
phpBB hash method

We just converted from phpBB3 to Vanilla and users are unable to log in without resetting their passwords. I have triple-checked that the Member role has permission to log in. The issue seems to be that Vanilla is not able to create the proper hash.

Our forum has been around for a long time and therefore passwords are stored in many different hashes. A quick look in the db shows passwords hashed using $H$, $2y$, and $2a$. Could the fact that there are multiple algorithms in use be the reason for the login failures?

Comments

  • Linc Detroit Admin

    @mightyrocket That sounds like a very likely culprit, yes. $2y$ and $2a$ are Blowfish (crypt) and $H$ is phpass (phpbb). Set the HashMethods for $2y$ and $2a$ passwords to 'crypt' and that may allow them to log in. The $H$ passwords should already be working - they are what the 'phpbb' HashMethod expects.

  • @Linc Thanks! I'll try setting the HashMethod for $2y$ and $2a$ to 'crypt'.

  • Great news, @Linc! Your recommendation appears to have worked. We've a few affected users now able to log in. Thanks for the help!

    In case anyone else needs it, here's the SQL query to set HashMethod to 'crypt' for Blowfish passwords:

    UPDATE `GDN_User`
    SET `HashMethod` = 'crypt'
    WHERE 
        `Deleted` = 0
        AND `HashMethod` = 'phpbb'
        AND (LEFT(`Password`,4) = '$2a$' OR LEFT(`Password`,4) = '$2y$')
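
Added example (not part of the original thread and not Vanilla's own code): a pre-flight audit, run over an export of user rows before an UPDATE like the one above, that checks each stored hash against the expected phpass or bcrypt layout and reports rows whose HashMethod does not match the prefix or whose hash is malformed (for instance truncated during import). The row layout, function names and sample hashes are assumptions constructed for illustration.

```python
import re

# Stored layouts: phpass "$H$" + 31 chars (1 cost, 8 salt, 22 digest) = 34 total;
# bcrypt "$2a$"/"$2y$" + 2-digit cost + "$" + 53 chars (22 salt, 31 digest) = 60.
PHPASS = re.compile(r"\$H\$[./0-9A-Za-z]{31}")
BCRYPT = re.compile(r"\$2[ay]\$(\d{2})\$[./0-9A-Za-z]{53}")


def classify(stored):
    """Return (expected HashMethod, problem or None) for one Password value."""
    if stored.startswith("$H$"):
        problem = None if PHPASS.fullmatch(stored) else "malformed phpass hash"
        return "phpbb", problem
    if stored.startswith(("$2a$", "$2y$")):
        match = BCRYPT.fullmatch(stored)
        if match is None:
            return "crypt", "malformed bcrypt hash"
        if not 4 <= int(match.group(1)) <= 31:
            return "crypt", "bcrypt cost out of range"
        return "crypt", None
    return None, "unrecognised prefix"


def audit(rows):
    """rows: (user_id, current HashMethod, Password). Return rows needing action
    as (user_id, current, expected, problem)."""
    findings = []
    for user_id, current, stored in rows:
        expected, problem = classify(stored)
        if problem is not None or expected != current:
            findings.append((user_id, current, expected, problem))
    return findings


# Constructed sample rows; the salt and digest characters are filler, not real hashes.
SAMPLE_ROWS = [
    (1, "phpbb", "$H$9" + "s" * 8 + "d" * 22),  # phpass, already correct
    (2, "phpbb", "$2y$10$" + "x" * 53),         # bcrypt mislabelled as phpbb
    (3, "phpbb", "$2a$08$" + "x" * 53),         # bcrypt mislabelled as phpbb
    (4, "phpbb", "$2y$10$" + "x" * 40),         # bcrypt cut short on import
    (5, "crypt", "$2y$10$" + "x" * 53),         # bcrypt, already correct
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

Rows reported with a problem will still fail to log in after the HashMethod change and need a password reset instead.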
    