VB5 bcrypt hashing

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • LuckyRiver
    New Member
    • Jun 2013
    • 17
    • 5.1.x

    VB5 bcrypt hashing

    Hi,

    I need to add support vb5 to a bridge I wrote so I can have member of my community play poker.

    I've read and have some info on how vb uses the new $2y format to encrypt using blowfish, My question is do you guys uses a hardcoded salt or you let the php bcrypt library generate it.

    I need that info so I can regenerate the same thing to match the hash password stored on the database.

    I haven't tested yet but would the compatible call to the php lib will match the one stored in the database. I was playing around with this one precisely.



    For example, if I use the above lib:

    <?php

    require "lib/password.php";
    $hash = password_hash('anypassword', PASSWORD_BCRYPT);
    echo $hash;


    echo "\n";


    Would that value in $hash matches with the one stored in the user table as token field?

    I don't have problem with the old format $2a, but the new $2y looks tougher to add correct working code to support it. Guess vb will be the first to give me some challenges there!

    Any help is greatly appreciated!

    Thanks!

    /LR


  • Zachery
    Former vBulletin Support
    • Jul 2002
    • 59097

    #2
    The salt should be in the table. I believe when a new password is generated a new salt may also be generated. Look at the user table.

    Comment

    • LuckyRiver
      New Member
      • Jun 2013
      • 17
      • 5.1.x

      #3
      Originally posted by Zachery
      The salt should be in the table. I believe when a new password is generated a new salt may also be generated. Look at the user table.
      I'll double check again, You mean v5? I'm looking at latest version 5.1.18. I don't see any field name salt last time I've checked. Thx!

      Here is what I meant which I haven't been able to get a match yet
      <?php
      $blowfish_salt = bin2hex(openssl_random_pseudo_bytes(22));
      $hash = crypt('anypassword', "$2y$10$".$blowfish_salt);
      // Save the hash but no need to save the salt
      echo $hash. "\r\n";
      if (crypt('anypassword', $hash) == $hash) {
      echo 'match found'. "\r\n";
      }
      ?>

      $2y$10$dc6781e6d3a7dedf65a92OoefZns297TF2zODyrZsZqPkbIYMJSai
      mathch found
      While the above generated token is matched, the token stored in vb user table is not the same.
      So I suspect the salt must followed a particular algorithm which I can't figure out.

      I'm using bcrypt on version php > 4

      Thanks!

      Comment

      • LuckyRiver
        New Member
        • Jun 2013
        • 17
        • 5.1.x

        #4
        I finally figured out how to get the match and how VB makes the authentication harder. Clever way to do so, had to trace it badly to get it.

        Pull my hair all day on this tough one. Now, I got the correct algorithm working!

        You can mark this one as resolved. Guess $2y is the new way to go that most who adopt will need to go with and drop the $2a.

        Comment

        • LuckyRiver
          New Member
          • Jun 2013
          • 17
          • 5.1.x

          #5
          Poker for VB5 Connect (Work in progress)


          Comment

          • Zachery
            Former vBulletin Support
            • Jul 2002
            • 59097

            #6
            Sorry, I forgot that it was in another table. You found it and got it working right?

            Comment

            • LuckyRiver
              New Member
              • Jun 2013
              • 17
              • 5.1.x

              #7
              Originally posted by Zachery
              Sorry, I forgot that it was in another table. You found it and got it working right?
              There is no such thing in vb5. The salt is built in the php bcrypt function. My problem was at a different level which I was assuming wrong the way I coded it for vb5.

              My poker game is now live at test site, please drop by to test the poker game which I've just add support for vb5. You will notice that whenever you change password in vb5, the new password changes is also reflected in the game as well as when you change an avatar.

              Sign up: http://boardservice.org

              Play poker using same vb5 user/password : http://boardservice.org:8181/poker/cubeiaclassic/

              Need to bring a friend and when both sit down on same table, the game automatically starts.

              No download is required, you can play on ipad, iphone and android devices.

              Btw, it took me sometimes to get vb5 installed correctly! Man, did not know it's so difficult!

              Cheers!
              Last edited by LuckyRiver; Sun 26 Jul '15, 7:02pm. Reason: Add more info

              Comment

              • ECForum
                New Member
                • Nov 2015
                • 1

                #8
                Up up to my eyeballs trying to work this out right now and would really appreciate a snippet of what worked and/or correction to the snippet below.
                Thanks!

                $userSuppliedPassword = 'Plain Text Password';
                $hashToMatch = 'user->token Column Value';
                $options['cost'] = 10;
                $options['salt'] = 'user->secret Column Value';
                if (0 == preg_match('#^[a-zA-Z0-9./]+$#D', $options['salt']))
                {
                $options['salt'] = str_replace('+', '.', base64_encode($options['salt']));
                }
                if ($hashToMatch == password_hash(md5($userSuppliedPassword), PASSWORD_BCRYPT, $options))
                {
                echo "Woot!<br/>\n";
                }else{
                echo "Sad Face.<br/>\n";
                }

                Comment

                Related Topics

                Collapse

                Working...