Go Back   vb.org Archive > vBulletin Modifications > Archive > vB.org Archives > vBulletin 3.5 > vBulletin 3.5 Add-ons

Reply
 
Thread Tools
[SMF] Imported User Password Hack Details »»
[SMF] Imported User Password Hack
Version: 0.11, by muf muf is offline
Developer Last Online: Apr 2021 Show Printable Version Email this Page

Version: 3.5.0 Rating:
Released: 09-29-2005 Last Update: Never Installs: 12
Template Edits
Code Changes  
No support by the author.

Resource : [SMF] Imported User Password Hack
Type : Source Code Modification
Version : 0.1
Author : mf @ http://www.videngineering.net

Description : After SMF import, no need to reset password!

vBulletin impex hashes all imported passwords with salt; md5(old_password . salt). For most forums, that means md5(md5(password) . salt). For SMF, however, that means md5(md5_hmac(password, username) . salt). Since vB login checks for md5(md5(password) . salt), that means an imported SMF user will have to have his/her password reset. That, or you install this little hack.

Tested : Yes, tested on 3.5.0 Stable (will not work on vB 2.x or 3.0.x)

Screenshot : None, obviously

Notes : My first hack :speechless:

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #12  
Old 10-04-2005, 10:23 AM
Floris Floris is offline
 
Join Date: Jan 2002
Posts: 1,898
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Loukrhtia
I just WISH there was something like this when I imported SMF...
I lost a bunch of active members because of the reset...
Sorry, the 'turn back time' plugin for 3.5 isn't made yet. (50% done)
Reply With Quote
  #13  
Old 10-04-2005, 10:24 AM
Floris Floris is offline
 
Join Date: Jan 2002
Posts: 1,898
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by San
I have installed this modification correctly in 3.5 stable but it does not work

why?
We have of course NO clue.

What exactly does not work, can't they login? Do you get an error - more information is as usual 'very handy'.
Reply With Quote
  #14  
Old 10-04-2005, 10:50 AM
San San is offline
 
Join Date: Sep 2005
Location: Cagliari
Posts: 11
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Floris
We have of course NO clue.

What exactly does not work, can't they login? Do you get an error - more information is as usual 'very handy'.
You have entered an invalid username or password. Please press the back button, enter the correct details and try again. Don't forget that the password is case sensitive. Forgotten your password? Click here!

You have used 1 out of 5 login attempts. After all 5 have been used, you will be unable to login for 15 minutes.


I do not get any code's error but simply the forum does not recognize SMF imported password
Reply With Quote
  #15  
Old 10-05-2005, 10:33 AM
DianaBlu DianaBlu is offline
 
Join Date: Oct 2005
Posts: 1
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hello
Same problem,as described above...
I did SMF import,installed (correctly) required hack,but passwords are not recognized and I do not get any specific error...
Any suggestion/fix available?

Thanks,have a good day
Reply With Quote
  #16  
Old 10-26-2005, 05:19 PM
muf muf is offline
 
Join Date: Sep 2005
Posts: 9
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I am extremely sorry, but I cannot seem to reproduce your issues. I just went through all the steps on my newly upgraded 3.5.0 stable vBulletin, and I can successfully login SMF users. The only thing I can think of is your SMF forum might have been imported incorrectly.
Reply With Quote
  #17  
Old 11-18-2005, 03:12 PM
Krisekocm Krisekocm is offline
 
Join Date: Nov 2005
Posts: 8
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

3.5.1

not working

thx any way
Reply With Quote
  #18  
Old 11-21-2005, 12:25 AM
mox- mox- is offline
 
Join Date: Nov 2005
Posts: 10
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I recently purchased vbulletin and I was a bit disappointed that my users would have to reset their passwords to login to the "new" forum

I'm really happy with this hack.. I just tried it and it's working perfectly !

I just upgraded from SMF 1.0.5 to vBulletin 3.5.1

THANK YOU SOOO MUCH !
Reply With Quote
  #19  
Old 11-21-2005, 04:19 PM
Jerry's Avatar
Jerry Jerry is offline
 
Join Date: Jun 2003
Posts: 64
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by muf
vBulletin impex hashes all imported passwords with salt; md5(old_password . salt).
That is wrong, ImpEx, will only hash passwords that way if they are already md5(), if they are plain text then it goes md5(md5($password) . salt). So it depends on the source system, SMF can't be imported by default.

ImpEx's primary goal is to protect the database, not to force in passwords that break the schema and code and can be easily reset.

I explain how easy it is to reset the passwords here :

http://www.vbulletin.com/docs/html/impex_passwords

Also making users update passwords is more secure as people rarely rotate them.
Reply With Quote
  #20  
Old 11-28-2005, 01:39 PM
muf muf is offline
 
Join Date: Sep 2005
Posts: 9
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Jerry
That is wrong, ImpEx, will only hash passwords that way if they are already md5(), if they are plain text then it goes md5(md5($password) . salt). So it depends on the source system, SMF can't be imported by default.
That would seem logical, however I did not know/expect that there actually are versions of forum software that store the password in plaintext. And SMF can most certainly be imported by default, I've used impex to convert from SMF 1.0 -> vB 3.0.8, and then used the upgrade system to go from vB 3.0.8 to 3.5 (first RC2, then Gold).
Quote:
Originally Posted by Jerry
Also making users update passwords is more secure as people rarely rotate them.
I'm sorry, but that is nonsense. md5(md5(password) . salt) is just as secure as md5(md5_hmac(password, username) . salt). Algorithmically there is nothing less secure about HMAC than MD5, HMAC is arguably more secure because it uses a more complex algorithm. I know compatibility-wise resetting passwords is the recommended action from Jelsoft, but at least stick with the truth and don't say it's "more secure", because it isn't. If you ask users to reset their passwords 99.9% will reset it to their old password, so the only difference will be the way it is stored in the database.
Reply With Quote
  #21  
Old 11-28-2005, 01:47 PM
Floris Floris is offline
 
Join Date: Jan 2002
Posts: 1,898
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by muf
That would seem logical, however I did not know/expect that there actually are versions of forum software that store the password in plaintext. And SMF can most certainly be imported by default, I've used impex to convert from SMF 1.0 -> vB 3.0.8, and then used the upgrade system to go from vB 3.0.8 to 3.5 (first RC2, then Gold).

I'm sorry, but that is nonsense. md5(md5(password) . salt) is just as secure as md5(md5_hmac(password, username) . salt). Algorithmically there is nothing less secure about HMAC than MD5, HMAC is arguably more secure because it uses a more complex algorithm. I know compatibility-wise resetting passwords is the recommended action from Jelsoft, but at least stick with the truth and don't say it's "more secure", because it isn't. If you ask users to reset their passwords 99.9% will reset it to their old password, so the only difference will be the way it is stored in the database.
He means it doesn't hurt to have users change their password anyway, despite the layer of security, passwords should be rotated more frequently to avoid abuse.
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:26 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04550 seconds
  • Memory Usage 2,302KB
  • Queries Executed 25 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (7)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (6)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (3)pagenav_pagelink
  • (11)post_thanks_box
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete