Getting user password in plain text


xXZarghamXx
09-01-2014, 09:06 AM
I need to get the user password in plaintext when they change their password. Then I will feed them to a hashing algo for a third-party application. In profile.php, which variable actually stores the user password in plaintext, and at which point?

I am interested in the start update password part.

Is it GPC['newpassword']?


Thanks for the guidance

Dave
09-01-2014, 09:40 AM
The variable is $vbulletin->GPC['newpassword'].
Hook location profile_updatepassword_start.

Although it's better to save the $vbulletin->GPC['newpassword'] variable in your own variable at profile_updatepassword_start and then use profile_updatepassword_complete to use the variable for your third party application because the password is updated/checked at that point.

Scanu
09-02-2014, 12:16 PM
Make sure the password is not encrypted using JavaScript when sending the form. If so, there isn't a PHP variable which contains the plain text password. You would have to edit the template and remove something like onsubmit="md5(...password)...."

Dave
09-02-2014, 01:25 PM
Make sure the password is not encrypted using JavaScript when sending the form. If so, there isn't a PHP variable which contains the plain text password. You would have to edit the template and remove something like onsubmit="md5(...password)...."

Good one, upon sending the form the currentpassword, newpassword and newpasswordconfirm values are being emptied and the only available variables contain MD5 hashes.

kh99
09-02-2014, 01:31 PM
Make sure the password is not encrypted using JavaScript when sending the form. If so, there isn't a PHP variable which contains the plain text password. You would have to edit the template and remove something like onsubmit="md5(...password)...."

That's true, but there are ways to turn it off without editing the javascript. You can define the constant DISABLE_PASSWORD_CLEARING (maybe in config.php) to turn off the feature entirely. If you only want to turn it off for password changes, you can set the variable $show['nopasswordempty'] to 1, maybe at the hook parse_templates, like:
if (THIS_SCRIPT == 'profile')
{
    $show['nopasswordempty'] = 1;
}

Scanu
09-02-2014, 01:33 PM
Then there are 2 possibilities:
Edit the 3rd party application to use the md5 password, or

Remove the md5 JavaScript function in the template (Update) or use Kevin's way above
and do something like this in PHP:

$plainpass = $vbulletin->GPC['newpassword'];
$vbulletin->GPC['newpassword'] = md5($plainpass);

Paul M
09-02-2014, 11:48 PM
I hope you are using https on your site, otherwise you are transmitting plaintext passwords over the internet, generally not a good idea.

Scanu
09-03-2014, 08:49 AM
I hope you are using https on your site, otherwise you are transmitting plaintext passwords over the internet, generally not a good idea.

As far as I know, even if you send an md5-hashed password over an http connection, a hacker could intercept it and remove the JavaScript md5 function on the client side (with Chrome it's really easy). This way the md5 password will be directly sent to the server and the hacker would gain access, so there's no big difference, but yeah, it's still better to not send plain text passwords.
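
Added example, not part of the thread and not vBulletin's own code: a stand-alone PHP script of the flow described above, copying the password at profile_updatepassword_start, using it only at profile_updatepassword_complete, and skipping the sync when password clearing left the field empty. Assumptions: $gpc stands in for $vbulletin->GPC, the function names are hypothetical, the newpassword_md5 key is an assumed field name, and the third-party application is assumed to accept a bcrypt hash.

```php
<?php
// Added illustration. $gpc is a constructed stand-in for $vbulletin->GPC;
// the two functions stand in for plugin code at the two hooks named in the thread.

// Would run at profile_updatepassword_start: take a copy of the submitted password.
function capture_new_password(array $gpc): ?string
{
    $plain = $gpc['newpassword'] ?? '';
    // With password clearing active the form field arrives empty and only
    // MD5 values are posted, so there is nothing usable to capture.
    if ($plain === '') {
        return null;
    }
    return $plain;
}

// Would run at profile_updatepassword_complete: the forum has accepted the
// change, so derive the third-party hash and drop the plaintext.
function sync_third_party(?string &$plain, callable $store): bool
{
    if ($plain === null) {
        return false;            // nothing captured, leave the other system alone
    }
    // Assumption: the third-party application accepts a bcrypt hash.
    $hash  = password_hash($plain, PASSWORD_BCRYPT);
    $plain = null;               // do not keep or log the plaintext
    $store($hash);
    return true;
}

// Constructed sample requests: one with the field cleared, one with it kept.
$cleared = ['newpassword' => '', 'newpassword_md5' => md5('correct horse')];
$kept    = ['newpassword' => 'correct horse'];

foreach (['cleared' => $cleared, 'kept' => $kept] as $label => $gpc) {
    $stored = null;
    $plain  = capture_new_password($gpc);
    $ok     = sync_third_party($plain, function (string $h) use (&$stored) {
        $stored = $h;            // stand-in for the third-party update call
    });
    $verify = $stored !== null && password_verify('correct horse', $stored);
    printf("%-8s synced=%s verify=%s\n", $label, $ok ? 'yes' : 'no',
        $stored === null ? 'n/a' : ($verify ? 'yes' : 'no'));
}
```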