MD5 Encrypted Passwords (https://vborg.vbsupport.ru/showthread.php?t=23957)

CoffeeMugDude 07-28-2001 10:00 PM

Being an old-fashioned sysadmin, I feel better in the mornings if I cannot view my users' passwords. :D

After installing vBulletin, I was disturbed to find that passwords were stored in cleartext. So, I made a couple of modifications, to ensure that only MD5 encrypted passwords were stored in the database.

I didn't think much of it at the time; I was sure someone had released a hack already. When browsing the VB forums, however, I found that a lot of people wanted a solution like mine.

The main issue of concern seemed to be "But now the lost-password function won't work!"

I put in place a random, "pronounceable password generator" I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database.

I chose MD5 because I'm fond of the concept of "one-way" encryption.

Now, no admin can see a member's password. :-)

Enjoy!

(Instructions, and a database-update script, are included in the .zip file at http://www.coffeeintherain.com/scripts/md5_hack.zip )

thewitt 07-29-2001 04:51 PM

Though I have not installed it yet, just looking through the code and the installation instructions, it appears to be very well done!

You are a class act CoffeeMugDude.

Thank you!

-t

CoffeeMugDude 07-29-2001 05:24 PM

Oops, I thought I had posted this in the VB2 hacks forum :D

BTW, thanks thewitt!

ThomasP 07-29-2001 05:58 PM

Hi there,

yes, looks really clean & nice - very impressive!
Will install it asap the next days,

Thanks a bunch! :)
-Tom

pogo 08-02-2001 10:10 AM

Little mistake?

The changes in admin/session.php line 109 must be changed in your instructions.htm.

Then it's working fine for me.

VirtueTech 08-02-2001 10:14 AM

Quote:

Written by CoffeeMugDude
I put in place a random, "pronounceable password generator" I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database.

After reading through your first sentences this was my first worry....And you nailed it....this sounds awesome!

Although I find it very helpful at times when dealing with the users to have their password visible for certain situations. Like testing their account as them etc.

pogo 08-02-2001 11:57 AM

Another one.

In member.php the whole "start update password" routine isn't handled.

Find
Code:

// validate old password
  if ($currentpassword!=$bbuserinfo[password]) {

and replace it with
Code:

// validate old password
  if (md5($currentpassword)!=$bbuserinfo[password]) {

Then find
Code:

$DB_site->query("UPDATE user SET password='".addslashes($newpassword)."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'");

and replace it with
Code:

$DB_site->query("UPDATE user SET password='".addslashes(md5($newpassword))."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'");
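
An added example, not part of the thread or of the md5_hack.zip package: a login check for a user table that this hack has already converted to unsalted MD5. It compares the legacy value with a strict, constant-time string comparison and, going beyond what the thread does, swaps it for a salted password_hash() value on the next successful login. The function names and the sample row are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration; function names and the sample row are constructed.

// True when the stored value looks like the 32-hex-digit MD5 the hack writes.
function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

// Check a submitted password against the stored value.
// Returns [bool $ok, ?string $replacement]; $replacement is a new hash to
// write back when the row still holds a legacy MD5 or outdated parameters.
function check_password(string $submitted, string $stored): array
{
    if (is_legacy_md5($stored)) {
        // hash_equals() compares as strings in constant time; the loose
        // != / == operators treat two numeric-looking strings as numbers.
        if (!hash_equals($stored, md5($submitted))) {
            return [false, null];
        }
        return [true, password_hash($submitted, PASSWORD_DEFAULT)];
    }
    if (!password_verify($submitted, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($submitted, PASSWORD_DEFAULT) : null;
    return [true, $new];
}

// Lost-password flow from the first post: generate a fresh random password,
// mail the cleartext once, store only its hash (CSPRNG, not "pronounceable").
function reset_password(int $length = 16): array
{
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $plain = '';
    for ($i = 0; $i < $length; $i++) {
        $plain .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return [$plain, password_hash($plain, PASSWORD_DEFAULT)];
}

// Constructed sample row, as left behind by the thread's MD5 conversion.
$row = ['userid' => 1, 'password' => md5('correct horse')];
[$ok, $upgrade] = check_password('correct horse', $row['password']);
if ($ok && $upgrade !== null) {
    $row['password'] = $upgrade;   // in a real forum: UPDATE user SET password=...
}
var_dump($ok, is_legacy_md5($row['password']));
```

The password column must be wide enough for the longer password_hash() output before any upgraded value is written back.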

creamy 08-17-2001 08:34 AM

ok first thanks for this hack, it totally rocks, and should be in vbulletin as a default feature, not hack...
i got it working now (i hope) but it took some screwing around... so i'm just putting what i did here so others can do the same:

1) do not edit the file sessions.php until AFTER you have run the update password script - you won't be able to log in to run the script if you do...

2) the file encrypt_all_passwords.php is messed up and will crash - search for "$DB_site_new" and replace with "$DB_site" before you run it...

3) the 2nd step of modifying admin/sessions.php is backwards - search for the 2nd part, and replace with the first!

4) the very last editing step says search for something and there is a '{' at the end... it shouldn't be there!!

5) ignore all line numbers - they refer to vbb 2.0.1!

6) do what Pogo says right above my post... he probably knows what he's talking about :) (but why didn't he complain about the encrypt_all_passwords.php file?)

now i'm gonna go see if my forum works still... i'll be back to whine and complain if it doesn't... :D

creamy 08-17-2001 08:38 AM

btw this hack seems better than the other encrypting one - i don't see why i would want to give ppl the choice of having their password in plaintext...

creamy 08-17-2001 08:54 AM

hmm
i made some more mistakes... don't do this:

when doing the first edit, don't take the first search match - you want to take the one at about line 115, in the "email a lost password" section (or whatever it is)

and it's still not working 100% so i'll edit this later with more info

