Announcement

Collapse
No announcement yet.

Encryption method of password

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Homeworld'sa
    replied
    Slightly old thread this is.
    If you are using vB4, then the syntax may have changed. Depends on your vB version really, but you should use the support forum.

    Leave a comment:


  • john.parlane
    replied
    Originally posted by Wayne Luke View Post
    It is stored in the database as md5(md5($password) + $salt).

    The cookies that contains the password stored on the user's PC is:

    md5(md5(md5($password) + $salt) + COOKIE_SALT)

    COOKIE_SALT is the license ID of the software.
    This doesnt work, took me a while to work it out but COOKIE_SALT is NOT the license ID of the software at all. It's not the VBFxxxxxxx value that you want. COOKIE_SALT is some internally generated hash value in vBulletin that you access literally as COOKIE_SALT. From class_core.php:

    Code:
    if (md5($userinfo['password'] . COOKIE_SALT) == $password)
    is the line that checks your password when you login.
    $password is the from the cookie, $userinfo['password'] is from the db user.password

    Leave a comment:


  • john.parlane
    replied
    Originally posted by Wayne Luke View Post
    It is stored in the database as md5(md5($password) + $salt).

    The cookies that contains the password stored on the user's PC is:

    md5(md5(md5($password) + $salt) + COOKIE_SALT)

    COOKIE_SALT is the license ID of the software.
    Really hoping somebody can help me out here, thi is the final piece of a puzzle I've been working on for a few days now.

    I need to generate the cookie password from the database password so I can set the cookie. This is so I can fix the LDAP authentication plugin here http://www.vbulletin.org/forum/showthread.php?t=196596 which is not setting the cookie bbpassword when it sets user passwords, so its not obeying the 'remember me' tick box

    As is stated by Wayne earlier in this thread (and many others) the cookie password is derived as follows:

    Originally posted by Wayne Luke View Post

    md5(md5(md5($password) + $salt) + COOKIE_SALT)

    COOKIE_SALT is the license ID of the software.
    However when I code this, I do not get the same hashed value as what is stored in the cookie. Note that I can successfully generate the user.password hash as stored in the db with md5(md5($password) + $salt.

    The code I am using is very simply:

    <?php
    $calc_db_pwd = md5(md5($cleartext_password) . $salt_from_user_table);
    echo 'calc_db_pwd: ' . $calc_db_pwd . '<br>';
    $calc_cookie_pwd = md5(md5(md5($cleartext_password) . $salt_from_user_table).'VBF*******');
    echo 'calc cookie bbpassword: ' . $calc_cookie_pwd . '<br>';
    ?>
    The VBF******* value is obviously starred out, but I have taken this from our license, and cross checked it againast the value at the top of all the .php vbull code.

    But the $calc_cookie_pwd produced does not match the bbpassword in the cookie.

    I'm really stumped here, as I'm doing exactly what has been documented but no go.

    Any help welcome!
    Last edited by john.parlane; Wed 28 Apr '10, 8:06pm.

    Leave a comment:


  • Andreas
    replied
    Originally posted by FreshFroot_ View Post
    Like I said earlier... EVERYTHING is crackable.

    Believe what you want....... I never said it was easy, but it IS possible.
    As already pointed out - you don't seem to know what you are talking about

    Let's say you got an unsalted MD5 Hash c6b2fe88912770fc6f2db71f58c7d251 - what's the password that generated this hash?

    To make it a bit easier for you, i've attached 2 different files with possible passwords.

    You can verify that with
    Code:
    fc password1.bin password2.bin
    on Windows.

    Afterwards, calculate the MD5-Hash of both files using http://www.pc-tools.net/win32/md5sums and tell me if my password was password1.bin.

    If you can: Congratulations, you've proven me wrong.
    Attached Files

    Leave a comment:


  • Jobe1986
    replied
    A hash is NOT crackable, all you can do is find a string of data that results in the same hash, which is far from anything REMOTELY like cracking a hash. So I think you'll find you are misinformed as to what a hash really is if you think you can reverse it. Simply put you CANT reverse a hash, you can only rehash the same data and get the same hash.

    As for vB hashes, when trying to break those, you have to start with a password (randomly or sequentially generated), md5 hash it, then generate a random/sequetial salt, and then hash again BEFORE you can compare with the password hash from the DB. You cant, without going through all that OVER and OVER again get a password from the hash without hashing data repeatedly. Additionally, you need to know the salt that was actually used in the password hash to actually be able to find the real password or a string that would be a suitable substitute.

    Now I think this argument has gone on long enough.

