|
Being an old-fashioned sysadmin, I feel better in the mornings if I cannot view my user's passwords. :D
After installing vBulletin, I was disturbed to find that passwords were stored in cleartext. So, I made a couple of modifications, to ensure that only MD5 encrypted passwords were stored in the database. I didn't think much of it at the time, I was sure someone had released a hack already. When browsing the VB forums, however, I found that a lot of people wanted a solution like mine. The main issue of concern seemed to be "But now the lost-password function won't work!" I put in place a random, "pronounceable password generator" I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database. I chose MD5 because I'm fond of the concept of "one-way" encryption. Now, no admin can see a member's password. :-) Enjoy! (Instructions, and a database-update script are included in the .zip file at http://www.coffeeintherain.com/scripts/md5_hack.zip ) |
Though I have not installed it yet, just looking through the code and the installation instructions, it appears to be very well done!
You are a class act CoffeeMugDude. Thank you! -t |
Oops, I thought I had posted this in the VB2 hacks forum :D
BTW, thanks thewitt! |
Hi there,
yes, looks really clean & nice - very impressive! Will install it asap the next days, Thanks a bunch! :) -Tom |
Little mistake?
The changes in admin/session.php line 109 must be changed in your instructions.htm. Then it's working fine for me. |
Quote:
Although I find it very helpful at times when dealing with the users to have their password visible for certain situations. Like testing their account as them etc. |
Another one.
In member.php the whole "start update password" routine isn't handled. Find Code:
// validate old passwordCode:
// validate old passwordCode:
$DB_site->query("UPDATE user SET password='".addslashes($newpassword)."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'");Code:
$DB_site->query("UPDATE user SET password='".addslashes(md5($newpassword))."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'"); |
ok first thanks for this hack, it totally rocks, and should be in vbulletin as a default feature, not hack...
i got it working now (i hope) but it took some screwing around... so i'm just putting what i did here so others can do the same: 1) do not edit the file sessions.php until AFTER you have run the update password script - you won't be able to log in to run the script if you do... 2) the file encrypt_all_passwords.php is messed up and will crash - search for "$DB_site_new" and replace with "$DB_site" before you run it... 3) the 2nd step of modifying admin/sessions.php is backwards - search for the 2nd part, and replace with the first! 4) the very last editing step says search for something and there is a '{' at the end... it shouldn't be there!! 5) ignore all line numbers - they refer to vbb 2.0.1! 6) do what Pogo says right above my post... he probably knows what he's talking about :) (but why didn't he complain about the encrypt_all_passwords.php file?) now im gonna go see if my forum works still... i'll be back to whine and complain if it doesn't... :D |
btw this hack seems better than the other encrypting one - i don't see why i would want to give ppl the choice of having their password in plaintext...
|
hmm
i made some more mistakes... don't do this: when doing the first edit, don't take the first search match - you want to take the one at about line 115, in the "email a lost password" section (or whatever it is) and its still not working 100% so i'll edit this later with more info |
| All times are GMT. The time now is 12:35 AM. |
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
| X vBulletin 3.8.12 by vBS Debug Information | |
|---|---|
|
|
 More Information |
|
|
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|