Topic: MySQL Encrypted Passwords

I look at the database entry for passwords as I am attempting to link the MySQL database for the PunBB forum (which I find is a great bit of software) to the Anope services for IRC database, so that my users can log in on the chat room with the same credentials as they use on the forum.

When I was looking at the fields to see where those records are kept, to program the services to use that database file and location for its usernames and passwords, I noticed that the entry for password was encrypted. Now the services have an option to encrypt called dec.

What I would like to know is 2 things. Does PunBB use the standard encryption from MySQL? And can the forum be forced to use plain text for passwords?

Thanks in advance

Re: MySQL Encrypted Passwords

Most apps hash passwords. They usually use something like md5 but some actually encrypt the password. You'll have to check out whoever put the passwords in the database to see how they do it.

Re: MySQL Encrypted Passwords

As far as I know the PunBB program put them there. You see, I only recently added the chat service to the website. So PunBB hashes the passwords with an encryption key.

Is it possible to use the same encryption key? If so, where would I find it within the program?

Re: MySQL Encrypted Passwords

PunBB uses sha1 if available, else falls back to md5. These cannot be decrypted, so your only option is to modify the IRC server so it uses pun_hash() to check the passwords. You can also modify this function to use an encryption of your choice, of course.

Re: MySQL Encrypted Passwords

The IRC services only use MySQL and I think it has its own encryption, not sure how to program in pun_hash() to call anything. I will ask the guys at Anope, they made the services program.

Re: MySQL Encrypted Passwords

http://dev.mysql.com/doc/refman/5.0/en/ … tions.html
MySQL can encrypt in MD5 or SHA1. So if you can access the code from your IRC server (the part where it authenticates), you must use something like this in your query:

SELECT password FROM punbb_users WHERE user='%s' AND password=SHA1('%s')

If your server uses MD5, change SHA1 to MD5. (code example uses C string insertion, %s indicates a string should come there)
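An added example, not part of the original post and not PunBB or Anope code: the same check done with a bound parameter instead of %s string insertion, hashing in the application and comparing in constant time. It assumes unsalted hex digests as described in this thread; sqlite3 stands in for MySQL, the table and column names are taken from the query above, and `pun_style_hash`, `check_login` and `demo_db` are hypothetical names.

```python
import hashlib
import hmac
import sqlite3


def pun_style_hash(password: str, algo: str = "sha1") -> str:
    """Unsalted hex digest as described in the thread (SHA-1, MD5 as fallback).

    Assumption: the forum hashed the UTF-8 bytes of the password.
    """
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def check_login(conn, username: str, password: str) -> bool:
    # Bound parameter: the username is never spliced into the SQL text,
    # so a quote character in it cannot change the statement.
    row = conn.execute(
        "SELECT password FROM punbb_users WHERE user = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    stored = row[0].lower()
    # Digest length shows which algorithm wrote the row:
    # 40 hex characters = SHA-1, 32 = MD5.
    algo = {40: "sha1", 32: "md5"}.get(len(stored))
    if algo is None:
        return False
    candidate = pun_style_hash(password, algo)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate.encode(), stored.encode())


def demo_db():
    # Constructed sample data; sqlite3 stands in for the MySQL table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE punbb_users (user TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO punbb_users VALUES (?, ?)", [
        ("alice", pun_style_hash("correct horse", "sha1")),
        ("o'brien", pun_style_hash("legacy-pass", "md5")),  # MD5 fallback row
    ])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(check_login(db, "alice", "correct horse"))
    print(check_login(db, "o'brien", "legacy-pass"))
    print(check_login(db, "alice", "wrong password"))
```

With a MySQL driver the placeholder syntax differs, but the value is still passed separately from the SQL text.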

Re: MySQL Encrypted Passwords

elbekko wrote:

PunBB uses sha1 if available, else falls back to md5. These cannot be decrypted, so your only option is to modify the IRC server so it uses pun_hash() to check the passwords. You can also modify this function to use an encryption of your choice, of course.

It is true that they cannot be decrypted, because of the nature of the hash encryption algorithm. Although MD5 has been said to no longer be secure so it's 'better' to use its successor SHA-1. Which is basically what PunBB does. However MD5 passwords can be reverse engineered. An example of a web site which allows such functionality online is gdataonline.com. The better the password complexity, the better the "security" you'll achieve.

More information on the MD5 and SHA-1 algorithms can be found here: MD5 / SHA-1