Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 03-20-2004, 05:55 PM
ManagerJosh's Avatar
ManagerJosh ManagerJosh is offline
 
Join Date: Feb 2002
Posts: 348
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Trying to Understand SALT and the New Password system

Okay I'm trying to integrate vBulletin with another php app right now and it uses a traditional MD5 hash.

But I'm really confused on what's going on here because I see evidence of double MD5 and single MD5 with salts.

Could someone explain to me what's going on and what's happened? I understand the general concept of salt and that's to randomize the password even further.

Any information would be nice... (and some directions on pointing me to the right direction would be nice as well )
Reply With Quote
  #2  
Old 03-20-2004, 06:01 PM
Xenon's Avatar
Xenon Xenon is offline
 
Join Date: Oct 2001
Location: Bavaria
Posts: 12,878
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

hmm, the easy way to explain:

$password -> the real password
md5($password) -> password in vb2
md5(md5($password) . 'licensenr') -> password in vb3

this is to make all hashe differ on different boards, so even if the real password is identical, the hashes on two different boards aren't
Reply With Quote
  #3  
Old 03-20-2004, 06:10 PM
ManagerJosh's Avatar
ManagerJosh ManagerJosh is offline
 
Join Date: Feb 2002
Posts: 348
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Xenon
hmm, the easy way to explain:

$password -> the real password
md5($password) -> password in vb2
md5(md5($password) . 'licensenr') -> password in vb3

this is to make all hashe differ on different boards, so even if the real password is identical, the hashes on two different boards aren't
so if I just took this..

PHP Code:
$hashedpassword md5($_POST['password_md5']); 
it would give me the exact same MD5 hash as in vB2.x?
Reply With Quote
  #4  
Old 03-20-2004, 06:13 PM
Xenon's Avatar
Xenon Xenon is offline
 
Join Date: Oct 2001
Location: Bavaria
Posts: 12,878
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

nope, $_POST['password_md5'] is already md5'ed (AFAIK) and therefore it already contains the vb2 pw hash
Reply With Quote
  #5  
Old 03-20-2004, 06:26 PM
ManagerJosh's Avatar
ManagerJosh ManagerJosh is offline
 
Join Date: Feb 2002
Posts: 348
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Xenon
nope, $_POST['password_md5'] is already md5'ed (AFAIK) and therefore it already contains the vb2 pw hash
How confident are you that $_POST['password_md5'] is already MD5ed?
Reply With Quote
  #6  
Old 03-20-2004, 09:39 PM
Xenon's Avatar
Xenon Xenon is offline
 
Join Date: Oct 2001
Location: Bavaria
Posts: 12,878
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

i'm 99% sure as the _md5 tells me, it is alreay md5ed

but as the md5ed value is done per JS, you might think of those user which doesn't have JS enabled
Reply With Quote
  #7  
Old 03-20-2004, 10:04 PM
ManagerJosh's Avatar
ManagerJosh ManagerJosh is offline
 
Join Date: Feb 2002
Posts: 348
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I'm trying to make sure these are the variables I think they are...

In profile.php,

is:

$currentpassword_md5
$newpassword_md5

the equalvent of text md5 hashed already too??
Reply With Quote
  #8  
Old 03-20-2004, 10:12 PM
Xenon's Avatar
Xenon Xenon is offline
 
Join Date: Oct 2001
Location: Bavaria
Posts: 12,878
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

yes, _md5 means it has been md5ed one times
Reply With Quote
  #9  
Old 03-20-2004, 11:30 PM
ManagerJosh's Avatar
ManagerJosh ManagerJosh is offline
 
Join Date: Feb 2002
Posts: 348
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Xenon
yes, _md5 means it has been md5ed one times
Thanks for taking the time out of your schedule to answer my questions Stefan
Reply With Quote
  #10  
Old 03-20-2004, 11:39 PM
Link14716's Avatar
Link14716 Link14716 is offline
 
Join Date: Jun 2002
Location: Georgia, USA
Posts: 2,519
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by ManagerJosh
Thanks for taking the time out of your schedule to answer my questions Stefan
In vB 2.0.x and below, passwords were stored as $password.

In vB 2.2.0 through 2.3.4, passwords were stored as md5($password).

In vB3, passwords are stored two sperate ways. In the database, passwords are store as md5(md5($password) . $salt)) In cookies, I believe they are stored as md5(md5(md5($password) . $salt) . $licensenumber))), although I'm not quite sure on that.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:21 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.08116 seconds
  • Memory Usage 2,257KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_php
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete