vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   How are passwords stored? (https://vborg.vbsupport.ru/showthread.php?t=116500)

chaudruc 05-23-2006 09:18 PM
How are passwords stored?
 
Hi, I am trying to add a user directly into the 'user' table - not using the vBulletin interface and need to know how the password is stored... I have tried to INSERT it as md5($password) but that will not validate... is there some other twist that vBulletin does before it stores the passwords using the GUI... ?

Thanks for any help.

Chris Chaudruc

peterska2 05-23-2006 09:30 PM
It double MD5's it and also adds salt (a random key per user per forum).

The best way to manually add a user is via the ACP as you can then add the user details in plain text and then vB does all the encryption for you.

chaudruc 05-23-2006 09:46 PM
Hi, thanks for your reply... I cannot use the ACP in this instance

So would I do this... to enter the password properly in the db.

md5(md5($salt.$password)) ?

Is it somewhere in the code? I have been all through register.php and cannot find how the password is treated before it is stored... any idea where I Could look?

Thanks for your help

Reeve of shinra 05-24-2006 01:03 AM
Passwords are: md5(md5('PlaintextPassword'), salt)

Try looking at includes/class_dm_user.php ... the datamanager will also do the work for you.

Ntfu2 05-24-2006 01:09 AM
check in the includes folder, class_dm_user.php there is alot in there around line 69x to like 8xx ?

Quote:
Originally Posted by Maybe this is it
Code:
        // #############################################################################
        // password related

        /**
        * Converts a PLAIN TEXT (or valid md5 hash) password into a hashed password
        *
        * @param        string        The plain text password to be converted
        *
        * @return        boolean
        */
        function verify_password(&$password)
        {
                if (!($salt = $this->fetch_field('salt')))
                {
                        $this->user['salt'] = $salt = $this->fetch_user_salt();
                }

                // generate the password
                $password = $this->hash_password($password, $salt);

                $this->set('passworddate', 'FROM_UNIXTIME(' . TIMENOW . ')', false);

                return true;
        }

        /**
        * Verifies that the user salt is valid
        *
        * @param        string        The salt string
        *
        * @return        boolean
        */
        function verify_salt(&$salt)
        {
                $this->error('::You may not set salt manually.::');
                return false;
        }

        /**
        * Takes a plain text or singly-md5'd password and returns the hashed version for storage in the database
        *
        * @param        string        Plain text or singly-md5'd password
        *
        * @return        string        Hashed password
        */
        function hash_password($password, $salt)
        {
                // if the password is not already an md5, md5 it now
                if ($password == '')
                {
                }
                else if (!$this->verify_md5($password))
                {
                        $password = md5($password);
                }

                // hash the md5'd password with the salt
                return md5($password . $salt);
        }

        /**
        * Generates a new user salt string
        *
        * @param        integer        (Optional) the length of the salt string to generate
        *
        * @return        string
        */
        function fetch_user_salt($length = SALT_LENGTH)
        {
                $salt = '';

                for ($i = 0; $i < $length; $i++)
                {
                        $salt .= chr(rand(32, 126));
                }

                return $salt;
        }

        /**
        * Checks to see if a password is in the user's password history
        *
        * @param        integer        User ID
        * @param        integer        History time ($permissions['passwordhistory'])
        *
        * @return        boolean        Returns true if password is in the history
        */
        function check_password_history($password, $historylength)
        {
                // delete old password history
                $this->dbobject->query_write("
                        DELETE FROM " . TABLE_PREFIX . "passwordhistory
                        WHERE userid = " . $this->existing['userid'] . "
                        AND passworddate <= FROM_UNIXTIME(" . (TIMENOW - $historylength * 86400) . ")
                ");

                // check to see if the password is invalid due to previous use
                if ($historylength AND $historycheck = $this->dbobject->query_first("
                        SELECT UNIX_TIMESTAMP(passworddate) AS passworddate
                        FROM " . TABLE_PREFIX . "passwordhistory
                        WHERE userid = " . $this->existing['userid'] . "
                        AND password = '" . $this->dbobject->escape_string($password) . "'"))
                {
                        return true;
                }
                else
                {
                        return false;
                }
        }
Edit* someone beat me to it while i was searching for this :D


All times are GMT. The time now is 06:19 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01010 seconds
  • Memory Usage 1,745KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_code_printable
  • (1)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (5)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete