Changing the way vBulletin hashes user passwords

  • Blittz
    New Member
    • Jan 2005
    • 6

    Changing the way vBulletin hashes user passwords

    Greetings,

    I'm a brand new vBulletin owner, and look forward to getting rid of my old php-nuke system. Now, I bet you're thinking, bah, this is just another "how do I convert my data" thread, but it's not (mostly).

    First off, I know that Nuke (v7.5) stores its passwords in the database as a simple MD5 hash. And I know that vBulletin (v3.06) stores its passwords using a combination of the password, a salt, your id, and 3x md5 hashes. vBulletin's way of doing this is quite secure, as decrypting something like that is a virtual impossibility.

    I am trying to write a script that will import my nuke users over to vBulletin, and while I have the code pretty much done, it will import and bring over all the data, however, the password hashes will be different.

    Finally, here is my question: Can I change vBulletin to use a simple single md5 hash (thus making my system less secure, I know) instead of the 3x md5 its using now?

    Thanks in advance for any help. Oh, and yes, if I get this working, I'll be happy to make the script available to other vBulletin users.
    -DJ Blittz

    RacketRadio.com
  • daemon
    Senior Member
    • Jun 2003
    • 2351
    • 3.5.x

    #2
    Yes, you could do this, however this requires custom coding. You should go to vBulletin.org for help with this.

    Note: if Nuke just stores the passwords as a single md5() then you don't need to change vB. vB stores passwords as such:

    PHP Code:
    md5(md5(PASSWORD) . SALT); 
    So all that you need to do is MD5 the single MD5 password hash from Nuke and the salt and store it.
    Bugdar: PHP bug tracking software that is beautiful, fast, and robust.


    • Blittz
      New Member
      • Jan 2005
      • 6

      #3
      Originally posted by daemon
      Yes, you could do this, however this requires custom coding. You should go to vBulletin.org for help with this.

      Note: if Nuke just stores the passwords as a single md5() then you don't need to change vB. vB stores passwords as such:

      PHP Code:
      md5(md5(PASSWORD) . SALT); 
      So all that you need to do is MD5 the single MD5 password hash from Nuke and the salt and store it.
      Unless I missed something over at http://www.vbulletin.org/forum/showthread.php?t=71482 , I thought it was:
      PHP Code:
      md5(md5(md5(password) . 'salt')) . 'LicenseNo'
      If what I saw is correct, then the first md5 is of the ((password) . 'salt')) so without the original password, you won't be able to create the hash.
      -DJ Blittz

      RacketRadio.com


      • daemon
        Senior Member
        • Jun 2003
        • 2351
        • 3.5.x

        #4
        The hashing order you posted above is for the way the cookies are set. Did you read the whole thread, specifically post #15?

        If you wanted to convert your Nuke passwords to vB, you'd simply take Nuke's md5() of the password and run it through:

        PHP Code:
        md5(NUKE_PASSWORD . SALT);
        ... and store that in the database.
        Bugdar: PHP bug tracking software that is beautiful, fast, and robust.


        • xmitchx
          Senior Member
          • May 2004
          • 257
          • 3.8.x

          #5
          Originally posted by Blittz
          Unless I missed something over at http://www.vbulletin.org/forum/showthread.php?t=71482 , I thought it was:
          PHP Code:
          md5(md5(md5(password) . 'salt')) . 'LicenseNo'
          If what I saw is correct, then the first md5 is of the ((password) . 'salt')) so without the original password, you won't be able to create the hash.
          I think what daemon is saying and what I'm seeing is that PHPNuke md5 hashes the passwords. so:

          md5(md5(md5(password) . 'salt')) . 'LicenseNo')


          The bold part is complete already... so just do the rest and it's vB style


          • ManagerJosh
            Senior Member
            • Jun 2002
            • 9922

            #6
            What's happening is the MD5 is gonna get triple hashed by that method. That's not what vBulletin does. vBulletin does a double MD5 Hash, followed by a random salt key that's included into the hashing process.

            PHPNuke is already an MD5 Hash

            so...

            PHPNuke does this:
            PHP Code:
            $password 
            where $password = One layer of MD5 Hashing

            but....vBulletin is.

            PHP Code:
            md5($password), $salt 

            Small other suggestion...try using the Impex system with the phpBB importer. Since the PHP Nuke's forums are based on phpBB, it might be easier to modify the existing importer rather than creating a new one.
            ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
            Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment


            • Blittz
              New Member
              • Jan 2005
              • 6

              #7
              ah Hah! I got it working, the only (very minor) problem being that all my imported users will have the same salt.

              Code:
              md5($nukehash . $salt)
              That will create the new hash for vB.. yippie :P

              P.S. this is just a 2nd md5 hash of the 1st hash, not sure where they thought they needed a 3rd hash.
              -DJ Blittz

              RacketRadio.com


              • ManagerJosh
                Senior Member
                • Jun 2002
                • 9922

                #8
                There was never a third MD5 hash.
                ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
                Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment


                • Blittz
                  New Member
                  • Jan 2005
                  • 6

                  #9
                  I have a working script that will import your users from phpnuke v7.5 into vBulletin v3.06. I will clean up the script, and make it available as I promised. It will probably be posted tomorrow, or sometime soon.

                  Thanks for the help everyone
                  -DJ Blittz

                  RacketRadio.com


                  • ManagerJosh
                    Senior Member
                    • Jun 2002
                    • 9922

                    #10
                    No chance the phpBB import script works for you? I've been recommending that to everyone.
                    ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
                    Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment


                    • Andy Huang
                      Senior Member
                      • Feb 2004
                      • 4602

                      #11
                      Please note that when storing password into database, as well as logging in and what not, the password is stored as
                      Code:
                      md5(md5(password) . salt)
                      when setting cookies, it's set as
                      Code:
                      vbsetcookie('password', md5(md5(md5(password) . salt) . license))
                      So, when you are importing into vB, you want to make sure you only do
                      Code:
                      md5(nukepassword . salt)
                      NOT
                      Code:
                      md5(md5(nukepassword . salt) . license)
                      Cheers.
                      Best Regards,
                      Andy Huang

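The import step from posts #7 and #11, as an added example that is not code from any poster in this thread: it re-hashes each Nuke `md5(password)` into the stored form `md5(md5(password) . salt)` with a fresh salt per user, so imported accounts do not all share one salt. The function names, the salt length and the sample accounts are assumptions, and it needs PHP 7 or later for `random_int()`.

```php
<?php
// Added example, not code from the thread. Function names, salt length and
// the sample accounts are assumptions made for illustration.

// Random printable salt, generated once per imported user (length is assumed).
function make_salt(int $length = 3): string
{
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= chr(random_int(33, 126));
    }
    return $salt;
}

// Convert one Nuke row: the stored md5(password) becomes md5(md5(password) . salt).
// The plaintext password is never needed for this step.
function convert_nuke_hash(string $nukeHash): array
{
    if (!preg_match('/^[0-9a-f]{32}$/', $nukeHash)) {
        throw new InvalidArgumentException('not a lowercase hex MD5 digest');
    }
    $salt = make_salt();
    return ['password' => md5($nukeHash . $salt), 'salt' => $salt];
}

// Login check against the stored form from the thread: md5(md5(password) . salt).
// This is the database hash only; the cookie value has an extra md5 layer.
function verify_login(string $plaintext, array $row): bool
{
    return hash_equals($row['password'], md5(md5($plaintext) . $row['salt']));
}

// Constructed sample data: two Nuke users who chose the same password.
$nukeUsers = ['alice' => md5('hunter2'), 'bob' => md5('hunter2')];

$vbUsers = [];
foreach ($nukeUsers as $name => $hash) {
    $vbUsers[$name] = convert_nuke_hash($hash);
}

var_dump(verify_login('hunter2', $vbUsers['alice'])); // original password is accepted
var_dump(verify_login('wrong', $vbUsers['alice']));   // any other password is rejected
// Same password, separate salts: the stored hashes differ unless the salts collide.
var_dump($vbUsers['alice']['password'] !== $vbUsers['bob']['password']);
```

Each generated salt has to be written to the user's row next to the new hash, because the login check cannot be repeated without it.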

                      • Blittz
                        New Member
                        • Jan 2005
                        • 6

                        #12
                        ManagerJosh:

                        phpBB import script, are you referring to the impex? If so, I did try that first off, and when I gave it the info for my nuke database, and ran it, it had a blank screen (my server has php errors turned off, really makes troubleshooting hard).

                        It's OK though, I've got working code now to import the users successfully with working passwords (tested). At this point, I'm working on getting the forums imported. I've read that I need to get them into phpbb first, then I can import them, well, I got it in phpbb, but am unable to bring them in to vBulletin. I got past step 1 (the verification part.. forgot what it was called) and at step 2.. yup you got it, another blank screen. Now I can't even get the import screen to appear.. sigh.. oh well, another late night for me coming up :P


                        Alfarin:

                        Yup, I already got past that part, it's working just fine now, thanks.
                        -DJ Blittz

                        RacketRadio.com


                        • john.parlane
                          New Member
                          • Jan 2009
                          • 7

                          #13
                          Originally posted by Andy Huang
                          Please note that when storing password into database, as well as logging in and what not, the password is stored as
                          Code:
                          md5(md5(password) . salt)
                          when setting cookies, it's set as
                          Code:
                          vbsetcookie('password', md5(md5(md5(password) . salt) . license))
                          So, when you are importing into vB, you want to make sure you only do
                          Code:
                          md5(nukepassword . salt)
                          NOT
                          Code:
                          md5(md5(nukepassword . salt) . license)
                          Cheers.
                          I dunno if something has changed, but
                          vbsetcookie('password', md5(md5(md5(password) . salt) . license)) is not the cookie password hash. It is:

                          Code:
                          vbsetcookie('password', md5(md5(md5(password) . salt) . COOKIE_SALT))
                          Where COOKIE_SALT is some internally available hashed value.
