Trying to Understand SALT and the New Password system
 

Okay I'm trying to integrate vBulletin with another php app right now and it uses a traditional MD5 hash.

But I'm really confused on what's going on here because I see evidence of double MD5 and single MD5 with salts.

Could someone explain to me what's going on and what's happened? I understand the general concept of salt and that's to randomize the password even further.

Any information would be nice... (and some directions on pointing me to the right direction would be nice as well :) )

hmm, the easy way to explain:

$password -> the real password
md5($password) -> password in vb2
md5(md5($password) . 'licensenr') -> password in vb3

this is to make all hashe differ on different boards, so even if the real password is identical, the hashes on two different boards aren't

so if I just took this..

it would give me the exact same MD5 hash as in vB2.x?

nope, $_POST['password_md5'] is already md5'ed (AFAIK) and therefore it already contains the vb2 pw hash

How confident are you that $_POST['password_md5'] is already MD5ed?

i'm 99% sure as the _md5 tells me, it is alreay md5ed ;)

but as the md5ed value is done per JS, you might think of those user which doesn't have JS enabled

I'm trying to make sure these are the variables I think they are...

In profile.php,

is:

$currentpassword_md5
$newpassword_md5

the equalvent of text md5 hashed already too??

yes, _md5 means it has been md5ed one times :)

Thanks for taking the time out of your schedule to answer my questions Stefan :D

In vB 2.0.x and below, passwords were stored as $password.

In vB 2.2.0 through 2.3.4, passwords were stored as md5($password).

In vB3, passwords are stored two sperate ways. In the database, passwords are store as md5(md5($password) . $salt)) In cookies, I believe they are stored as md5(md5(md5($password) . $salt) . $licensenumber))), although I'm not quite sure on that.

hmm, i think just the administrators have a special salt as well.
At least the upgradescript said something about salting administrators passwords.

Truly a bit confusing, we might sum up such things in a modification tutorial ^^

I am trying to write a script for my site that is integrated with VB3. I, however, can not get a user logged into my main page using the VB3 cookie. If the above quote is correct, then the following code should work:

$userPassword = md5(mysql_result($result, 0, "password")."#####");

The ##### is my license number. Providing my license number is correct (which it is.), the login should work. This code, however, returns a totally different hash than what is stored in the cookie. Is there an error in my code, or is the above quote incorrect?

There's a new field in the table 'user' named 'salt'.

I solved it like this:

//Query:
SELECT password,salt FROM user WHERE username = '".$username."'

Login is correct if

$password = md5(md5($Input_PW_from_User) . $SALT_Value_from_Table_User)

OK... im still getting two different hashes. What you are saying is i should apply the code you provided to the hash in the cookie?

OK... so I tried this (minus some obvious stuff, but you should get the point):

$bbuserid = $HTTP_COOKIE_VARS["bbuserid"];
$bbpassword = $HTTP_COOKIE_VARS["bbpassword"];

$query = "SELECT password, salt FROM user WHERE userid = '$bbuserid'";
$result = mysql_query($query, $connection);

$salt = mysql_result($result, 0, "salt");
$password = mysql_result($result, 0, "password");

$bbpassword = md5(md5($bbpassword).$salt);

But this still doesn't work... $password (from the db) and $bbpassword (from the cookie) still do not match. I even tried switching it around and applying what you have told me to the hash in the DB, but still no luck.

It seems VB has made their product more secure, must much less customizable since no one at VB will answer this question. It may just be time to switch to different software.

The password stored in the cookie is already crypted.

In your code "$bbpassword" must be equal to "md5(md5($password.$salt))".

As I said I tried it to both passwords but I had the salt only in the 2nd hash of the operation... "md5(md5($password).$salt)". But even after I fixed it... meaning I did not rehash the cookie password, and applied what you have said to the db password, it still doesn't work! Heres the script I'm using just to see if i can get the hashes to match:

I did this so I can actually see whats going on.... I am getting the correct salt out of the dB, but the hashes still do not match.

Also... I appreciate the help very much... I've been waiting for an answer for a while here... my whole site is shut down and I'm losing valuable traffic everyday. Thank you very much.

Hi,

I'm not sure if it helps but I've been trying to do something similar but instead of pulling from a cookie I was checking the password from a form field. It took a long time to work out but the actual code I needed was:

$bbpassword = md5(md5($bbpassword).$salt); - Note where the brackets are.

Thats what I'm working on now... I've given up on getting an answer from anyone at VB, and I've lost too much traffic. I'll tell you this is the last time I'm using VB...

Thanks for the info!