VB5 password hash

  • mstokes
    New Member
    • Oct 2015
    • 3
    • 3.8.x

    I am trying to update an old application that synchronised VB passwords directly in the DB with another system. It used MD5 and worked fine.

    So the application now calls the PHP function "password_hash" on the same server (so using same PHP version)
    For a password of vb123 the following hash is generated by the PHP function
    $hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 10));
    $2y$10$ICYle1/IHcKyZ49vh8wNXuhMNAGL7juetlMUJkD8kkbzwipS.i78K

    For a password of vb123 the following hash is generated by VBulletin5 using the admin control panel.
    $2y$10$bvJB.hKjhP9sV74Zt8TbLeZKNiY1wCOGWpKR/A.g.uQ4mVz3YLq..

    When I check the vBulletin-generated one using the PHP function "password_verify", it says it does not match.
    However, the first one does (as expected).

    But only the VB one allows me to log in to vBulletin and the first one does not.

    What is VB doing after the hashing that is different?
  • Replicant
    Senior Member
    • Sep 2014
    • 527

    #2
    vB5 password is hashed via javascript before it is submitted using the function md5hash(). You can get the hash by opening the devtools and looking at the post submission in the network tab. This is to prevent plain text password transfers over the network. Modifying your old application to use this same md5hash function should help with synchronizing your passwords.



    • mstokes
      New Member
      • Oct 2015
      • 3
      • 3.8.x

      #3
      Originally posted by Replicant
      vB5 password is hashed via javascript before it is submitted using the function md5hash(). You can get the hash by opening the devtools and looking at the post submission in the network tab. This is to prevent plain text password transfers over the network. Modifying your old application to use this same md5hash function should help with synchronizing your passwords.
      Thanks replicant but the version I am testing is 5.2.4 which uses the PHP BCrypt functions I mentioned above. I am using the same functions on the same server but VB still does not accept the hashed passwords it creates.



      • Replicant
        Replicant commented
        Ya, I know. I was letting you know vbulletin is encrypting the javascript hashed password not the plain text one. Could be wrong though. Wouldn't be the first time.

      • Replicant
        Replicant commented
        Yep I'm wrong. Just checked. When you register, the registration sends plain text passwords but when you login, the browser is sending md5 hashed passwords not plain text if that helps.
    • glennrocksvb
      Former vBulletin Developer
      • Mar 2011
      • 4021
      • 5.7.X

      #4
      When you call the login api, you can pass the plain text password.

      When designing your website and integrating vBulletin with the rest of your site, it's often desirable to have a centralized login form for users to initiate a vBulletin session. Here are some instructions



      • Replicant
        Replicant commented
        Yes you can do that and would probably be the easiest to implement for the other software. But sending plain text passwords is not a good security practice. vB5 has good secure logins built in, why not use it?

      • glennrocksvb
        glennrocksvb commented
        The api is called directly/internally (not via http or something that can be intercepted) since that blog post assumed vBulletin and the external site are on the same server. But what the external site should do is it should md5 the password when submitting the login form and then on the server when calling the vB login API, it should pass the md5 password. The 3rd parameter for the login API is the md5 password.

        Code:
         $loginInfo = $api->callApi('user', 'login', array($_POST['username'], null, $_POST['md5password']));

      • Replicant
        Replicant commented
        In the API example login form, it is using plain text. I know it's just an example, but the info you just provided in the previous comment should probably be added to that example for education purposes in vb5 security. When you submit the example form, it is submitting plain text as written. Whether it's on the same server is irrelevant since the password is coming from a browser.
    • mstokes
      New Member
      • Oct 2015
      • 3
      • 3.8.x

      #5
      Thanks to you both.
      Once I understood what Replicant meant, I simply MD5 hashed the plain text password and then called the PHP "password_hash" function to hash that and now it logs in fine.

      Comment
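
The layering reported in post #5 (MD5 hex digest first, then bcrypt), as an added example that is not part of the original thread and is not vBulletin's own code. The function names `vb5StyleHash` and `matchingPreHash` are hypothetical; the last hash checked is the vBulletin-generated value quoted in post #1, and the script prints which input form, if any, it verifies against.

```php
<?php
// Added example (not vBulletin code); function names are hypothetical.

// Hash the way post #5 describes: MD5 hex digest first, then bcrypt.
function vb5StyleHash(string $plain, int $cost = 10): string
{
    return password_hash(md5($plain), PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Report which input form a stored bcrypt hash was computed over.
// Returns 'plaintext', 'md5-hex', or null when neither verifies.
function matchingPreHash(string $plain, string $stored): ?string
{
    $candidates = [
        'plaintext' => $plain,
        'md5-hex'   => md5($plain), // 32 lowercase hex characters
    ];
    foreach ($candidates as $label => $input) {
        if (password_verify($input, $stored)) {
            return $label;
        }
    }
    return null;
}

$password = 'vb123'; // test password used in post #1

// Hash over the plain text, as in the password_hash() call from post #1.
$direct = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// Hash over the MD5 digest, as in post #5.
$layered = vb5StyleHash($password);

// Single-quoted so PHP does not interpolate the "$" characters.
$fromThread = '$2y$10$bvJB.hKjhP9sV74Zt8TbLeZKNiY1wCOGWpKR/A.g.uQ4mVz3YLq..';

var_dump(matchingPreHash($password, $direct));
var_dump(matchingPreHash($password, $layered));
var_dump(matchingPreHash($password, $fromThread));
```

Because the login API accepts the MD5 digest in place of the password, the digest is password-equivalent and needs the same protection in transit and in logs as the plain text. The hex digest is 32 ASCII characters, so it stays under bcrypt's 72-byte input limit.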