Password Encryptions


CommanderFluffy
07-23-2012, 01:37 AM
Hi all,

I'm looking for a way to change vBulletin from md5 to sha2. Can anyone give me instructions on how to do that?

Or can anyone give me detailed step-by-step instructions to salt the md5 hash codes?

Yes, I have googled; yes, I have looked. All the stuff is old and I don't know if it even matches.

I also can't find a detailed walkthrough on how to do it.

vBulletin version 4.1.4 or higher would be great for this stuff.

kh99
07-23-2012, 01:14 PM
The password is saved in the database as md5(md5(password) . salt), so it already includes salt (or maybe you mean something different). The place that creates the hash is in includes/class_dm_user.php, function hash_password(), and the main place that checks it is in includes/functions_login.php, function verify_authentication(). But if you were going to change it to sha2 I think there are other places that would need to be changed as well (searching all code for md5(md5( is probably a good start).

Disasterpiece
07-23-2012, 05:15 PM
4 to be precise. This should spare you the search:

www-data@debianfish:/var/www/forum$ find . -iname "*.php" | xargs grep "md5(md5"
./profile.php: vbsetcookie('password', md5(md5($vbulletin->GPC['newpassword'] . $vbulletin->userinfo['salt']) . COOKIE_SALT), true, true, true);
./includes/class_dm_user.php: if ($password == md5(md5($this->fetch_field('username')) . $salt))
./includes/functions_login.php: $vbulletin->userinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $vbulletin->userinfo['salt']), '') AND
./includes/class_bootstrap.php: if ($vbulletin->userinfo['password'] == md5(md5($vbulletin->userinfo['username']) . $vbulletin->userinfo['salt']))
./includes/class_core.php: * @param string Password, must arrive in cookie format: md5(md5(md5(password) . salt) . 'abcd1234')

kh99
07-23-2012, 10:00 PM
Oh, one more thing that just occurred to me: normally a password the user enters is hashed with a javascript function before it's sent to the server (which is why the verify_authentication() function checks for a plain text password or md5(password)). If you search the templates for md5hash, you'll find where this is done.

I also just noticed that you asked for "detailed step by step instructions", and that's not what I gave you. Sorry, I guess it's a little too complicated for that (although someone else might take a shot at it).
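An added worked example (written for this thread, not code from vBulletin or from any poster) that puts the pieces of the two replies above together: the stored form md5(md5(password) . salt), the cookie form quoted from class_core.php, the fact that the login form may deliver either the plain password or a JavaScript-computed md5(password), and one defensible way to move such records to a slow salted hash without a flag-day migration. The replacement scheme (PBKDF2-HMAC-SHA256 keyed on the client-side md5 digest, stored as a self-describing string), the iteration count, the COOKIE_SALT placeholder and the sample user record are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Placeholder: the class_core.php comment quoted in the thread shows the cookie
# format with a literal 'abcd1234' standing in for the real COOKIE_SALT.
COOKIE_SALT = "abcd1234"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def legacy_hash(secret: str, salt: str, already_md5: bool = False) -> str:
    """Legacy vBulletin scheme as described in the thread: md5(md5(password) . salt).

    The login form normally sends md5(password) computed in JavaScript, so the
    server may receive either the plain password or its md5 digest; this mirrors
    the iif() in functions_login.php by accepting both.
    """
    inner = secret if already_md5 else md5_hex(secret)
    return md5_hex(inner + salt)


def legacy_cookie_value(stored_hash: str, cookie_salt: str = COOKIE_SALT) -> str:
    """Cookie format quoted from class_core.php:
    md5(md5(md5(password) . salt) . COOKIE_SALT)."""
    return md5_hex(stored_hash + cookie_salt)


# --- replacement scheme: an assumption of this example, not vBulletin code ---
PBKDF2_ITERATIONS = 600_000


def modern_hash(md5_password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 over the client-side md5 digest with a random 16-byte
    salt, stored self-describing as  pbkdf2_sha256$iter$salthex$dkhex.

    Keying on md5(password) rather than the plain password keeps the existing
    JavaScript prehash working; the slow KDF is what resists offline guessing.
    """
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", md5_password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_modern(md5_password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", md5_password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(user: dict, secret: str, already_md5: bool = False) -> bool:
    """Verify against whichever scheme the record uses. On a successful login
    against a legacy record, rewrite it in the new scheme, so the md5 hashes
    disappear from the database one successful login at a time."""
    md5_password = secret if already_md5 else md5_hex(secret)
    if user["password"].startswith("pbkdf2_sha256$"):
        return verify_modern(md5_password, user["password"])
    # Legacy record: constant-time compare of md5(md5(password) . salt).
    expected = legacy_hash(md5_password, user["salt"], already_md5=True)
    if not hmac.compare_digest(expected, user["password"]):
        return False
    # The new record carries its own salt; the old salt column goes unused.
    user["password"] = modern_hash(md5_password)
    return True


def demo() -> dict:
    """Constructed sample record (not from the thread) run through both paths."""
    salt = "k3Q"
    user = {"username": "alice", "salt": salt,
            "password": legacy_hash("correct horse", salt)}
    before = user["password"]
    ok_plain = login(user, "correct horse")                             # legacy path, upgrades record
    ok_md5 = login(user, md5_hex("correct horse"), already_md5=True)    # new path, prehashed client
    bad = login(user, "wrong")
    return {"before": before, "after": user["password"],
            "ok_plain": ok_plain, "ok_md5": ok_md5, "bad": bad}


if __name__ == "__main__":
    print(demo())
```

The point of feeding the KDF md5(password) instead of the plain password is that the server never reliably sees the plain password when the JavaScript prehash is in place, so the upgrade has to work from the digest; that costs nothing in strength because the per-user random salt and the iteration count, not the input form, are what make each guess expensive. Any real migration would also have to revisit the cookie and bootstrap checks listed in the grep output above, which is the part Zachery's reply warns is neither small nor upgrade-proof.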

CommanderFluffy
07-23-2012, 10:08 PM
The main reason I need this is some guy got into my database and unsalted and unhashed quite a lot of passwords and posted them publicly to the server. Great disappointment to me and what I had...

Now I'm looking for the more secure sha2. If you could even provide a step-by-step of what needs to change and how, kinda thing, that would be great!

Zachery
07-23-2012, 10:49 PM
That's not going to be easy, not to mention it would break with every upgrade. You need to take better steps to protect your users' data in the first place. If someone can get into the system with enough time and effort, they can still decrypt passwords.

Also understand that they did not unhash the passwords. They used brute force, trying hundreds of thousands of combinations to break the md5 hash. It's not something you just click a button on and find the right combo.

If your database were better protected in the first place, he wouldn't have been able to access it, and get the data to try to hammer on.