1 (edited by forzaferrari 2005-04-07 21:16)

Topic: Problem with MD5 passwords in MySQL database

Hi all!

I have a very weird problem which I hope some of you can help me solve. Here's the thing:

I've set up my own php-based news-website to use the "forum_users" table of PunBB when authenticating users before they can react to news-items on the news-website. This way, I combine both things and have some kind of community feeling to the whole thing.

Anyway, I noticed some strange behavior of the MySQL database when handling the passwords in MD5 encryption. It seems that after a short while they change from one MD5 hash value to another, causing my website visitors to be unable to log in while they are still able to access the forum itself.

I manually changed my own password for example just half an hour ago to a value of ceab413736883106ac8ded51f23b8f1d. To my own surprise the very same value had changed to e54ac0ff85c8f425e2df286f0ab123c331ef63f0 when I checked back a few minutes later. The forum seems to be able to handle the change since I'm still able to log in on the forum, but I cannot post comments on news-items anymore while both use the same "forum_users" table.

Does anyone have a logical explanation why the MD5 values are changed once in a while? Is it due to some security issue in PunBB or perhaps a bug in PHPMyAdmin or whatever? Any thoughts on this would be greatly appreciated.

With kind regards,
Nick

Re: Problem with MD5 passwords in MySQL database

if your php supports SHA1 then punbb will automatically convert them to SHA1 as your users log in, which is what i think is happening

Re: Problem with MD5 passwords in MySQL database

It should also be noted that I'm considering phasing out MD5 altogether in 1.3.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Problem with MD5 passwords in MySQL database

Connorhd wrote:

if your php supports SHA1 then punbb will automatically convert them to SHA1 as your users log in, which is what i think is happening

I've never heard of SHA1, but I get your point. I've changed my news-post-system to use SHA1 password encryption and it works.

Thanx a lot, this thing has kept me busy for a while now. :P

Re: Problem with MD5 passwords in MySQL database

Connorhd wrote:

if your php supports SHA1 then punbb will automatically convert them to SHA1 as your users log in, which is what i think is happening

After I upgraded to 1.2.15 I had a related problem with logging in.

In the previous version (which I didn't download from punbb.org, unfortunately) I used md5 encryption only. Thus, after upgrading (which in my case also updated the pun_hash function) I couldn't log on. The login script did say I logged on correctly, but it was setting a cookie with a wrong password hash, so after being redirected to index.php I was still a 'Guest'.

I fixed this by changing the pun_hash function to use the md5 function, but I've already spotted other places where sha1 function is used in preference. So, coming back to the quote I would like to convert all the passwords in my database to the sha1 encryption, but my script doesn't do that. Could you tell me where I should look for it? As in which files I should replace with the original punbb 1.2.15 files?

Thanks!
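
The situation in this thread, a shared users table holding a mix of 32-character MD5 and 40-character SHA-1 digests that are upgraded as users log in, can be handled by a second application as sketched here. This is an added example, not part of the original posts and not PunBB's own code; the function name `verify_legacy_hash` and the sample rows are hypothetical and constructed for illustration.

```php
<?php
/**
 * Check a password against a stored unsalted hex digest that may be
 * MD5 (32 hex chars) or SHA-1 (40 hex chars).
 * Returns [bool $ok, ?string $upgradedHash]; $upgradedHash is non-null
 * only when an MD5 row matched and should be rewritten as SHA-1.
 * Note: unsalted MD5/SHA-1 are fast hashes. An application not bound to
 * this table format would use password_hash()/password_verify() instead.
 */
function verify_legacy_hash(string $password, string $stored): array
{
    $stored = strtolower(trim($stored));
    if (!ctype_xdigit($stored)) {
        return [false, null];            // empty or not a hex digest
    }
    switch (strlen($stored)) {
        case 40:                         // already SHA-1
            return [hash_equals($stored, sha1($password)), null];
        case 32:                         // legacy MD5: verify, then upgrade
            if (hash_equals($stored, md5($password))) {
                return [true, sha1($password)];
            }
            return [false, null];
        default:                         // unknown format: fail closed
            return [false, null];
    }
}

// Constructed sample rows standing in for the shared "forum_users" table.
$rows = [
    'alice' => md5('correct horse'),     // not yet upgraded
    'bob'   => sha1('example-pass'),     // already upgraded by the forum
];

$attempts = [['alice', 'correct horse'], ['bob', 'example-pass'], ['bob', 'wrong']];
foreach ($attempts as [$user, $pw]) {
    [$ok, $upgrade] = verify_legacy_hash($pw, $rows[$user]);
    if ($ok && $upgrade !== null) {
        $rows[$user] = $upgrade;         // real code: write back to the shared table
    }
    printf("%s: %s (stored digest length %d)\n",
        $user, $ok ? 'ok' : 'denied', strlen($rows[$user]));
}
```

Because only digests are stored, a row can be upgraded only at login, when the plaintext password is available; a bulk conversion of existing MD5 rows to SHA-1 is not possible.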

Re: Problem with MD5 passwords in MySQL database

Rickard wrote:

It should also be noted that I'm considering phasing out MD5 altogether in 1.3.

That's good news :)

Re: Problem with MD5 passwords in MySQL database

Jérémie wrote:
Rickard wrote:

It should also be noted that I'm considering phasing out MD5 altogether in 1.3.

That's good news :)

It should now be noted that MD5 IS phased out in 1.3 :P

Re: Problem with MD5 passwords in MySQL database

UH... I missed the date of Rickard's post ;)

Re: Problem with MD5 passwords in MySQL database

hehe :P