1

Topic: Password Algorithm?

I was wondering what algorithm the passwords are encrypted under. Don't worry, I'm not out to steal my forum users' passwords, I just want to see what's going on and maybe use a similar algorithm on another password file.

Do, or do not.

Re: Password Algorithm?

From login.php:

    if (!empty($db_password_hash))
    {
        $sha1_in_db = (strlen($db_password_hash) == 40) ? true : false;
        $sha1_available = (function_exists('sha1') || function_exists('mhash')) ? true : false;

        $form_password_hash = pun_hash($form_password);    // This could result in either an SHA-1 or an MD5 hash (depends on $sha1_available)

        if ($sha1_in_db && $sha1_available && $db_password_hash == $form_password_hash)
            $authorized = true;
        else if (!$sha1_in_db && $db_password_hash == md5($form_password))
        {
            $authorized = true;

            if ($sha1_available)    // There's an MD5 hash in the database, but SHA1 hashing is available, so we update the DB
                $db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\' WHERE id='.$user_id) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
        }
    }

Re: Password Algorithm?

It uses SHA-1 if it is available (not all PHP setups have it). If it isn't available, it falls back on MD5.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

4

Re: Password Algorithm?

Ah, thanks a lot.

Do, or do not.

5

Re: Password Algorithm?

Someone in this big wide world one day will uncrypt an MD5 password thing.

---------> PLEASE REMEMBER I GOT THE FIRST EVER POST OF PUNBB 1.1! <---------

6

Re: Password Algorithm?

Well, in order for PHP or any other program to read MD5, it has to decrypt it. So therefore, it has already been done.

Do, or do not.

7

Re: Password Algorithm?

So Dale was right :)

8

Re: Password Algorithm?

For some odd reason, I feel that I am that someone that Dale is referring to. Weird.... I would NEVER do something like that...

Do, or do not.

Re: Password Algorithm?

There is no way to "decrypt" an MD5 checksum. You can brute force it by trying all possible combinations, but you can't go from MD5 to cleartext. MD5 is a checksum generation algorithm; it's not encryption per se.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Password Algorithm?

No program reads the MD5.
They just take the text password you supply, turn it into MD5 and compare it to the MD5 value that you store in the DB/file.

11

Re: Password Algorithm?

Ah, yeah, that does make sense.

Do, or do not.

12

Re: Password Algorithm?

Hello,

I don't understand very well why in PHP there are these 2 lines:

            if ($sha1_available)    // There's an MD5 hash in the database, but SHA1 hashing is available, so we update the DB
                $db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\' WHERE id='.$user_id) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
        }

(if the login is successful).

It is designed to convert md5 passwords to sha1, that's OK, but why are those lines in login.php? Does this update have to be done on every login step? I would have said that it just has to be done one time (admin maintenance operation).
About this conversion, I too have "conceptual" difficulties with this on-the-fly conversion (I had trouble with this when using PEAR:Auth (which doesn't handle sha1, just crypt() and md5()) with punBB). Wouldn't it be preferable to have this outside login.php?

Re: Password Algorithm?

sergio: In previous versions of PunBB, md5() was used for all password hashing. However, beginning with 1.1, sha1() is the preferred hashing algorithm. The problem is that you can't just take an MD5 hash and convert it into an SHA1 hash. You need the cleartext password. So, in order to migrate as many as possible over to sha1, I wrote that piece of code. It only runs the update if SHA1 is available AND the user currently has an MD5 hash in the database (which means hardly ever). It is not possible to do via e.g. an admin maintenance operation.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

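Added example (not part of the original thread and not PunBB's own code): the hash-and-compare check and the upgrade-on-login step discussed in the posts above, written out as a runnable sketch. It assumes an in-memory `$users` array in place of the database, hypothetical function names, and PHP's built-in `password_hash()` as the upgrade target rather than SHA-1.

```php
<?php
// Added example, not PunBB code. $users is a constructed in-memory stand-in
// for the users table; login() and verify_legacy() are hypothetical names.
$users = [
    'alice' => md5('correct horse'),    // constructed row: 32 hex chars, MD5 era
    'bob'   => sha1('battery staple'),  // constructed row: 40 hex chars, SHA-1 era
];

function verify_legacy(string $password, string $stored): bool
{
    // Stored length identifies the legacy algorithm, like the strlen() == 40 test.
    switch (strlen($stored)) {
        case 32: $candidate = md5($password);  break;
        case 40: $candidate = sha1($password); break;
        default: return false;
    }
    // Hash the submitted password and compare; nothing is ever "decrypted".
    // hash_equals() compares as strings in constant time, whereas == would
    // treat two all-digit "0e..." hex strings as equal numbers.
    return hash_equals($stored, $candidate);
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];
    $is_modern = strncmp($stored, '$', 1) === 0;  // password_hash() output starts with '$'
    $ok = $is_modern
        ? password_verify($password, $stored)
        : verify_legacy($password, $stored);
    if (!$ok) {
        return false;
    }
    // The cleartext is only available here, at a successful login, so this is
    // the one place a stored hash can be replaced by a stronger one.
    if (!$is_modern || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

var_dump(login($users, 'alice', 'wrong guess'));    // rejected, row untouched
var_dump(login($users, 'alice', 'correct horse'));  // MD5 row verified, then upgraded
var_dump(strlen($users['alice']) === 32);           // stored value is no longer MD5 hex
var_dump(login($users, 'alice', 'correct horse'));  // verified by password_verify() now
var_dump(strlen($users['bob']) === 40);             // bob has not logged in: still SHA-1
```
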
14

Re: Password Algorithm?

I have just converted from phpBB to punBB and I use some scripts that integrate some other sites with the forum. I have scripts that copy all users, passwords and their email addresses and update the other sites' databases. They all use MD5 encryption for the passwords.

Is it possible to change something in the code for punBB that makes it store the password as MD5 the next time the user changes the password? Then my scripts will continue to work without modification.

Re: Password Algorithm?

Find the function pun_hash() in functions.php and modify it so it only uses md5().

16

Re: Password Algorithm?

Thank you! It worked!