
How are passwords constructed?

edited December 2011 in Vanilla 2.0 - 2.8

I have a custom list of users that I need to import and will just bang them into the user table. However, I see it's using some weird-looking hashing. Where can I see exactly in the code where these are generated so I can adapt?




  • 422 Developer MVP

    MD5, isn't it?


  • I've noticed in the table there is a HashMethod and this by default looks to be 'Vanilla'. I'm just trying to work out where this can be set, and what valid alternatives are.

  • Todd Chief Product Officer Vanilla Staff

    The hash method more or less uses phpass which is pretty much the strongest, most secure hash you can use.

    However, if you put plain text passwords in as hash method Vanilla then users can sign in and their methods will be converted upon first sign in.

    You can also use the following hash methods found in /library/core/class.passwordhash.php:

    • django
    • phpbb
    • punbb
    • reset: tells users to reset their passwords when they try and sign in
    • random: tells users they don't have a password yet
    • smf: Simple Machines Forums
    • vbulletin: the salt is the last 4 characters of the password.

    If you have something sort of custom that uses a hash with or without a salt then I recommend using django. It's quite flexible. Passwords in django have the following format:


    • algorithm: This is the hash algorithm and is one of crypt, md5, sha1.
    • salt: This is the password salt that a lot of systems use. If you don't have a salt then you can just use algorithm$$hash which is equivalent to an empty salt.
    • hash: This is the password hash.

    The algorithm then just does the following to check the password:

    algorithm($salt.$password) == $hash
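
As an added example (not code from this thread or from Vanilla), the Python sketch below wraps existing salted md5/sha1 hashes for import in the `algorithm$salt$hash` layout implied by the `algorithm$$hash` shorthand above, and checks a password with the rule from the post, `algorithm($salt.$password) == $hash`. The function names and sample rows are constructed for illustration; it assumes hex-encoded digests and leaves out crypt.

```python
import hashlib
import hmac

# Algorithms handled by this sketch; the post also lists crypt, omitted here.
_DIGESTS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def make_django_value(algorithm, salt, legacy_hex_hash):
    """Wrap an existing legacy hash as algorithm$salt$hash for import."""
    if algorithm not in _DIGESTS:
        raise ValueError("unsupported algorithm: %r" % algorithm)
    if "$" in salt:
        # '$' is the field separator, so a salt containing it cannot round-trip.
        raise ValueError("salt must not contain '$'")
    return "$".join((algorithm, salt, legacy_hex_hash.lower()))


def check_django_value(stored, password):
    """Return True if algorithm(salt + password) equals the stored hash."""
    parts = stored.split("$")
    if len(parts) != 3:
        return False
    algorithm, salt, expected = parts
    digest = _DIGESTS.get(algorithm)
    if digest is None:
        return False
    computed = digest((salt + password).encode("utf-8")).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(computed.encode("ascii"),
                               expected.lower().encode("utf-8"))


def convert_rows(rows):
    """Map (name, algorithm, salt, hash) rows to (name, HashMethod, value)."""
    return [(name, "django", make_django_value(alg, salt, h))
            for name, alg, salt, h in rows]


# Constructed sample rows: md5("password") with no salt, and
# sha1("pass" + "word") with salt "pass" (stored upper-case on purpose).
CONSTRUCTED_ROWS = [
    ("alice", "md5", "", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob", "sha1", "pass", "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"),
]
```
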
