VB4 Password Hash Encryption

**Zachery** · Mon 25 Apr '11, 9:08am

We don't encrypt passwords, we hash them. its something like md5 (md5(password)salt).

**danswano** · Mon 25 Apr '11, 9:13am

Originally posted by Zachery

We don't encrypt passwords, we hash them. its something like md5 (md5(password)salt).

Yes i meant hashing sorry, are you sure it's md5 (md5(password)salt) ? i want to make a test.

**Zachery** · Mon 25 Apr '11, 9:42am

vBulletin.org would be the better place to ask, once you purchase the license you would have access to the files and the schema to test it. You really cannot test it without having access to a test password hashed and the users salt.

**danswano** · Mon 25 Apr '11, 9:44am

So you can't tell me about the exact hashing method?

**Reeve of Shinra** · Mon 25 Apr '11, 10:18am

The hashing method is pretty much as Zachery stated it however the salt is unique per user id.

**danswano** · Mon 25 Apr '11, 10:21am

Thanks for the reply.
Although the salt is unique per user id will i be able to read the password hash from my external script or it's impossible?

**Zachery** · Mon 25 Apr '11, 10:26am

If you can query the database, you can do it.

**danswano** · Mon 25 Apr '11, 10:33am

The script is using mysqltcl to access the database

set check_pass [md5 $get_pass]

set find_it [::mysql::connect -host $reqs::sett::db_host -port $reqs::sett::db_port -user $reqs::sett::db_username -password $reqs::sett::db_password -db $reqs::sett::db_name];
set it_find [::mysql::sel $find_it "SELECT $reqs::sett::db_user,$reqs::sett::db_pass FROM $reqs::sett::db_table WHERE $reqs::sett::db_user = '$check_nick' AND $reqs::sett::db_pass = '$check_pass'" -flatlist];
::mysql::endquery $find_it
::mysql::close $find_it

a friend of mine generated some vbulletin hashed password and gave me the .sql file for testing but till now i couldn't read the hashed password from my script

what should i replace md5 here set check_pass [md5 $get_pass] to be able to read the vbulletin hashed password? i hope you can help me because i desperately need to move into vbulletin.

**Steve Machol** · Mon 25 Apr '11, 10:44am

You cannot read hashed passwords.

**danswano** · Mon 25 Apr '11, 10:46am

but normal md5 hash works for me why salted md5 won't?

**feldon23** · Tue 26 Apr '11, 8:22am

You can't "read" a vBulletin password. You can only compare it to see that it is identical to the one provided by the user by session or cookie.

Your best bet is to store the hashed password in your non-vBulletin script and just make sure everything matches by doing the same md5/salt/etc. gymnastics that vBulletin does. If the user isn't logged in, I'd just redirect them to the vBulletin login (there isn't an actual login screen for vBulletin, an annoying oversight, but you can point to a page that guests do not have access to).

**danswano** · Tue 26 Apr '11, 9:47am

The script writer is not supporting the code anymore and i'm not that pro in coding also the script is not accessible from a web page, it's a tcl scripts in IRC server allows you to login to IRC and grant privileges in the IRC server using the forum password but passwords in vbulletin are different, i can't figure out how i can let the script compare the password field and salt together, the scripts is pretty short and simple but i can't recode, if i paste it here can you take a look at it and see if you can help me writing the right sequence to let the script compare the password to the user input?

Thanks

**Steve Machol** · Tue 26 Apr '11, 11:40am

This is no longer a Pre-sales question. We cannot help with a custom script, and particularly anything that is designed to work on vB passwords.

**danswano** · Tue 26 Apr '11, 11:51am

i can't switch to vbulletin if this script didn't work for me or i will be stuck with a useless software but i wish to switch.

VB4 Password Hash Encryption

VB4 Password Hash Encryption

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment