2nd step of modifying admin/sessions.php is backwards - search for the 2nd part, and replace with the first!

                4) The very last editing step says search for something and there is a '{' at the end... it shouldn't be there!!

                5) Ignore all line numbers - they refer to vbb 2.0.1!

                6) Do what Pogo says right above my post... he probably knows what he's talking about (but why didn't he complain about the encrypt_all_passwords.php file?)

                Now I'm gonna go see if my forum still works... I'll be back to whine and complain if it doesn't...
                creamy
                New Member
                Last edited by creamy; Fri 17 Aug '01, 2:40am.



                • #9
                  BTW, this hack seems better than the other encrypting one - I don't see why I would want to give ppl the choice of having their password in plaintext...



                  • #10
                    hmm
                    I made some more mistakes... don't do this:

                    When doing the first edit, don't take the first search match - you want to take the one at about line 115, in the "email a lost password" section (or whatever it is).

                    And it's still not working 100%, so I'll edit this later with more info.



                    • #11
                      HELP!!

                      Um, I can't fix the last part on my own... maybe someone who knows PHP can help.

                      When you tell it to mail you a password, it's supposed to generate one from a list of words, mail that one, and store it in the database. It's getting stuck on the easy part - opening the list of words.
                      The instructions say:
                      Save the files "ppassgen.php", "encrypt_all_passwords.php", and "words.txt" to your VB "admin" directory.

                      You can use any word list to generate your random passwords, I used my system's /usr/dict/words. Just be sure to save your wordlist to "words.txt" in your "admin" directory.
                      Well, I did that, and I checked the chmod in case it matters, but even at 777 it doesn't work. I get this error instead:

                      Code:
                      Warning: fopen("words.txt","r") - No such file or directory in /home/mod-chi/public_html/admin/ppassgen.php on line 29
                      
                      Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 37
                      
                      Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 38
                      
                      Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 37
                      
                      Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 38
                      (repeating forever)
                      The code in the first part of ppassgen.php is:

                      Code:
                       <?php
                       /* 
                        * function ppassgen() 
                        * parameters: 
                        * $words = the name of the file w/ the words (one per line) 
                        *      or an array of words 
                        * $min = the minimum number of words per password 
                        * $max = the maximum number of words per password 
                        * $cutoff = the minimum number of characters per word 
                        * $sep = separator for the words in the password 
                        */ 

                       function ppassgen($words= "words.txt", $min=2, $max=4, $cutoff=5, $sep= "_") { 

                           // This is here for cases when we email a password from the admin control panel

                           if(is_array($words)) { 
                               /* if we have passed an array of words, use it */ 
                               $word_arr =  "words"; 
                               /* 
                               while(list($k,$v) = each(${$word_arr})) { 
                                   echo "$k $v<BR>"; 
                               } 
                               */ 
                           } else { 
                               /* read the external file into an array */ 
                               $fp = fopen($words, "r");      // <---------------------------- LINE 29

                               /* the original tested "!fp": a bare constant, read as the string "fp" and always true, so this branch never ran */
                               if (!$fp) { 
                                   echo  "[ERROR]: Could not open file $words<BR>\n"; 
                                   exit; 
                               } else { 
                                   /* assuming words of up to 127 characters */ 
                                   $word_arr =  "ext_arr"; 
                                   while(!feof($fp)) {             // <---------------------------- LINE 37
                                       $tword = trim(fgets($fp,128)); // <------------------- LINE 38

                                       /* check for minimum length and for exclusion of numbers */ 
                                       /* the original compared against $cut_off, which is never set; the parameter is $cutoff.
                                          ereg() was removed in PHP 7, so preg_match() does the digit check */
                                       if ((strlen($tword) >= $cutoff) && !preg_match("/[0-9]/", $tword)) { 
                                           $ext_arr[] = strtolower($tword); 
                                       } 
                                   } 
                                   fclose($fp); 
                               } 
                           }
                           /* ... the rest of ppassgen() (building the password from the word list) is not shown in the post */
                       }

                      I already tried the following:
                      not putting quotes around the filename
                      putting a full path to the words.txt
                      putting a relative path to words.txt

                      with no success....



                      • #12
                        The full path works fine for me
                        Code:
                        function ppassgen($words= "/full/path/to/words.txt", $min=2, $max=4, $cutoff=5, $sep= "_") {
                        Yeah, I should have complained about the wrong encrypt_all_pass... file.
                        And don't forget to check the mod panel index.php. I think you have to modify something there too.
                        this is my sig



                        • #13
                          hmm
                          I might not have put /users/ or whatever at the start of my path, I'll try again...
                          You know what's the most annoying? This file has code in it to detect if the file open failed, but it's not working.
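Added example serving posts #11 through #13; it is not the hack's own ppassgen.php. A bare "words.txt" is opened relative to the working directory of the script that included ppassgen.php rather than relative to admin/, which is the usual reason a relative name fails while an absolute path works; this version resolves the name against the script's own directory, tests the handle as $fp so the failure branch actually fires, and draws words with random_int(). The file name demo_words.txt and the function names are mine.

```php
<?php
// Added example, not the hack's ppassgen.php. Three fixes for what the thread
// ran into: the word list is resolved against this file's own directory (a bare
// "words.txt" is opened relative to the working directory of the script that
// included ppassgen.php, so only an absolute path worked for the posters), the
// handle is tested as $fp (the original's "!fp" is a bare constant and never
// fails), and words are chosen with random_int() rather than rand().

// Returns the filtered word list, or false if the file cannot be opened or
// yields nothing, so the caller can refuse to issue an empty password.
function load_words(string $file, int $cutoff = 5)
{
    $path = strncmp($file, '/', 1) === 0 ? $file : __DIR__ . '/' . $file;
    $fp = @fopen($path, 'r');
    if ($fp === false) {
        return false;
    }
    $words = [];
    while (($line = fgets($fp, 128)) !== false) {
        $w = strtolower(trim($line));
        // keep words of at least $cutoff characters that contain no digit
        if (strlen($w) >= $cutoff && !preg_match('/[0-9]/', $w)) {
            $words[] = $w;
        }
    }
    fclose($fp);
    return $words === [] ? false : $words;
}

// Join between $min and $max randomly chosen words with $sep.
function ppassgen_secure(array $words, int $min = 2, int $max = 4, string $sep = '_'): string
{
    $parts = [];
    $count = random_int($min, $max);
    for ($i = 0; $i < $count; $i++) {
        $parts[] = $words[random_int(0, count($words) - 1)];
    }
    return implode($sep, $parts);
}

// Constructed demo: a small word list written beside this script ("42" and
// "axe" are dropped by the filter), then one generated password.
file_put_contents(__DIR__ . '/demo_words.txt', "apple\ncopper\nwindow\nabsent\n42\naxe\n");
$words = load_words('demo_words.txt');
if ($words === false) {
    fwrite(STDERR, "Could not open or read the word list\n");
    exit(1);
}
echo ppassgen_secure($words), "\n";
```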



                          • #14
                            Yeah, the absolute path to the file works fine...
                            Only problem I have now is when I go to the control panel I have to log in again... dunno if I'm smart enough to figure out what's wrong (cookie problem?)
                            I hope the vBulletin dudes put this in the code soon, I hate hacking my board!



                            • #15
                              Does this work with vB 2.0.3?