    Leave a comment:


  • FreshFroot_
    replied
    Originally posted by Jobe1986 View Post
    The key point to your argument is "encryption". MD5, SHA1 etc... are NOT encryption, they are hash algorithms. Designed to be irreversable. The ONLY way to find out what produces a hash the same is to repeatedly hash strings of data until you get the same result. You cannot otherwise undo the mathematical operation and get the exact string used. Now if you're trying to find what values make a simple hash then that wont take so long, but with vBulletin hashes you need to find out the salt too, which makes the job of finding a pattern that matches a hell of a lot harder, because with the salt, you have to find a salt, that when applied to the same password as the salt in the DB, will produce the SAME hash.
    Like I said earlier... EVERYTHING is crackable.

    Believe what you want....... I never said it was easy, but it IS possible.

    Leave a comment:


  • BSchmits78
    replied
    I'm building a comment system for our newspages and I want to use the same username/password combination as our forum uses. Everything is set to go, the only thing I need to do is encrypt the password so it will be the same as the encrypted password in the database. Does anybody know how to do that?

    Thanks,
    Barry
    Wakeboarden.org

    Leave a comment:


  • DelphiVillage
    replied
    Originally posted by Andreas View Post
    I am sorry, but this is just wrong.

    Hashing != Encrypting

    You can't "decrypt" a hash, never.
    You can, of course, find colissions (eg. strings that produce the hash you are after), but you'll never know if the string you found was actually the password .
    Andreas is right folks ...you won't know if a string you found was actually the password you where after...

    Leave a comment:


  • Andreas
    replied
    Originally posted by FreshFroot_ View Post
    You forget NO encryption is 100%. This encryption can also be decrypted. It won't be easy, and probably not worth most people's time. BUT it is NOT impossible.
    I am sorry, but this is just wrong.

    Hashing != Encrypting

    You can't "decrypt" a hash, never.
    You can, of course, find colissions (eg. strings that produce the hash you are after), but you'll never know if the string you found was actually the password.

    Leave a comment:


  • Jobe1986
    replied
    Originally posted by FreshFroot_ View Post
    You forget NO encryption is 100%. This encryption can also be decrypted. It won't be easy, and probably not worth most people's time. BUT it is NOT impossible. I know our Comp classes we looked over this issue and worked out methods.

    So it is NOT impossible. However, unless someone has LOTS of time or is bored. I don't see any use of it. Your better at guessing someone's password than going through with this method.
    The key point to your argument is "encryption". MD5, SHA1 etc... are NOT encryption, they are hash algorithms. Designed to be irreversable. The ONLY way to find out what produces a hash the same is to repeatedly hash strings of data until you get the same result. You cannot otherwise undo the mathematical operation and get the exact string used. Now if you're trying to find what values make a simple hash then that wont take so long, but with vBulletin hashes you need to find out the salt too, which makes the job of finding a pattern that matches a hell of a lot harder, because with the salt, you have to find a salt, that when applied to the same password as the salt in the DB, will produce the SAME hash.

    Leave a comment:


  • FreshFroot_
    replied
    Originally posted by Jobe1986 View Post
    Sorry to split hairs here, but it is impossible to reverse the has, it is not however impossible to guess password and salt combinations, but to go through all the possible combinations just for one hash, could potentially take years. If you find out what the salt for that user is, eg via compromised DB you're half way there, but you'll still have a long time to match including the salt.
    You forget NO encryption is 100%. This encryption can also be decrypted. It won't be easy, and probably not worth most people's time. BUT it is NOT impossible. I know our Comp classes we looked over this issue and worked out methods.

    So it is NOT impossible. However, unless someone has LOTS of time or is bored. I don't see any use of it. Your better at guessing someone's password than going through with this method.

    Leave a comment:


  • maplr4ever
    replied
    password

    If you actually want to view your users passwords, simply edit out all the encryptions.

    but then you would have to have a really strong security system on your server so that it doesn't get compromised.

    I have my server and database on the same LAN, with the server on a static ip and the database not internet accessible, and connect the server to the database. and then the database has like $500/year worth of encryption software and security software. (its worth it to learn your users passwords :P)

    Leave a comment:


  • Wayne Luke
    replied
    Yes.

    Leave a comment:


  • James Birkett
    replied
    Thanks wayne! That helped me understand
    So the database:
    Md5's password first.
    Then it md5's the password (again) and the salt.

    For the cookie:
    md5's password first.
    md5's the password (again) and the salt.
    md5's the hash of above step + license ID?

    Leave a comment:


  • Wayne Luke
    replied
    Originally posted by James Birkett View Post
    Doesn't vBulletin use a triple hash?
    I'm sure I read somewhere they md5 it more than once? Something along the lines of:
    PHP Code:
    md5(md5(md5($password $salt))) 
    I could be wrong - I think I read it somewhere though.
    It is stored in the database as md5(md5($password) + $salt).

    The cookies that contains the password stored on the user's PC is:

    md5(md5(md5($password) + $salt) + COOKIE_SALT)

    COOKIE_SALT is the license ID of the software.

    Leave a comment:

widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Working...
X