Announcement

Collapse
No announcement yet.

Changing the way vBulletin hash's user passwords

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • john.parlane
    replied
    Originally posted by Andy Huang View Post
    Please note that when storing password into database, as well as logging in and what not, the password is stored as
    Code:
    md5(md5(password) . salt)
    when setting cookies, its set as
    Code:
    vbsetcookie('password', md5(md5(md5(password) . salt) . license))
    So, when you are importing into vB, you want to make sure you only do
    Code:
    md5(nukepassword . salt)
    NOT
    Code:
    md5(md5(nukepassword . salt) . license)
    Cheers.
    I dunno if somehting has changed, but
    vbsetcookie('password', md5(md5(md5(password) . salt) . license)) is not the cookie password hash. It is:

    Code:
    vbsetcookie('password', md5(md5(md5(password) . salt) . COOKIE_SALT))
    Where COOKIE_SALT is some internally available hashed value.

    Leave a comment:


  • Blittz
    replied
    ManagerJosh:

    phpBB import script, are you referring to the impex? If so, I did try that first off, and when I gave it the info for my nuke database, and ran it, it had a blank screen (my server has php errors turned off, really makes troubleshooting hard).

    Its ok though, I've got working code now to import the users sucessfully with working passwords (tested). At this point, I'm working on getting the forums imported. I've read that I need to get them into phpbb first, then I can import them, well, I got it in phpbb, but am unable to bring them in to vBulletin. I got past step 1 (the verification part.. forgot what it was called) and at step 2.. yup you got it, another blank screen. Now I can't even get the import screen to appear.. sigh.. oh well, another late night for me comming up :P


    Alfarin:

    Yup, I already got past that part, its working just fine now, thanks.

    Leave a comment:


  • Andy Huang
    replied
    Please note that when storing password into database, as well as logging in and what not, the password is stored as
    Code:
    md5(md5(password) . salt)
    when setting cookies, its set as
    Code:
    vbsetcookie('password', md5(md5(md5(password) . salt) . license))
    So, when you are importing into vB, you want to make sure you only do
    Code:
    md5(nukepassword . salt)
    NOT
    Code:
    md5(md5(nukepassword . salt) . license)
    Cheers.

    Leave a comment:


  • ManagerJosh
    replied
    no chance the phpBB import script works for you? I've been recommending that to everyone.

    Leave a comment:


  • Blittz
    replied
    I have a working script that will import your users from phpnuke v7.5 into vBulletin v3.06. I will clean up the script, and make it available as I promised. It will probably be posted tomorrow, or sometime soon.

    Thanks for the help everyone

    Leave a comment:


  • ManagerJosh
    replied
    There was never a third MD5 hash.

    Leave a comment:


  • Blittz
    replied
    ah Hah! I got it working, the only (very minor) problem being that all my imported users will have the same salt.

    Code:
    md5($nukehash . $salt)
    That will create the new hash for vB.. yippie :P

    P.S. this is just a 2nd md5 hash of the 1st hash, not sure where they thought they needed a 3rd hash.

    Leave a comment:


  • ManagerJosh
    replied
    What's happening is the MD5 is gonna get triple hashed by that method. That's not what vBulletin does. vBulletin does a double MD5 Hash, followed by a random salt key that's included into the hashing process.

    PHPNuke is already an MD5 Hash

    so...

    PHPNuke does this:
    PHP Code:
    $password 
    where $password = One layer of MD5 Hashing

    but....vBulletin is.

    PHP Code:
    md5($password), $salt 

    Small other suggestion...try using the Impex system with the phpBB importer. Since the PHP Nuke's forums are based on phpBB, it might be easier to modify the existing importer rather than creating a new one.

    Leave a comment:


  • xmitchx
    replied
    Originally posted by Blittz
    Unless I missed something over at http://www.vbulletin.org/forum/showthread.php?t=71482 , I thought it was:
    PHP Code:
    md5(md5(md5(password) . 'salt')) . 'LicenseNo'
    If what I saw is correct, then the first md5 is of the ((password) . 'salt')) so without the original password, you won't be able to create the hash.
    I think what daemon is saying and what I'm seeing is that PHPNuke md5 hashes the passwords. so:

    md5(md5(md5(password) . 'salt')) . 'LicenseNo')


    The bold part is complete already... so just do the rest and its vB style

    Leave a comment:


  • daemon
    replied
    The hashing order you posted above is for the way the cookies are set. Did you read the whole thread, specifically post #15?

    If you wanted to convert your Nuke passwords to vB, you'd simply take Nuke's md5() of the password and run it through:

    PHP Code:
    md5(NUKE_PASSWORD SALT
    ... and store that in the database.

    Leave a comment:


  • Blittz
    replied
    Originally posted by daemon
    Yes, you could do this, however this requres custom coding. You should go to vBulletin.org for help with this.

    Note: if Nuke just stores the passwords as a single md5() then you don't need to change vB. vB stores passwords as such:

    PHP Code:
    md5(md5(PASSWORD) . SALT); 
    So all that you need to do is MD5 the single MD5 password hash from Nuke and the salt and store it.
    Unless I missed something over at http://www.vbulletin.org/forum/showthread.php?t=71482 , I thought it was:
    PHP Code:
    md5(md5(md5(password) . 'salt')) . 'LicenseNo'
    If what I saw is correct, then the first md5 is of the ((password) . 'salt')) so without the original password, you won't be able to create the hash.

    Leave a comment:


  • daemon
    replied
    Yes, you could do this, however this requres custom coding. You should go to vBulletin.org for help with this.

    Note: if Nuke just stores the passwords as a single md5() then you don't need to change vB. vB stores passwords as such:

    PHP Code:
    md5(md5(PASSWORD) . SALT); 
    So all that you need to do is MD5 the single MD5 password hash from Nuke and the salt and store it.

    Leave a comment:


  • Blittz
    started a topic Changing the way vBulletin hash's user passwords

    Changing the way vBulletin hash's user passwords

    Greetings,

    I'm a brand new vBulletin owner, and look forward to getting rid of my old php-nuke system. Now, I bet your thinking, bah, this is just another "how do I convert my data" thread, but its not (mostly).

    First off, I know that Nuke (v7.5) stores its passwords in the database as a simple MD5 hash. And I know that vBulletin (v3.06) stores its passwords using a combination of the password, a salt, your id, and 3x md5 hashes. vBulletin's way of doing this is quite secure, as decrypting something like that is a virtual impossibility.

    I am trying to write a script that will import my nuke users over to vBulletin, and while I have the code pretty much done, it will import and bring over all the data, however, the password hashes will be different.

    Finally, here is my question: Can I change vBulletin to use a simple single md5 hash (thus making my system less secure, I know) instead of the 3x md5 its using now?

    Thanks in advance for any help. Oh, and yes, if I get this working, I'll be happpy to make the script available to other vBulletin users.

Related Topics

Collapse

Working...
X