vBulletin or not vBulletin, that's the question

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #31
    Originally posted by Discussions View Post
    If IPB can convert vBulletin to IPB and not lose user passwords, if MyBB can do the same, then theoretically changing how the password is encrypted might be a good idea.
    How is it a good idea to require the existing millions of vBulletin users around the world to reset their passwords to match the hashing scheme of a competitor? It isn't very realistic. We cannot unhash the passwords and then rehash them in another method.

    What would be a better idea is redoing the login system. That way it wouldn't care what the hashing scheme is but instead stores passwords to a scheme determined by the administrator during the setup of the product. This could be done by specifying a hash or through provided plugins. It would also increase security because hackers wouldn't be able to tell what scheme is used at a glance. However it is not a trivial change and would be relegated to a major version if it was undertaken.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API

    Comment


    • #32
      Originally posted by Wayne Luke View Post
      How is it a good idea to require the existing millions of vBulletin users around the world to reset their passwords to match the hashing scheme of a competitor? It isn't very realistic. We cannot unhash the passwords and then rehash them in another method.
      I would imagine that once a person upgrades to the latest vBulletin, that there would be a built-in importer that would automatically convert the old hashed passwords into the new hash style for the password system. Isn't that what IPB does to the vBulletin passwords? Convert the vBulletin hashed passwords into IPB hashed passwords?

      Sounds like it would be possible. But I am not a coder, so what do I know.


      Originally posted by Wayne Luke View Post
      What would be a better idea is redoing the login system. That way it wouldn't care what the hashing scheme is but instead stores passwords to a scheme determined by the administrator during the setup of the product. This could be done by specifying a hash or through provided plugins. It would also increase security because hackers wouldn't be able to tell what scheme is used at a glance. However it is not a trivial change and would be relegated to a major version if it was undertaken.
      That sounds good. Anything that would help another administrator even a little bit is always going in the right direction. I have known several forums that have lost a majority of users when they upgraded to vBulletin, all due to the fact that the passwords were not automatically imported. To some users, resetting a password is too much trouble and while that may sound ridiculous to most of us - there are forum users out there who think in that way.

      Comment


      • #33
        I'll make it simple. You can't unhash.

        Comment


        • #34
          Originally posted by Discussions View Post
          I would imagine that once a person upgrades to the latest vBulletin, that there would be a built-in importer that would automatically convert the old hashed passwords into the new hash style for the password system.
          This isn't possible. If it was, then we would use this technique to convert IPB passwords today. HASH is a one-way street. Once something is hashed the original value is lost and not recoverable. Not only that but we don't even know what the original value even resembled or how long it was because each password is hashed once but not twice.

          But let me explain it in a different way here. A new user registers and they choose the word 'laskjd3904jslkdj' as their password. We take that input and put it into a function called MD5(). That function returns a 32-byte string that is '15ae500e8c7b4d166a3dfa350194f827'. We throw the original away because keeping it is a security risk. Now we don't stop there. We generate a random three digit string called a salt. So let's say the system generates '&j1' as this user's salt. So we take that and add it to the MD5 hash from above and get '15ae500e8c7b4d166a3dfa350194f827&j1' and throw away the original MD5 hash. It also is a security risk because people can create what are called rainbow tables to look up what strings match what MD5 hashes. So we take our 35 byte string above and run it through MD5 again and get the following 32 byte hash, '5a218bceac9f14c2e85a43822eb14679'. This final hash is what we store. This is also why you can't retrieve your password and can only reset it.

          I could make a 50 character password and it will end up as a 32 byte hash. I could make a 3 digit password and it will end up as a 32 byte hash. I can take a 2 gigabyte file and run it through MD5() and get a 32 byte hash. In fact this is how Suspect File Versions works. It creates a hash for every file that is then stored in an array to be verified against. The original values are always lost. There is no way to unhash it.

          To change what is stored, we can only add additional hashing steps using MD5() or a comparable function like SHA1() to the existing hashes.

          Isn't that what IPB does to the vBulletin passwords? Convert the vBulletin hashed passwords into IPB hashed passwords?
          I don't know how IPB does it... There are two possibilities. 1) Their hash is created just by applying additional steps to the hashes vBulletin already created. 2) They have some sort of mechanism that tells IPB to use our hashing scheme after an import instead of their internal one (what I outlined above by the way).

          What I do know is they deliberately changed their hashing scheme to prevent us from importing their passwords. Probably to stop people from converting but we still get many converting every month.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API

          Comment


          • #35
            I follow both vb and ipb (I do a lot of custom PHP side projects for people that like to integrate with forums), and found myself compelled to register just to reply to this thread.

            Basically, IPB does what you outlined in #2 Wayne. They have different login mechanisms the user can enable (the default one, an LDAP one, and a third-party database integration one for example). When you convert to IPB, the importer adds a new login mechanism that utilizes the previous software's login routine.

            So for example you convert from vb to ipb, it retains the vb login information (password hash and salt). When the user logs in, it's run through vb's password checking mechanism to see if it's correct. If so, the submitted password is correct, and it's run through IPB's routines and stored as an IPB password.

            Comment
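
The two migration paths discussed in posts #34 and #35, as an added example that is not part of the original thread and is not vBulletin or IPB code: wrapping the stored legacy hashes in a slower function without ever knowing the passwords, and verifying with the legacy routine at login before re-hashing under the new scheme. The record layout, scheme labels, PBKDF2 parameters, function names and sample account are assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # illustrative work factor (assumption); tune to your hardware

def vb_legacy_hash(password: str, salt: str) -> str:
    """Legacy scheme as described in post #34: md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def slow_hash(data: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", data.encode(), salt, ITERATIONS).hex()

def wrap_legacy(rec: dict) -> dict:
    """Path 1: add a hashing step on top of the stored hash (offline, no password needed)."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(vb_legacy)", "legacy_salt": rec["salt"],
            "salt": salt.hex(), "hash": slow_hash(rec["hash"], salt)}

def new_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "hash": slow_hash(password, salt)}

def login(users: dict, name: str, password: str) -> bool:
    """Path 2: verify with the scheme named in the record, then upgrade on success."""
    rec = users.get(name)
    if rec is None:
        return False
    if rec["scheme"] == "vb_legacy":
        candidate = vb_legacy_hash(password, rec["salt"])
    elif rec["scheme"] == "pbkdf2(vb_legacy)":
        inner = vb_legacy_hash(password, rec["legacy_salt"])
        candidate = slow_hash(inner, bytes.fromhex(rec["salt"]))
    else:
        candidate = slow_hash(password, bytes.fromhex(rec["salt"]))
    if not hmac.compare_digest(candidate, rec["hash"]):
        return False
    if rec["scheme"] != "pbkdf2":
        users[name] = new_record(password)  # plaintext is only available during this request
    return True

def demo_users() -> dict:
    """Constructed sample: one imported account that still has a legacy hash."""
    return {"alice": {"scheme": "vb_legacy", "salt": "a1B",
                      "hash": vb_legacy_hash("S4mple-pass", "a1B")}}
```

Accounts that never log in again stay on the legacy or wrapped scheme, which is why the wrapping step is worth running over the whole table at import time.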


            • #36
              Hi all,

              I just noticed my topic started a life of its own (haven't checked it for a few weeks).

              I see that there are some problems with converting to Vbb from Smf. I don't mind doing some tweaking, but I do like to know if it will be a nightmare or just some light tweaking.

              Also, I didn't really follow the hash discussion. What does this mean? If I import from SMF my members can't do anything until they? Reset their own password?

              Can the admin reset passwords? Can it be automated?

              Are there any other problems? I don't want to lose my 70k posts in the migration....

              Thanks for your input.

              ~Alpha
              Alphagamer - The place to talk about computergames!!

              Comment


              • #37
                Basically, the passwords can't be converted. Your users will need to request a new password before they can log in.

                What you can do as an admin is send out an email to all your users, with a link so that users can reset their passwords easily.
                Best Regards
                Colin Frei

                Please don't contact me per PM.

                Comment


                • #38
                  Hello

                  First, sorry for my bad English.

                  I have some problems with converting from SMF 1.1.4 to vBulletin 3.6.8.
                  Statistic of members on board index is OK. But, when I go to "Member List" I have only 1 user. Can I fix this problem? These pictures are going to show my problem



                  Comment


                  • #39
                    Originally posted by RaZoRpEtKo View Post
                    Hello

                    First, sorry for my bad English.

                    I have some problems with converting from SMF 1.1.4 to vBulletin 3.6.8.
                    To get vB support on these forums you first need to be a licensed customer and register for Priority Forum Support. To do this, please go here:

                    http://members.vbulletin.com/membersupport_priority.php

                    ...and enter your email address in one of the boxes. You'll need to have your customer number and password to access the page.

                    Once you've done this, please post in the appropriate support forum for your version.
                    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                    Change CKEditor Colors to Match Style (for 4.1.4 and above)

                    Steve Machol Photography


                    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                    Comment
