[SMF] Imported User Password Hack


muf
09-29-2005, 10:00 PM
Resource : [SMF] Imported User Password Hack
Type : Source Code Modification
Version : 0.1
Author : mf @ http://www.videngineering.net

Description : After SMF import, no need to reset password!

vBulletin impex hashes all imported passwords with salt; md5(old_password . salt). For most forums, that means md5(md5(password) . salt). For SMF, however, that means md5(md5_hmac(password, username) . salt). Since vB login checks for md5(md5(password) . salt), that means an imported SMF user will have to have his/her password reset. That, or you install this little hack.

Tested : Yes, tested on 3.5.0 Stable (will not work on vB 2.x or 3.0.x)

Screenshot : None, obviously

Notes : My first hack :speechless:

Floris
09-30-2005, 06:40 PM
Good stuff! Glad I could help you a bit and so cool that you worked it out how to do this. [Installed]

Reeve of shinra
09-30-2005, 06:55 PM
Pretty cool, and grats as well for this being your first hack. I am sure this will be inspiration for other password hacks too.

This gave me an idea though... maybe upon importing, add all users to a secondary usergroup and have the plugin system redirect to a page where the user can enter their old password and have it changed to the new vB hash format, and then it takes them out of that secondary usergroup.

Floris
09-30-2005, 07:19 PM
Pretty cool, and grats as well for this being your first hack. I am sure this will be inspiration for other password hacks too.

This gave me an idea though... maybe upon importing, add all users to a secondary usergroup and have the plugin system redirect to a page where the user can enter their old password and have it changed to the new vB hash format, and then it takes them out of that secondary usergroup.

Nice idea there Reeve, perhaps make that suggestion on vbcom/suggestion forum ;)

muf
09-30-2005, 08:12 PM
Pretty cool, and grats as well for this being your first hack. I am sure this will be inspiration for other password hacks too.
Thanks! I might be posting other hacks in the future as I stumble upon needs that stock vBulletin lacks.

This gave me an idea though... maybe upon importing, add all users to a secondary usergroup and have the plugin system redirect to a page where the user can enter their old password and have it changed to the new vB hash format, and then it takes them out of that secondary usergroup.
That wouldn't be needed, since the old passwords *ARE* stored in vB's new secure format. They're just as secure if not more secure (HMAC hashes data with a key, MD5 only hashes data), so while you have the hack installed, there is no reason to change password.

Reeve of shinra
09-30-2005, 08:15 PM
Posted it up there... maybe the plugin can take the password entered, verify it against the old hash, then update the field with the new vB hash and take them out of the 2nd group. Then it becomes completely invisible to the end user.

Reeve of shinra
09-30-2005, 08:17 PM
That wouldn't be needed, since the old passwords *ARE* stored in vB's new secure format. They're just as secure if not more secure (HMAC hashes data with a key, MD5 only hashes data), so while you have the hack installed, there is no reason to change password.

I agree, I'm just thinking aloud from the perspective of trying to eliminate the need for a hack, so people can throw up the default files and not have to worry about editing files.

Floris
09-30-2005, 08:24 PM
For reference: http://www.vbulletin.com/forum/showthread.php?t=156593

Lea Verou
10-02-2005, 04:38 PM
I just WISH there was something like this when I imported SMF...
I lost a bunch of active members because of the reset... :(

San
10-04-2005, 09:07 AM
I have installed this modification correctly in 3.5 stable but it does not work :(

why?

Floris
10-04-2005, 10:23 AM
I just WISH there was something like this when I imported SMF...
I lost a bunch of active members because of the reset... :(

Sorry, the 'turn back time' plugin for 3.5 isn't made yet. (50% done)

Floris
10-04-2005, 10:24 AM
I have installed this modification correctly in 3.5 stable but it does not work :(

why?

We have of course NO clue.

What exactly does not work, can't they login? Do you get an error - more information is as usual 'very handy'.

San
10-04-2005, 10:50 AM
We have of course NO clue.

What exactly does not work, can't they login? Do you get an error - more information is as usual 'very handy'.

You have entered an invalid username or password. Please press the back button, enter the correct details and try again. Don't forget that the password is case sensitive. Forgotten your password? Click here!

You have used 1 out of 5 login attempts. After all 5 have been used, you will be unable to login for 15 minutes.

I do not get any code error; the forum simply does not recognize the SMF imported passwords :(

DianaBlu
10-05-2005, 10:33 AM
Hello ;)
Same problem, as described above...
I did the SMF import, installed (correctly) the required hack, but passwords are not recognized and I do not get any specific error... :o
Any suggestion/fix available?

Thanks, have a good day

muf
10-26-2005, 05:19 PM
I am extremely sorry, but I cannot seem to reproduce your issues. I just went through all the steps on my newly upgraded 3.5.0 stable vBulletin, and I can successfully login SMF users. The only thing I can think of is your SMF forum might have been imported incorrectly.

Krisekocm
11-18-2005, 03:12 PM
3.5.1

not working :)

thx any way

mox-
11-21-2005, 12:25 AM
I recently purchased vbulletin and I was a bit disappointed that my users would have to reset their passwords to login to the "new" forum

I'm really happy with this hack.. I just tried it and it's working perfectly !

I just upgraded from SMF 1.0.5 to vBulletin 3.5.1

THANK YOU SOOO MUCH !

Jerry
11-21-2005, 04:19 PM
vBulletin impex hashes all imported passwords with salt; md5(old_password . salt).

That is wrong. ImpEx will only hash passwords that way if they are already md5(); if they are plain text then it goes md5(md5($password) . salt). So it depends on the source system; SMF can't be imported by default.

ImpEx's primary goal is to protect the database, not to force in passwords that break the schema and code and can be easily reset.

I explain how easy it is to reset the passwords here :

http://www.vbulletin.com/docs/html/impex_passwords

Also making users update passwords is more secure as people rarely rotate them.

muf
11-28-2005, 01:39 PM
That is wrong. ImpEx will only hash passwords that way if they are already md5(); if they are plain text then it goes md5(md5($password) . salt). So it depends on the source system; SMF can't be imported by default.
That would seem logical, however I did not know/expect that there actually are versions of forum software that store the password in plaintext. And SMF can most certainly be imported by default, I've used impex to convert from SMF 1.0 -> vB 3.0.8, and then used the upgrade system to go from vB 3.0.8 to 3.5 (first RC2, then Gold).
Also making users update passwords is more secure as people rarely rotate them.
I'm sorry, but that is nonsense. md5(md5(password) . salt) is just as secure as md5(md5_hmac(password, username) . salt). Algorithmically there is nothing less secure about HMAC than MD5, HMAC is arguably more secure because it uses a more complex algorithm. I know compatibility-wise resetting passwords is the recommended action from Jelsoft, but at least stick with the truth and don't say it's "more secure", because it isn't. If you ask users to reset their passwords 99.9% will reset it to their old password, so the only difference will be the way it is stored in the database.

Floris
11-28-2005, 01:47 PM
That would seem logical, however I did not know/expect that there actually are versions of forum software that store the password in plaintext. And SMF can most certainly be imported by default, I've used impex to convert from SMF 1.0 -> vB 3.0.8, and then used the upgrade system to go from vB 3.0.8 to 3.5 (first RC2, then Gold).

I'm sorry, but that is nonsense. md5(md5(password) . salt) is just as secure as md5(md5_hmac(password, username) . salt). Algorithmically there is nothing less secure about HMAC than MD5, HMAC is arguably more secure because it uses a more complex algorithm. I know compatibility-wise resetting passwords is the recommended action from Jelsoft, but at least stick with the truth and don't say it's "more secure", because it isn't. If you ask users to reset their passwords 99.9% will reset it to their old password, so the only difference will be the way it is stored in the database.

He means it doesn't hurt to have users change their password anyway, despite the layer of security, passwords should be rotated more frequently to avoid abuse.

muf
11-28-2005, 01:57 PM
He means it doesn't hurt to have users change their password anyway, despite the layer of security, passwords should be rotated more frequently to avoid abuse.
And that is why I said that if you do not require the password to be different (rotated) from the original password, users will simply use the original password. Also, security experts are returning from the old notion that frequent password rotation is secure; many companies have practically experienced that password rotation simply means users will start using weaker and weaker passwords, and when they are forced to use strong passwords, they will write it down on post-it notes and such in order to keep themselves from forgetting it. It is better to let users come up with one good password, stick with it, and let nobody intercept it, than it is to keep changing passwords until the whole meaning of the word password is lost. That said, the number of passwords I use (strong as well as weak) can be counted on one hand. But then again, I don't rely on passwords for most of my security.

Parham
02-04-2006, 05:44 PM
Thanks For This Great Modification ! [ Installed ! ]

DeMiNe0
02-15-2006, 06:39 AM
this doesn't work on 3.5.3

envoys
03-02-2006, 10:46 PM
Did not work for me on 3.5.4... :( 40,000 users have to reset passwords now.

bouncybounce
04-01-2006, 05:04 AM
I downloaded version 3.5.0 and tried this with a fresh install and it didn't work.

The import went OK, but users cannot insert their old password. I did notice that some of the code that the author of this mod mentioned is actually slightly different in the version 3.5.0 that I downloaded. Perhaps some settings have been changed since the author originally wrote this mod?

Anyway, it doesn't work anymore. Shame. :tired:

muf
04-08-2006, 10:34 AM
I downloaded version 3.5.0 and tried this with a fresh install and it didn't work.

The import went OK, but users cannot insert their old password. I did notice that some of the code that the author of this mod mentioned is actually slightly different in the version 3.5.0 that I downloaded. Perhaps some settings have been changed since the author originally wrote this mod?

Anyway, it doesn't work anymore. Shame. :tired:
I'll post an updated version once I upgrade to the latest 3.5.x. The strange thing still is I have the thing running on my 3.5.0 (installed as per my own instructions), and it just works. So unless anyone could pass me any type of usable debug info I won't be able to make it magically work for everyone else. A possibility is also that the impex password hashing has changed (for whatever reason). To reproduce my SMF->vB import process (which I performed before direct SMF->vB3.5 imports were possible), first use ImpEx to go from SMF to vB 3.0.7, then use the upgrade feature to go from 3.0.x to 3.5.x. See if that helps. Other than that, big shame it isn't working guys! My sincere apologies but I have no idea as to the source of the problem. Maybe I'm just being a bit of a n00b :) (after all this *is* my first hack).

bouncybounce
04-11-2006, 05:13 AM
Hi

I actually found that a few of the lines in the vBulletin code were slightly different from the ones posted in your instructions. I wonder if there have been some slight amendments made even to the 3.5.0 version?

Either that or I got the instructions wrong, but I don't think so. I can't remember which template it was now, but it was towards the end of the process.

prophecydude
02-10-2007, 01:48 AM
So which version does this ACTUALLY work on? I am converting a SMF 1.1.1 forum to 3.6.4, and I need to know if this will work. I don't mind trying an older copy of vBulletin and upgrading afterwards.

cheesegrits
02-27-2008, 01:58 AM
I'm importing SMF 1.1.4 to vB 3.7b5, and it seems that SMF's password hashing has changed since this mod was released. It now uses sha1() instead of md5_hmac().

So I had a go at it, and got vB authentication working without having to edit any files (except one line in config.php). All it needs is:

1) In your ./includes/config.php, insert this line:

define('DISABLE_PASSWORD_CLEARING', 1);

NOTE - this forces vB to send a cleartext password from the browser to the server when you login. This is a potential security risk, albeit a very unlikely one to be exploited - if anyone has compromised your systems to the point that they can pick this information off the wire, you have bigger problems than exposing some passwords! But regardless, you should really treat this as a transitional hack, and give your users something like a month to change their passwords, before you disable this stuff.

2) Create a plugin on the 'login_failure_verify_password' hook, and paste this PHP into it:

if ($vbulletin->GPC['vb_login_password'])
{
    // Only available because DISABLE_PASSWORD_CLEARING is set in config.php:
    // the cleartext password reaches the server instead of only the md5.
    // ImpEx renames conflicting accounts to imported_<name>; SMF hashed with the original name.
    $hack_username = preg_replace('#^imported_#', '', $vbulletin->GPC['vb_login_username']);
    // SMF 1.1 password hash: sha1(strtolower(username) . password)
    $sha_passwd = sha1(strtolower($hack_username) . unhtmlspecialchars(stripslashes($vbulletin->GPC['vb_login_password'])));
    // What ImpEx stored: md5(smf_hash . salt)
    $vb_passwd = md5($sha_passwd . $vbulletin->userinfo['salt']);
    if ($vbulletin->userinfo['password'] == $vb_passwd)
    {
        // Match: clear the failure so the login proceeds
        unset($return_value);
    }
}

And that's it.

The way this works is, if the regular vB password verification fails (using the md5 version of the password, which will fail if they still have their impex'ed SMF password set), the plugin is called. Because we set DISABLE_PASSWORD_CLEARING in config.php, vB is now including the clear text password from the browser during login. So the plugin can take that cleartext password, and hash it using SMF's method, and see if that matches the stored hash. If it does, then they have a valid SMF style password.

Note that the code above also works for any usernames which have been changed from 'joeblow' to 'imported_joeblow' due to username conflicts on the ImpEx.

Although I'm using vB 3.7b5, I think this method should work for 3.6 as well. I have no idea which versions of SMF this will work for - all I know is, it works for the SMF v1.1.4 users I'm importing.

I may add automatic changing of the password to a native vB password the first time an SMF user logs in, and release this as a mod. But if not ... maybe the above will help someone out.

-- hugh
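To make the three storage layouts discussed in this thread concrete (the first post's md5(md5_hmac(password, username) . salt) for SMF 1.0 imports, hugh's sha1-based variant for SMF 1.1 imports, and native vB md5(md5(password) . salt)), here is an added Python example; it is not code from this thread, from vBulletin or from SMF. It assumes a constructed sample salt, that SMF 1.0 keyed HMAC-MD5 with the username exactly as stored (the thread does not say whether it was lowercased), and it strips the ImpEx `imported_` prefix before hashing, as hugh's plugin does.

```python
import hashlib
import hmac
import re

# Constructed sample salt; vBulletin stores a per-user salt beside the hash.
SAMPLE_SALT = "a1b2c"


def vb_wrap(inner_hex: str, salt: str) -> str:
    """Outer vBulletin layer: md5(inner_hash . salt), lowercase hex digest."""
    return hashlib.md5((inner_hex + salt).encode()).hexdigest()


def inner_vb_native(username: str, password: str) -> str:
    """Native vB inner hash: md5(password); the username plays no part."""
    return hashlib.md5(password.encode()).hexdigest()


def inner_smf10_hmac(username: str, password: str) -> str:
    """SMF 1.0 as the first post describes it: md5_hmac(password, username),
    i.e. HMAC-MD5 keyed with the username over the password (case assumed as stored)."""
    return hmac.new(username.encode(), password.encode(), hashlib.md5).hexdigest()


def inner_smf11_sha1(username: str, password: str) -> str:
    """SMF 1.1 as hugh's plugin computes it: sha1(strtolower(username) . password)."""
    return hashlib.sha1((username.lower() + password).encode()).hexdigest()


# Checked in this order: native first, so already-migrated users cost nothing extra.
SCHEMES = [
    ("vb_native", inner_vb_native),
    ("smf_1.0_hmac", inner_smf10_hmac),
    ("smf_1.1_sha1", inner_smf11_sha1),
]


def strip_import_prefix(login_name: str) -> str:
    """ImpEx renames conflicting accounts to imported_<name>; SMF hashed with the original."""
    return re.sub(r"^imported_", "", login_name)


def verify_login(login_name: str, password: str, stored_hash: str, salt: str):
    """Return the name of the scheme whose recomputed hash equals stored_hash, else None."""
    username = strip_import_prefix(login_name)
    for name, inner in SCHEMES:
        candidate = vb_wrap(inner(username, password), salt)
        if hmac.compare_digest(candidate, stored_hash):
            return name
    return None
```

The returned scheme name tells a login hook which users still carry an imported hash, which is the signal a transitional plugin needs to rehash them into the native format on their first successful login.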

Raptor
12-18-2009, 07:04 PM
Would this work for an Ikonboard 3.0 import, as I'm having the same issue with passwords? Thanks.

LuisManson
06-06-2010, 11:00 PM
The mod in the first post is not working :(
Anyone interested in updating?