Please upgrade here. These earlier versions are no longer being updated and have security issues.

Passwords no longer work after update from 2.2

DaveVDaveV New
edited November 2018 in Vanilla 2.0 - 2.8

I've upgraded an old 2.2 installation to 2.5.6 and all the user passowrds no longer work 🙁.

After a bit of research and looking at the database I see that the passwords are all hashed with the Vanilla method, which in 2.2 uses $P$ (phpass). However in 2.5 the Vanilla method has changed and uses $2y$ (crypt), and it seems it can't automatically rehash the passwords. I've tried instead upgrading to 2.3 first and this works - the passwords are re-hashed to $2a$ on login. However, I really need to update to at least 2.5, so can't upgrade to 2.3 first and wait for all the users (over 2000) to login before then upgrading to 2.5...

Therefore, I think my only option is to change the hash method to 'reset' and force all the users to reset their passwords on their next login.

Has anyone else experienced this, or know of a work-around?


  • DaveVDaveV New
    edited November 2018

    Ah sorry, I think I posted too soon, I think this is a duplicate of

    I didn't remove the /applications/vanilla/controllers/class.settingscontroller.php file. This isn't mentioned as an upgrade step in the 2.5 readme, but is mentioned here:

  • So even when I do remove /applications/vanilla/controllers/class.settingscontroller.php first before doing the update I still have the password issue. Is there any other way they can be re-hashed without having to ask users to reset them?

  • R_JR_J Cheerleader & Troubleshooter Munich Moderator

    Since the original password is saved nowhere, it cannot be automatically rehashed. In theory it might be possible to write a plugin which would do the trick by intercepting when the user re-enters his password by first comparing the password with the old method and the old hash and then writing the new hash based on the new method to the database and setting a flag that this user is using the new method (maybe even that is not possible, I have not enough knowledge of the password methods Vanilla used then and now).

    But I'm pretty sure your users will not be upset. Tell them "great new features, all is shiny and blinks, password are more secure than ever, please rest your old password". If my forum admin would tell me that, it would be okay for me to reset my password.

    The effort for writing such a plugin is simply to high, I guess.

  • x00x00 MVP
    edited November 2018

    edit wrong info

    grep is your friend.

  • x00x00 MVP
    edited November 2018

    it seem to be a problem with portable_hashes not being set at the appropriate time.

            if ($this->portable_hashes) {
            } else {

    grep is your friend.

  • Instead you need to mark your portable hashes with HashType Phpass rather than Vanilla. As this uses PhpassPassword::HASH_PHPASS by default. Vanilla merely extends this.

    You can do a query to achieve this.

    grep is your friend.

  • e.g.

    UPDATE GDN_User SET HashMethod = 'Phpass' WHERE Password LIKE '$P$%'

    grep is your friend.

  • This will change when they sign in.

    However the blowfish encryption, is mainly protecting the salt. Which is only relevant is you have been jack potted in the first place, and still would require a dictionary/rainbow attack after this.

    Other attacks like timing attacks are already taken care of.

    So theses are decent hashes.

    grep is your friend.

  • @x00 thanks for your help with this, but unfortunately changing all the old passwords' method to Phpass doesn't work - it looks like the old Vanilla method in v2.2.3.4 used a variation of Phpass which v2.5.6 doesn't account for..

  • I don't know there is is probably soemthign else goign on.

    It is true that the current release has re-factored some code. There is a lot more use of mixins, etc.

    However it would eb a massive oversight if thsi was the case. It is possible for sure, however I have not heard of other people in you position having this issue. Granted, there are only a handful of cases and I have no been around much.

    grep is your friend.

Sign In or Register to comment.