Version: 0.11, by muf
Developer Last Online: Apr 2021
Version: 3.5.0
Released: 09-29-2005
Last Update: Never
Installs: 12
Template Edits
Code Changes
No support by the author.
Resource : [SMF] Imported User Password Hack
Type : Source Code Modification
Version : 0.1
Author : mf @ http://www.videngineering.net
Description : After SMF import, no need to reset password!
vBulletin impex hashes all imported passwords with salt; md5(old_password . salt). For most forums, that means md5(md5(password) . salt). For SMF, however, that means md5(md5_hmac(password, username) . salt). Since vB login checks for md5(md5(password) . salt), that means an imported SMF user will have to have his/her password reset. That, or you install this little hack.
Tested : Yes, tested on 3.5.0 Stable (will not work on vB 2.x or 3.0.x)
Screenshot : None, obviously
Notes : My first hack :speechless:
This modification may not be copied, reproduced or published elsewhere without author's permission.
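The two hash constructions named in the description, with a login check that accepts either and hands back a native hash to store after a legacy match. This is an added example, not the hack's code and not vBulletin or SMF source. The function names are hypothetical, the sample values are constructed, and it assumes `md5_hmac` is standard HMAC-MD5 keyed with the username and that the server sees the plaintext password.

```php
<?php
// Added illustration; function names are hypothetical, not vBulletin or SMF code.

// Native vBulletin scheme as described in the post: md5(md5(password) . salt)
function vb_native_hash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

// What the import leaves for an SMF user per the post:
// md5(md5_hmac(password, username) . salt).
// Assumption: md5_hmac is standard HMAC-MD5 with the username as the key.
function smf_imported_hash(string $password, string $username, string $salt): string
{
    return md5(hash_hmac('md5', $password, $username) . $salt);
}

// Returns ['ok' => bool, 'rehash' => ?string]. 'rehash' carries the native hash
// to store after a legacy match, so the fallback is only needed once per user.
function verify_login(string $password, string $username, string $stored, string $salt): array
{
    // hash_equals() compares in constant time.
    if (hash_equals($stored, vb_native_hash($password, $salt))) {
        return ['ok' => true, 'rehash' => null];
    }
    if (hash_equals($stored, smf_imported_hash($password, $username, $salt))) {
        return ['ok' => true, 'rehash' => vb_native_hash($password, $salt)];
    }
    return ['ok' => false, 'rehash' => null];
}

// Constructed sample data (not from any real forum).
$salt   = 'a1B';
$user   = 'alice';
$stored = smf_imported_hash('correct horse', $user, $salt); // row as left by the import

$first = verify_login('correct horse', $user, $stored, $salt); // matches via the SMF path
var_dump($first);
$stored = $first['rehash'] ?? $stored;                         // persist the native hash

var_dump(verify_login('correct horse', $user, $stored, $salt)); // now matches natively
var_dump(verify_login('wrong guess', $user, $stored, $salt));   // rejected on both paths
```

The username passed as the HMAC key must be byte-identical to what the source forum used when it hashed the password (including any case normalization), otherwise the legacy path never matches.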
What exactly does not work, can't they log in? Do you get an error? More information is, as usual, 'very handy'.
You have entered an invalid username or password. Please press the back button, enter the correct details and try again. Don't forget that the password is case sensitive. Forgotten your password? Click here!
You have used 1 out of 5 login attempts. After all 5 have been used, you will be unable to login for 15 minutes.
I do not get any code error; the forum simply does not recognize the SMF imported password.
Hello
Same problem, as described above...
I did the SMF import and installed the required hack (correctly), but passwords are not recognized and I do not get any specific error...
Any suggestion/fix available?
I am extremely sorry, but I cannot seem to reproduce your issues. I just went through all the steps on my newly upgraded 3.5.0 stable vBulletin, and I can successfully log in SMF users. The only thing I can think of is your SMF forum might have been imported incorrectly.
vBulletin impex hashes all imported passwords with salt; md5(old_password . salt).
That is wrong; ImpEx will only hash passwords that way if they are already md5(). If they are plain text then it goes md5(md5($password) . salt). So it depends on the source system; SMF can't be imported by default.
ImpEx's primary goal is to protect the database, not to force in passwords that break the schema and code and can be easily reset.
I explain how easy it is to reset the passwords here :
That would seem logical, however I did not know/expect that there actually are versions of forum software that store the password in plaintext. And SMF can most certainly be imported by default, I've used impex to convert from SMF 1.0 -> vB 3.0.8, and then used the upgrade system to go from vB 3.0.8 to 3.5 (first RC2, then Gold).
Quote:
Originally Posted by Jerry
Also making users update passwords is more secure as people rarely rotate them.
I'm sorry, but that is nonsense. md5(md5(password) . salt) is just as secure as md5(md5_hmac(password, username) . salt). Algorithmically there is nothing less secure about HMAC than MD5, HMAC is arguably more secure because it uses a more complex algorithm. I know compatibility-wise resetting passwords is the recommended action from Jelsoft, but at least stick with the truth and don't say it's "more secure", because it isn't. If you ask users to reset their passwords 99.9% will reset it to their old password, so the only difference will be the way it is stored in the database.
He means it doesn't hurt to have users change their password anyway; despite the layer of security, passwords should be rotated more frequently to avoid abuse.