Announcement

Collapse
No announcement yet.

Changing the way vBulletin hash's user passwords

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Changing the way vBulletin hash's user passwords

    Greetings,

    I'm a brand new vBulletin owner, and look forward to getting rid of my old php-nuke system. Now, I bet your thinking, bah, this is just another "how do I convert my data" thread, but its not (mostly).

    First off, I know that Nuke (v7.5) stores its passwords in the database as a simple MD5 hash. And I know that vBulletin (v3.06) stores its passwords using a combination of the password, a salt, your id, and 3x md5 hashes. vBulletin's way of doing this is quite secure, as decrypting something like that is a virtual impossibility.

    I am trying to write a script that will import my nuke users over to vBulletin, and while I have the code pretty much done, it will import and bring over all the data, however, the password hashes will be different.

    Finally, here is my question: Can I change vBulletin to use a simple single md5 hash (thus making my system less secure, I know) instead of the 3x md5 its using now?

    Thanks in advance for any help. Oh, and yes, if I get this working, I'll be happpy to make the script available to other vBulletin users.
    -DJ Blittz

    RacketRadio.com

  • #2
    Yes, you could do this, however this requres custom coding. You should go to vBulletin.org for help with this.

    Note: if Nuke just stores the passwords as a single md5() then you don't need to change vB. vB stores passwords as such:

    PHP Code:
    md5(md5(PASSWORD) . SALT); 
    So all that you need to do is MD5 the single MD5 password hash from Nuke and the salt and store it.
    Bugdar: PHP bug tracking software that is beautiful, fast, and robust.

    Comment


    • #3
      Originally posted by daemon
      Yes, you could do this, however this requres custom coding. You should go to vBulletin.org for help with this.

      Note: if Nuke just stores the passwords as a single md5() then you don't need to change vB. vB stores passwords as such:

      PHP Code:
      md5(md5(PASSWORD) . SALT); 
      So all that you need to do is MD5 the single MD5 password hash from Nuke and the salt and store it.
      Unless I missed something over at http://www.vbulletin.org/forum/showthread.php?t=71482 , I thought it was:
      PHP Code:
      md5(md5(md5(password) . 'salt')) . 'LicenseNo'
      If what I saw is correct, then the first md5 is of the ((password) . 'salt')) so without the original password, you won't be able to create the hash.
      -DJ Blittz

      RacketRadio.com

      Comment


      • #4
        The hashing order you posted above is for the way the cookies are set. Did you read the whole thread, specifically post #15?

        If you wanted to convert your Nuke passwords to vB, you'd simply take Nuke's md5() of the password and run it through:

        PHP Code:
        md5(NUKE_PASSWORD SALT
        ... and store that in the database.
        Bugdar: PHP bug tracking software that is beautiful, fast, and robust.

        Comment


        • #5
          Originally posted by Blittz
          Unless I missed something over at http://www.vbulletin.org/forum/showthread.php?t=71482 , I thought it was:
          PHP Code:
          md5(md5(md5(password) . 'salt')) . 'LicenseNo'
          If what I saw is correct, then the first md5 is of the ((password) . 'salt')) so without the original password, you won't be able to create the hash.
          I think what daemon is saying and what I'm seeing is that PHPNuke md5 hashes the passwords. so:

          md5(md5(md5(password) . 'salt')) . 'LicenseNo')


          The bold part is complete already... so just do the rest and its vB style

          Comment


          • #6
            What's happening is the MD5 is gonna get triple hashed by that method. That's not what vBulletin does. vBulletin does a double MD5 Hash, followed by a random salt key that's included into the hashing process.

            PHPNuke is already an MD5 Hash

            so...

            PHPNuke does this:
            PHP Code:
            $password 
            where $password = One layer of MD5 Hashing

            but....vBulletin is.

            PHP Code:
            md5($password), $salt 

            Small other suggestion...try using the Impex system with the phpBB importer. Since the PHP Nuke's forums are based on phpBB, it might be easier to modify the existing importer rather than creating a new one.
            ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
            Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment

            Comment


            • #7
              ah Hah! I got it working, the only (very minor) problem being that all my imported users will have the same salt.

              Code:
              md5($nukehash . $salt)
              That will create the new hash for vB.. yippie :P

              P.S. this is just a 2nd md5 hash of the 1st hash, not sure where they thought they needed a 3rd hash.
              -DJ Blittz

              RacketRadio.com

              Comment


              • #8
                There was never a third MD5 hash.
                ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
                Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment

                Comment


                • #9
                  I have a working script that will import your users from phpnuke v7.5 into vBulletin v3.06. I will clean up the script, and make it available as I promised. It will probably be posted tomorrow, or sometime soon.

                  Thanks for the help everyone
                  -DJ Blittz

                  RacketRadio.com

                  Comment


                  • #10
                    no chance the phpBB import script works for you? I've been recommending that to everyone.
                    ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
                    Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment

                    Comment


                    • #11
                      Please note that when storing password into database, as well as logging in and what not, the password is stored as
                      Code:
                      md5(md5(password) . salt)
                      when setting cookies, its set as
                      Code:
                      vbsetcookie('password', md5(md5(md5(password) . salt) . license))
                      So, when you are importing into vB, you want to make sure you only do
                      Code:
                      md5(nukepassword . salt)
                      NOT
                      Code:
                      md5(md5(nukepassword . salt) . license)
                      Cheers.
                      Best Regards,
                      Andy Huang

                      Comment


                      • #12
                        ManagerJosh:

                        phpBB import script, are you referring to the impex? If so, I did try that first off, and when I gave it the info for my nuke database, and ran it, it had a blank screen (my server has php errors turned off, really makes troubleshooting hard).

                        Its ok though, I've got working code now to import the users sucessfully with working passwords (tested). At this point, I'm working on getting the forums imported. I've read that I need to get them into phpbb first, then I can import them, well, I got it in phpbb, but am unable to bring them in to vBulletin. I got past step 1 (the verification part.. forgot what it was called) and at step 2.. yup you got it, another blank screen. Now I can't even get the import screen to appear.. sigh.. oh well, another late night for me comming up :P


                        Alfarin:

                        Yup, I already got past that part, its working just fine now, thanks.
                        -DJ Blittz

                        RacketRadio.com

                        Comment


                        • #13
                          Originally posted by Andy Huang View Post
                          Please note that when storing password into database, as well as logging in and what not, the password is stored as
                          Code:
                          md5(md5(password) . salt)
                          when setting cookies, its set as
                          Code:
                          vbsetcookie('password', md5(md5(md5(password) . salt) . license))
                          So, when you are importing into vB, you want to make sure you only do
                          Code:
                          md5(nukepassword . salt)
                          NOT
                          Code:
                          md5(md5(nukepassword . salt) . license)
                          Cheers.
                          I dunno if somehting has changed, but
                          vbsetcookie('password', md5(md5(md5(password) . salt) . license)) is not the cookie password hash. It is:

                          Code:
                          vbsetcookie('password', md5(md5(md5(password) . salt) . COOKIE_SALT))
                          Where COOKIE_SALT is some internally available hashed value.

                          Comment

                          Related Topics

                          Collapse

                          Working...
                          X