By CoffeeMugDude (Developer, Last Online: Nov 2001)

Version: Unknown
Released: 07-28-2001 Last Update: Never Installs: 1
 
No support by the author.

Being an old-fashioned sysadmin, I feel better in the mornings if I cannot view my users' passwords.

After installing vBulletin, I was disturbed to find that passwords were stored in cleartext. So, I made a couple of modifications, to ensure that only MD5 encrypted passwords were stored in the database.

I didn't think much of it at the time, I was sure someone had released a hack already. When browsing the VB forums, however, I found that a lot of people wanted a solution like mine.

The main issue of concern seemed to be "But now the lost-password function won't work!"

I put in place a random, "pronounceable password generator" I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database.

I chose MD5 because I'm fond of the concept of "one-way" encryption.

Now, no admin can see a member's password. :-)

Enjoy!

(Instructions, and a database-update script are included in the .zip file at http://www.coffeeintherain.com/scripts/md5_hack.zip )

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
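
An added example (not part of md5_hack.zip or the author's code): a column of plain `md5()` hex digests, which is what this modification is assumed to store, can be moved to PHP's salted, slow `password_hash()` without knowing any plaintext. The function names and the `md5+` marker are assumptions made for the illustration.

```php
<?php
// Added example, not from md5_hack.zip. Function names and the "md5+"
// marker are hypothetical; rows are assumed to hold plain md5() hex digests.

// One-off upgrade of an existing row: wrap the stored digest in a salted,
// slow hash. No plaintext password is needed for this step.
function wrap_legacy_md5(string $md5Hex): string
{
    return 'md5+' . password_hash($md5Hex, PASSWORD_DEFAULT);
}

// Returns [bool $ok, ?string $newHash]. When $newHash is not null the caller
// stores it, so every account ends up on a direct password_hash() value.
function verify_password(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Row that was never upgraded: bare md5 hex digest.
        $ok = hash_equals($stored, md5($password));
    } elseif (strncmp($stored, 'md5+', 4) === 0) {
        // Wrapped row: recompute the digest, then check the slow hash.
        $ok = password_verify(md5($password), substr($stored, 4));
    } else {
        $ok = password_verify($password, $stored);
        if ($ok && !password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            return [true, null];
        }
    }
    return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
}

// Constructed sample data.
$legacyRow  = md5('coffee_in_the_rain');
$wrappedRow = wrap_legacy_md5($legacyRow);

[$ok, $newHash] = verify_password('coffee_in_the_rain', $wrappedRow);
var_dump($ok);                                             // login result
var_dump(password_verify('coffee_in_the_rain', $newHash)); // upgraded row verifies
[$okWrong] = verify_password('wrong-guess', $wrappedRow);
var_dump($okWrong);
```
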

Comments
  #12  
Old 08-17-2001, 09:32 AM
creamy
Guest
 
Posts: n/a
Default

um, i can't fix the last part on my own... maybe someone who knows php can help

when you tell it to mail you a password, it's supposed to generate one from a list of words and mail that one and store it in the database. it's getting stuck on the easy part - opening the list of words.
the instructions say:
Quote:
Save the files "ppassgen.php", "encrypt_all_passwords.php", and "words.txt" to your VB "admin" directory.

You can use any word list to generate your random passwords, I used my system's /usr/dict/words. Just be sure to save your wordlist to "words.txt" in your "admin" directory.
well i did that, and i checked the chmod in case it matters, but even at 777 it doesn't work. i get this error instead:

Code:
Warning: fopen("words.txt","r") - No such file or directory in /home/mod-chi/public_html/admin/ppassgen.php on line 29

Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 37

Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 38

Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 37

Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 38
(repeating forever)
the code in the first part of ppassgen.php is:

Code:
<?
/* 
 * function ppassgen() 
 * parameters: 
 * $words = the name of the file w/ the words (one per line) 
 *      or and array of words 
 * $min = the minimum number of words per password 
 * $max = the maximum number of words per password 
 * $cutoff = the minimum number of characters per word 
 * $sep = separator for the words in the password 
 */ 

function ppassgen($words= "words.txt", $min=2, $max=4, $cutoff=5, $sep= "_") { 

	
		// This is here for cases when we email a password from the admin control panel


    if(is_array($words)) { 
        /* if we have passed and array of words, use it */ 
        $word_arr =  "words"; 
         /* 
        while(list($k,$v) = each(${$word_arr})) { 
            echo "$k $v<BR>"; 
        } 
        */ 
    } else { 
        /* read the external file into an array */ 
        $fp = fopen($words, "r");      // <---- LINE 29

        if (!fp) { 
            echo  "[ERROR}: Could not open file $words<BR>\n"; 
            exit; 
        } else { 
            /* assuming words of up to 127 characters */ 
            $word_arr =  "ext_arr"; 
            while(!feof($fp)) {             // <---- LINE 37
                $tword = trim(fgets($fp,128)); // <---- LINE 38


                /* check for minimum length and for exclusion of numbers */ 
                if ((strlen($tword) >= $cut_off) && !ereg( "[0-9]",$tword)) { 
                    $ext_arr[] = strtolower($tword); 
                } 
            } 
            fclose($fp); 
        } 
    }

i already tried the following:
not putting quotes around the filename
putting a full path to the words.txt
putting a relative path to words.txt

with no success....
Reply With Quote
  #13  
Old 08-17-2001, 12:36 PM
pogo's Avatar
pogo pogo is offline
 
Join Date: Oct 2001
Posts: 74
Thanks given: 0
Thanked 0 times in 0 posts
Default

The full path works fine for me
Code:
function ppassgen($words= "/full/path/to/words.txt", $min=2, $max=4, $cutoff=5, $sep= "_") {
Yeah, I should have complained about the wrong encrypt_all_pass... file.
And don't forget to check the mod panel index.php. I think you have to modify something there too.
Reply With Quote
  #14  
Old 08-17-2001, 06:28 PM
creamy
Guest
 
Posts: n/a
Default

hmm
i might not have put /users/ or whatever at the start of my path, i'll try again...
you know what's the most annoying? this file has code in it to detect if the file open failed, but it's not working
Reply With Quote
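
An added example (not the ppassgen.php from the zip; `load_words()` and `make_passphrase()` are hypothetical names, and Unix-style paths are assumed). In the excerpt posted above the open-failure check is written `!fp` rather than `!$fp`, so it never tests the file handle, and the length filter reads `$cut_off` rather than the `$cutoff` parameter. This version checks the handle before any read, resolves a relative word-list name against the file's own directory, and picks words with a CSPRNG.

```php
<?php
// Added example, not the ppassgen.php from the zip. load_words() and
// make_passphrase() are hypothetical names; Unix-style paths are assumed.

function load_words(string $file = 'words.txt', int $cutoff = 5): array
{
    // Anchor a relative name to this file's directory. A bare "words.txt" is
    // otherwise looked up in the current working directory (for a web
    // request, normally that of the entry script), which need not be admin/.
    $path = strncmp($file, '/', 1) === 0 ? $file : __DIR__ . '/' . $file;

    $fp = @fopen($path, 'r');
    if ($fp === false) {             // test the variable and fail before any read
        throw new RuntimeException("Could not open word list: $path");
    }
    $words = [];
    while (($line = fgets($fp)) !== false) {   // stops at EOF or on a read error
        $word = strtolower(trim($line));
        if (strlen($word) >= $cutoff && !preg_match('/[0-9]/', $word)) {
            $words[] = $word;
        }
    }
    fclose($fp);
    return array_values(array_unique($words));
}

function make_passphrase(array $words, int $min = 2, int $max = 4, string $sep = '_'): string
{
    if (count($words) < 2) {
        throw new InvalidArgumentException('Word list is too small');
    }
    $picked = [];
    for ($i = random_int($min, $max); $i > 0; $i--) {
        $picked[] = $words[random_int(0, count($words) - 1)];   // CSPRNG-backed
    }
    return implode($sep, $picked);
}

// Constructed sample word list, written to a temporary file.
$tmp = tempnam(sys_get_temp_dir(), 'wl');
file_put_contents($tmp, "Coffee\nmorning\nabc\nroute66\nsysadmin\nbulletin\n");
echo make_passphrase(load_words($tmp)), "\n";
unlink($tmp);

try {
    load_words('no-such-list.txt');              // missing file: one clear error
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```
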
  #15  
Old 08-22-2001, 06:07 AM
creamy
Guest
 
Posts: n/a
Default

yeah the absolute path to the file works fine...
only problem i have now is when i go to the control panel i have to log in again... dunno if i'm smart enough to figure what's wrong (cookie problem?)
i hope the vbulletin dudes put this in the code soon, i hate hacking my board!
Reply With Quote
  #16  
Old 08-24-2001, 08:10 AM
joecrow
Guest
 
Posts: n/a
Default

does this work with vb 2.0.3 ?
Reply With Quote
  #17  
Old 08-24-2001, 03:16 PM
pogo's Avatar
pogo pogo is offline
 
Join Date: Oct 2001
Posts: 74
Thanks given: 0
Thanked 0 times in 0 posts
Default

yepp.
Reply With Quote
  #18  
Old 08-24-2001, 05:03 PM
Raptor Raptor is offline
 
Join Date: Nov 2001
Posts: 499
Thanks given: 0
Thanked 0 times in 0 posts
Default

it seems pogo had some problems

has the install file been updated with the correct details ?
Reply With Quote
  #19  
Old 08-24-2001, 05:47 PM
Raptor Raptor is offline
 
Join Date: Nov 2001
Posts: 499
Thanks given: 0
Thanked 0 times in 0 posts
Default

i have installed this following creamy/pogos changes and it works 100% perfect

thanks
Reply With Quote
  #20  
Old 08-27-2001, 08:00 AM
CoffeeMugDude CoffeeMugDude is offline
 
Join Date: Nov 2001
Location: South Africa
Posts: 12
Thanks given: 0
Thanked 0 times in 0 posts
Default

Hi folks,

I've been on holiday, so this whole thread happened in my absence. Thanks for the feedback. Is anyone still struggling? Would it help if I updated the instructions for 2.0.3 ?
Reply With Quote
  #21  
Old 08-27-2001, 08:36 AM
creamy
Guest
 
Posts: n/a
Default

yeah that would probably help a lot... this is a kick-ass hack so keeping it updated is good
do you think there could be a problem somewhere? read my earlier post about it making me login again to get into the control panel - this is still happening. not a big problem but might as well fix it if possible.
Reply With Quote