MD5 hashed passwords don't seem to be working

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • keef0r
    started a topic MD5 hashed passwords don't seem to be working

    We are working on a Single Sign On script, where the user logs into our system, and they are automatically signed into their corresponding VBulletin account as well. We are setting their VB password as an md5 hash of some values, but it is not working. I have tried manually updating the user's password with the admin account, and I have found the following behavior:

    If I set the password to `b3c2146889e90f661ec1a24f8c463e8e` it tells me "You have entered an invalid username or password."

    If I try `mytestpassmytestpassmytestpassmytestpass` I am able to log in, and with that I was able to confirm it's not a password length issue.

    If I try converting numbers in the original hash to its corresponding letter, it works: `bccbadfhhieijfffaecaabdfhcdfcehe`

    But if I replace the non-hex letters with random numbers in the string above, it doesn't work: `bccbadf437e28fffaecaabdf9cdfce1e`

    Based on this behavior it seems that the VB5 system has issues trying to validate a password that is a valid md5 hash. Is this the case? Are there any workarounds?

    Any help would be much appreciated.

  • keef0r
    replied
    Originally posted by Glenn Vergara
    keef0r did you see my post at #6?
    I did, thanks. We already have something implemented for logging in, which is working fine. The only issue I had was that we were automatically generating a password for the users for vbulletin (and other ancillary services) by creating a hash of some ids and timestamps (something we can generate on the fly, and not need to store). VBulletin is not handling an md5 hash as a password string, so we had to come up with a different hashing method. Python's hash() function works for us, as long as the integer returned is not negative, so we just strip out the dash if it exists.


  • Glenn Vergara
    replied
    keef0r did you see my post at #6?


  • keef0r
    replied
    Also, I get an error every time I try to post a reply:

    Error while saving content: SyntaxError: JSON.parse: unexpected character at line 1 column 12 of the JSON data


  • keef0r
    replied
    Originally posted by Wayne Luke
    It isn't supported! Nor should it be supported in current versions of vBulletin. You cannot use a format that is not supported.
    I don't understand. Are you telling me there are password strings that aren't supported?

    thisIsmyl0ngp@$5wordString - supported
    a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6 - supported
    sometimesthebestpasswordsarejustalongsentance - supported

    b3c2146889e90f661ec1a24f8c463e8e - not supported
    bccbadf437e28fffaecaabdf9cdfce1e - not supported

    Or are you saying that the encoding of the password does not support md5 as an encoding method?

    *Edited for clarification
    Last edited by keef0r; Wed 30th Dec '15, 5:16pm.


  • Wayne Luke
    replied
    Originally posted by keef0r
    Wayne Luke I get the feeling you didn't really read my post, and just gave me a canned response on how passwords are stored and how to update a password via an SQL statement, like I was locked out of my account.

    I have no problem actually setting a password. The problem arises when I use a specific password format. Is there any reason why I can't set my password (the actual password) as an md5 hash?

    It isn't supported! Nor should it be supported in current versions of vBulletin. You cannot use a format that is not supported.


  • Glenn Vergara
    replied
    Are you calling the vB user API to log in to vB? The 3rd parameter of the login() method is the md5 password. You can set the 2nd parameter (the plain text password) as null.

    Code:
    $username = 'usertest';
    $password_md5 = md5('test123');
    $api = Api_InterfaceAbstract::instance();
    $loginInfo = $api->callApi('user', 'login', array($username, null, $password_md5));
    See this tutorial on how to log in to vB from an external script. It does not mention md5 passwords but it may help you in developing the single sign on script.

    http://www.vbulletin.com/forum/blogs...n-your-website


  • keef0r
    replied
    Again, I'm not talking about what VBulletin uses to store passwords, I'm talking about the actual password string. If I set my password to the following, I am unable to log in with it:

    b3c2146889e90f661ec1a24f8c463e8e

    I am not talking about setting this value in the database, or using some script. I mean I literally assign the password as that string. If I set it as such, the system tells me the username or password are invalid, even though the same string is still in my clipboard from when I pasted it into the password field of the user profile in the admin section (so I know I haven't typed it in wrong, or whatever).

    However, if I set it to the following (non-md5 compliant string), I am able to log in without issue:

    bccbadfhhieijfffaecaabdfhcdfcehe

    To me it seems that whatever validation the system uses to verify the authenticity of the password is choking if it is an md5 string.

    Regardless, we moved on from using md5 and are using Python's hash() function, which just returns an integer. I did however notice another issue with your password validation: if the password starts with a dash (as in a negative integer), the system throws an invalid_password_scheme error. We have circumvented this by just stripping off any preceding dash in our generation function.

    At this point I no longer need any support, but I would still like an answer. Please let me know if I haven't been clear enough on what the actual issue is.

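A deterministic way to derive such a service password while staying clear of the two shapes this thread reports as failing (a 32-character hex string and a leading dash). This is an added example, not part of the original posts and not vBulletin code; the secret, the `sso1.` prefix, the message layout and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample secret; a real deployment would load it from a secret store.
SSO_SECRET = b"constructed-example-secret"

# A 32-character hex string, i.e. something shaped like an MD5 digest.
MD5_SHAPED = re.compile(r"[0-9a-fA-F]{32}")


def is_rejected_shape(password: str) -> bool:
    """True for the two shapes reported in the thread: MD5-like or leading dash."""
    return password.startswith("-") or MD5_SHAPED.fullmatch(password) is not None


def derive_forum_password(user_id: int, created_ts: int, secret: bytes = SSO_SECRET) -> str:
    """Recompute the same password from an id and a timestamp, without storing it.

    HMAC-SHA256 is keyed, so the value cannot be rebuilt from the id and
    timestamp alone, and it is stable across processes and machines (Python's
    built-in hash() is salted per process for str and bytes unless
    PYTHONHASHSEED is fixed).
    """
    message = f"vbulletin|{user_id}|{created_ts}".encode("ascii")
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    # Base32 emits only A-Z and 2-7, so there is never a leading dash; the
    # fixed prefix and the 52-character body keep it from looking like an MD5.
    body = base64.b32encode(digest).decode("ascii").rstrip("=")
    password = "sso1." + body
    if is_rejected_shape(password):  # defensive, in case the format is changed
        raise ValueError("derived password has a shape the forum rejects")
    return password


if __name__ == "__main__":
    # Strings quoted in the thread, plus a constructed negative integer.
    for sample in ("b3c2146889e90f661ec1a24f8c463e8e",
                   "bccbadfhhieijfffaecaabdfhcdfcehe",
                   "-4611686018427387904"):
        print(f"{sample!r:40} rejected shape: {is_rejected_shape(sample)}")
    print(derive_forum_password(user_id=1, created_ts=1451495760))
```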


  • Mark.B
    replied
    As Wayne has mentioned, vB5 doesn't use an MD5 hashed password by default. The default password scheme is a Blowfish Scheme.


  • keef0r
    replied
    Wayne Luke I get the feeling you didn't really read my post, and just gave me a canned response on how passwords are stored and how to update a password via an SQL statement, like I was locked out of my account.

    I have no problem actually setting a password. The problem arises when I use a specific password format. Is there any reason why I can't set my password (the actual password) as an md5 hash?


  • Wayne Luke
    replied
    As of vBulletin 5.1.0, we don't use an MD5 hashed password by default. The default password scheme is a Blowfish Scheme. Please see the 5.1.0 Release Candidate release announcement for more information. http://www.vbulletin.com/forum/forum...ate-1-released

    You should be able to assign a temporary password using this query:
    Code:
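    -- New token = MD5(MD5(password) + salt), a space, then the salt;
    -- the current value of the token column is reused as the salt.
    UPDATE vb_user AS user
    SET token = concat(MD5(concat(MD5('pass1234'), user.token)), ' ', user.token), scheme = 'legacy'
    WHERE userid = 1;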
    You would have to change the prefix to match yours as well as the password (pass1234) and userid. Once they change their password using the system it will be converted back to the Blowfish storage scheme. The Blowfish scheme is more secure and takes more time to brute force than an MD5 storage scheme. The legacy or MD5 scheme may be removed completely in the future.

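What the UPDATE above writes into the token column, and how a token of that form can be checked, as an added Python sketch (not vBulletin's code). The salt value and function names are constructed; accepting a pre-computed MD5 in place of the plain password mirrors the third login() parameter mentioned earlier in the thread, on the assumption that verification recomputes the same expression.

```python
import hashlib
import hmac
import re
from typing import Optional

MD5_HEX = re.compile(r"[0-9a-f]{32}")
SAMPLE_SALT = "constructed salt, spaces allowed"  # constructed sample value


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def legacy_token(password: str, salt: str) -> str:
    """Same expression as the SQL: MD5(MD5(password) + salt) + ' ' + salt."""
    return md5_hex(md5_hex(password) + salt) + " " + salt


def verify_legacy(token: str, password: Optional[str] = None,
                  md5_password: Optional[str] = None) -> bool:
    """Check a plain password, or an already MD5-hashed one, against a token."""
    # The digest is 32 hex characters, so the first space is the separator
    # and everything after it (spaces included) is the salt.
    digest, sep, salt = token.partition(" ")
    if not sep or MD5_HEX.fullmatch(digest) is None:
        return False
    if md5_password is None:
        if password is None:
            return False
        md5_password = md5_hex(password)
    candidate = md5_hex(md5_password + salt)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    token = legacy_token("pass1234", SAMPLE_SALT)
    print(token)
    print(verify_legacy(token, password="pass1234"))               # plain text
    print(verify_legacy(token, md5_password=md5_hex("pass1234")))  # pre-hashed
    print(verify_legacy(token, password="wrong"))
```

Each guess against such a token costs only two MD5 computations, which is the gap in brute-force cost relative to the Blowfish scheme that the post refers to.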
