
Read also md5 Passwords

Hi guys,
I need some help please. I imported all my users and passwords from a database (the passwords are only md5). I would like to log the users in with their passwords. What should I do? Should I convert all the md5 passwords to the "vanilla hashed method", or make the auth check the pass even if it's md5 or "vanilla" in the database? Either way, how should I do these things?

Thank you,


Comments

  • hgtonight ∞ · New Moderator

    Welcome to the community!

    What version of Vanilla are you running?

    Were the "md5 passwords" from another software?

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • Hi, thank you for answering so quickly.
    I am using 2.0.18, and yes, it's an old user database. I just copied the users and passwords to the Vanilla database. The Vanilla passwords look like "$P$BMe5jaylBrG/fmaaKnndRbyMKpTJaW0" and mine look like "21232F297A57A5A743894A0E4A801FC3" (md5), and I want to log in to Vanilla with this password. Is it possible to change the "class.passwordhash" or something to read both?

    Thank you

  • hgtonight ∞ · New Moderator

    In your GDN_User db table, change the HashMethod field to punbb on all the old users.

    This will use md5 without salt to check the passwords.

  • edited June 2013

    Sorry, but I'm not such a big expert in DBs. Do I have to rename the HASHMETHOD field to PUNBB? For all users?

  • hgtonight ∞ · New Moderator

    For all the users you imported.

    If all your users are imported:

    UPDATE `dbname`.`GDN_User` SET `HashMethod` = 'punbb';

  • Thank you very much, I have made it work :D but I added the punbb only to my users from the old databank, not to the admin of the forum. I will upload a pic tomorrow. Thank you very much again!

  • Like I promised, here is a print screen of the DB that works: all my users from the old database log in with only their md5 hash passwords, and my new users use the Vanilla hash method. TNX hgtonight

  • So I am really sorry, I did not see it, but the login for the rest of my users doesn't work; I get wrong user/password.

  • You can see I changed all the hash methods to punbb, but only the ones with vanilla work; the others are not working ...

  • hgtonight ∞ · New Moderator

    What software created these hashes originally?

    Also, you will want to remove that attachment showing the hashes.


  • I have a project made in Eclipse with Seam, and it's just a simple md5 encryption. This is just for testing, and the users can't log in with their passwords!!

  • Is it possible to just transform all my md5 passwords to Vanilla hash passwords and just change the punbb what I have not in my DB to vanilla? Would this work?

  • hgtonight ∞ · New Moderator

    If you stored a straight md5 hash, punbb should work.

    If you could post the code you used to generate the hash, it would be helpful.

    The idea of hashing algorithms is to make it difficult (read: very difficult) to get the original data back, so 'converting' your hashes is basically a wash.

    You could always do a mass reset of your users' passwords (change the hashmethod column to 'reset'). This should probably be your last resort.


  • OK, I will put the code for the hashing method here on Monday, because I am on my laptop in another city :) And how does this reset work, if you could explain it? Will it erase all the passwords? Or what is the idea behind the reset? BTW hgtonight, thank you very much for supporting me with my problem.

  • OK, so an UPDATE to this problem of mine. The passwords in my DB are all "md5", but they were all in BIG LETTERS; that is why the users could not log in with "punbb" or "django" etc. I just lowercased all my passwords in the DB and now everything works perfectly.

    If somebody else has the same problem, just go to your DB and run the following command:
    UPDATE tableName.gdn_user SET Password = lower(convert(password using latin1)) WHERE userid > 10

    *** The "10" is just an example, because if you have imported your users and passwords, they are not "Vanilla" hashed. So the first users that use the Vanilla hash method you should let be, and just change the number to the number of the first user where your imported users are. ***

    In my example, my first 10 users were made in Vanilla and were using the Vanilla hash method; after that I imported the users from another DB where my encryption method was md5, and my users started from "UserID = 11".

    Hope this helps.

  • Find a way to reset the passwords, md5 is crackable

  • It's crackable, but first the "hacker" needs to find the DB with the user to find the hashed password and then crack it, but if you have a very good DB and a very secure system for that DB then that "hacking" is really hard. I'm just going to give all users a message to change their passwords, and with that the new passwords will be Vanilla hashed. If they don't want to and it's not that important to them, then the account is not important for hacking and nobody is interested in hacking it. Thank you for the advice and the interest.

  • It is difficult to crack md5 with a salt. It is crackable theoretically, as in it has been done in ideal conditions. It is true there are stronger hashes.

    grep is your friend.

  • @bogdancristian said:
    change their passwords and with that the new passwords will be vanilla hashed

    I'm not sure that's accurate. Test 1 user, because the hash method has to change to 'Vanilla'.

  • I tested on "testUser": it had the "punbb" hash method in the DB, and after I changed the password the hash method changed to "Vanilla".

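Added example, not part of the thread and not Vanilla's own code: a Python illustration of the two points discussed above, namely why an uppercase MD5 digest fails a case-sensitive comparison, and how an unsalted MD5 record can be replaced by a salted hash at the next successful login. The `users` table, the function names, the method labels and PBKDF2 as the replacement hash are assumptions made for the illustration; Vanilla's own hasher is different.

```python
import hashlib
import hmac
import os

# Constructed sample row. The uppercase digest is the example value quoted in
# the thread (it is the unsalted MD5 of the string "admin").
users = {
    "imported": {"method": "md5", "hash": "21232F297A57A5A743894A0E4A801FC3"},
}
PBKDF2_ROUNDS = 600_000  # assumed work factor for the replacement hash


def naive_md5_check(password, stored):
    # Case-sensitive string comparison: fails on uppercase hex digests.
    return hashlib.md5(password.encode()).hexdigest() == stored


def md5_check(password, stored):
    # Hex digits are case-insensitive, so normalise before a constant-time compare.
    computed = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(computed, stored.strip().lower())


def pbkdf2_hash(password, salt=None):
    # Per-user random salt plus a slow key-derivation function.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${dk.hex()}"


def pbkdf2_check(password, stored):
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(pbkdf2_hash(password, bytes.fromhex(salt_hex)), stored)


def login(name, password):
    row = users.get(name)
    if row is None:
        return False
    if row["method"] == "md5":
        if not md5_check(password, row["hash"]):
            return False
        # The plaintext is only available now: replace the unsalted MD5 record.
        row["method"], row["hash"] = "pbkdf2", pbkdf2_hash(password)
        return True
    return pbkdf2_check(password, row["hash"])
```

Until an imported user logs in, the unsalted MD5 value stays in the table, so accounts that never return still need a forced reset to get rid of it.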