miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
The Other miniBB Support Forums / The Other /  
 

Which way passwords are encrypted / how to decode passwords

 
Author tobyy
Partaker
#1 | Posted: 11 Oct 2006 07:49 
I need to import some users from an old forum to the user database.

I do know how to put the usernames, emails,... in the database but i need to know how to encrypt the passwords so these users can login!

right now i've got all the users without encryptet passwords, so is there a function i can use to write the passwords into the user table correctly?

i guess the funtion i'm looking for is somewhere inbb_func_regusr.php - but where??

thanx for your help, great forum!!

Author Paul
Lead Developer 
#2 | Posted: 11 Oct 2006 09:54 
miniBB stores all passwords one-way encoded by MD5 algorithm. This is defined in a function writeUserPwd() of bb_cookie.php file.

I guess, mySQL has a built-in function for MD5.

Author tobyy
Partaker
#3 | Posted: 11 Oct 2006 11:16 
thanks, just found the function myself :)

i just needed to fill in the passwords via

$encrypted_password = md5($password);

works fine!

cheers
t

Author manas
Partaker
#4 | Posted: 29 Jun 2010 06:39 
In my database password is looking like: 5d45c58ea1ef37f17c2f885219215426
Can any one know how can I see what exactly the password is(in the format of string)?
Any tool how to convert this 5d45c58ea1ef37f17c2f885219215426 to String?

Author Prince
Partaker
#5 | Posted: 29 Jun 2010 14:15 
that's a cheat.. so it's not good you know your user passwords... ;)

Author manas
Partaker
#6 | Posted: 30 Jun 2010 00:53 
Currently smtp server is not working because of some port is blocked. So currently email things is not working. If some one forgot his/her password I have to check the database and need to send the password manually. So the password is save in the database md5-hash format. Thats what I want to know how can decode the password.

Its will helpful if some one know how can I decode it :)

Author Paul
Lead Developer 
#7 | Posted: 30 Jun 2010 01:02 
There is no way to decode MD5-hash back. Oh, may be there is a brute force method to hack it, but if the password is difficult to guess, it could take years :-)

I think, for your case, you just need initially to store passwords clear. Modify bb_cookie.php file - function writeUserPwd(). Where it says return md5($pwd); it should be just return $pwd;

However this will not work for older users. This must be set up initially as soon as you start the board and get new registrations.

Author T.K.
Guest
#8 | Posted: 1 Jul 2011 06:36 
I have one question. In miniBB is password saved as hash MD5. But i want in this shape mkd5(md5($pass).$nick) ... It is very dangerous when is saved as only hash. It is possible for change?
If you do not do this, please tell me where is login, registration, ... And i will change it.
Sorry for my english.

Author Paul
Lead Developer 
#9 | Posted: 1 Jul 2011 06:45 
Look up in bb_cookie.php -> writeUserPwd() function.

It gets only clear password parameter from the other scripts, and returns encoded value.

I think it's fully enough to use just a more stronger encoding function, if you want so, replacing md5 there.

I'm not sure what mkd5 is about though.

T.K.:
It is very dangerous when is saved as only hash.
"Dangerous" is not the proper word for that. Dangerous is to driving after drinking 0,5 l of vodka or loving a woman.

If we use md5 that only means somebody could steal your cookie where this value is stored, and spend about many years trying to decode it, I doubt it would be worth just for the forum. Forum software is not that thing where you must care about security.

If somebody is stealing your cookie, it's not the problem of miniBB furthermore. It's a problem more serious than you can imagine. Because forum cookie is kids thing. If they can steal a forum cookie, they could steal also more "serious" cookie.

But if you provide a not-easy-to-guess password, it's already the strong protection against stealing it, doesn't depending on hash :)

Author T.K.
Guest
#10 | Posted: 2 Jul 2011 03:20 
All MD5 hash is done so in only one function? So when I change the contents of function, everything will work?

Author Paul
Lead Developer 
#11 | Posted: 2 Jul 2011 03:21 
Yes, that's the only change you should do. At least it's supposed to work :)
As far as I know it merely works if you replace md5 to sh1, for example.
Try it and let us know.

Author Tirus
Partaker
#12 | Posted: 2 Jul 2011 04:05 
now i change function in bb_cookie.php to function writeUserPwd($pwd){
return sha1(md5($pwd).$pwd);
}
register is ok, but login is worst. password is not correct

Author Paul
Lead Developer 
#13 | Posted: 4 Jul 2011 09:00 
So if you change to that function, you should keep in mind the length of the password field in users table of miniBB. Currently it's = 32 but I suppose it's not enough for SHA1 algorithm, it should have 40 symbols at least.

So you must upgrade this field's length to have 40 chars.

alter table minibbtable_users modify user_password varchar(40);

The Other miniBB Support Forums / The Other /
 Which way passwords are encrypted / how to decode passwords
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message


  ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.


Before posting, make sure your message is compliant with forum rules; otherwise it could be locked or removed with no explanation.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Try the Captcha add-on: protect your miniBB-forums from the automated spam and flood.


  ⇑