vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Password encryption method (https://vborg.vbsupport.ru/showthread.php?t=71482)

Nakor 11-08-2004 09:04 AM
Password encryption method
 
Hey I've recently been trying to code my own user registration/login system for my site that will work alongside VB but I cannot for the life of me work out the EXACT method VB uses for encryption when setting/reading their set password cookie. I know they use an md5 mix of the persons password and that randomly generated key in their user row but aside from that i cannot work out the specifics. Could someone help me out with the EXACT encryption method they use in the form of an example?

Thanks SO much in advace =)

Andreas 11-08-2004 09:19 AM
md5(md5(md5(password) . 'salt')) . 'LicenseNo')

Nakor 11-08-2004 09:31 AM
Really? Didn't realise it used my license number in there, lemme try =)

Nakor 11-08-2004 09:33 AM
Didnt work you have an extra ) in there somewhere?

Nakor 11-08-2004 09:34 AM
echo md5(md5(md5($row['password']) . $row['salt']) . 'custid');
echo md5(md5(md5($row['password'] . $row['salt'])) . 'custid');
Tried both of those and neither match the cookie =(

Andreas 11-08-2004 09:40 AM
I guess $row['password'] is the value of column password in table user?
This ia already md5(md5('password') . 'salt')

And it is not CustID but LicenseNo (found at the top of each PHP file).

Nakor 11-08-2004 09:41 AM
Cheers, lemme try.

Nakor 11-08-2004 09:43 AM
ok I tried it like this:
echo md5($row['password'] . 'LicenseID');
Yet it still doesnt match =(
Also I confirmed that this is definately my license ID and not my customer ID.

Nakor 11-08-2004 09:44 AM
and yep $row['password'] is the password field from the database.

Andreas 11-08-2004 10:26 AM
Hmm, does work for me

Marco van Herwaarden 11-08-2004 10:56 AM
Quote:
Originally Posted by Nakor
and yep $row['password'] is the password field from the database.
The password stored in teh database already is a md5 hash. You can not calculate back teh password from it if this is what you're trying.

Like Kirby said, you can with that formula calculate the hash of a userinputed password to compaire to the (hashed) password stored in the database, to see if it matches.

Link14716 11-08-2004 12:14 PM
Quote:
Originally Posted by MarcoH64
The password stored in teh database already is a md5 hash. You can not calculate back teh password from it if this is what you're trying.

Like Kirby said, you can with that formula calculate the hash of a userinputed password to compaire to the (hashed) password stored in the database, to see if it matches.
He's trying to match to cookie value, with is hashed again with the license number.

Marco van Herwaarden 11-08-2004 12:20 PM
Quote:
Originally Posted by Link14716
He's trying to match to cookie value, with is hashed again with the license number.
Yes that's what he try to do, but if i read back his last 2 posts:
Quote:
ok I tried it like this:
echo md5($row['password'] . 'LicenseID');
Yet it still doesnt match =(
Also I confirmed that this is definately my license ID and not my customer ID.
And
Quote:
and yep $row['password'] is the password field from the database.
It looks like he is trying the md5 on the pass stored in the database.

Oops re-read the whole thing again, and i think i made a mistake here. You're probably right that he already understood it correct.

Nakor 11-08-2004 07:31 PM
Nah I can't get it heh, I'm full on trying all combinations of the password and my license ID but I doesn't salt go in there somewhere? And yeah I'm trying to compare the set cookie with the persons password to see if they REALLY are logged in.

Link14716 11-08-2004 08:26 PM
As said, the password stored in the database is md5(md5(password) . salt).
The password stored in cookies is md5(md5(md5(password) . salt) . licensenumber).

Paul M 11-08-2004 09:21 PM
Sorry to go slightly off topic, but what is the "salt" bit ?

Zachery 11-08-2004 09:35 PM
Quote:
Originally Posted by Paul M
Sorry to go slightly off topic, but what is the "salt" bit ?
Its a random blurb of 3-4 characters generated when someone registereds to further remove the ability of bruteforcing passwords :)

Nakor 11-08-2004 10:08 PM
Ok got it working, thanks heaps for the help =)

the drifter 12-03-2004 07:15 AM
Quote:
Originally Posted by Nakor
Ok got it working, thanks heaps for the help =)
how did you get it working i am trying to do the same

GreeceMonkey 12-06-2004 10:33 AM
Hello people,
can somebody help me with my SQL. I have the same problems as above, and still cant get it working.

Here is mySQL syntax

SELECT MD5(CONCAT(MD5("6536e4053b7eb3375d3ef92acceab8e2") , "Lxxxxxxx"));
the hash above is the one found in my password column in the user table

I took the licence number out of the post, but it is the L number at the top of all my PHP pages, however I cant get this to match the cookie value for the userpassword.

Can any body help ?

Graham

Aceman 12-22-2004 03:22 PM
This code might help you:

Code:
/* password correct? */
        $query = "SELECT salt, password FROM user WHERE username='$username'";
        $result = mysql_query($query) or die("The information you entered does not match our records.");
        $row=mysql_fetch_array($result);

        $dbpassword = $row['password'];
        $salt = $row['salt'];       

        if ($dbpassword == md5(md5($password). $salt)) {
                print "Password correct<br><br>";
        }
        else {
                die("password not correct!");
        }

SupaJ 10-16-2005 11:14 PM
Hi. Been having problems also:

<cfset hash1 = "#hash('lakisic1')# . salt">
<cfset hash2 = "#hash(hash1)# . ******">
<cfoutput>#hash(hash2)#</cfoutput>

That's what I tried. Any other ideas?

Andreas 10-16-2005 11:36 PM
Quote:
Originally Posted by SupaJ
Hi. Been having problems also:

<cfset hash1 = "#hash('lakisic1')# . salt">
<cfset hash2 = "#hash(hash1)# . ******">
<cfoutput>#hash(hash2)#</cfoutput>

That's what I tried. Any other ideas?
Looks like Greek to me.
Sorry, I am not familiar with ColdFusion syntax so I can't help you there.


All times are GMT. The time now is 03:57 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01074 seconds
  • Memory Usage 1,763KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_code_printable
  • (8)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (23)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete