[release vb2] Database Password Encryption

Updated 15th July 2001
Simplish hack that allows end users to chose if they want to store encrypted versions of their password.

Full details of how this is implemented are contained in the file.
Requirements:
vBulletin 2.0.0
This has not been tested on rc1/2/3 beta1-5. It might work or it might not.

From the june 3rd update onwards a installation script is included, full details in the instructions.

[dabean]

I had orginally planned on improving the hack to allow users to revert to plain text passwords, but forgot to post exactly how to do it. Yes md5 is indeed non-reversable but you can allways prompt for a new password. If anyone really wants the exact code to do this then I can post it.

yes, do post the code. i'm to lazy to figure it out myself.

[dabean]

first all you need to fix a little bug in hack.

In member.php Find

PHP Code:

  // validate old password
  if ($currentpassword!=$bbuserinfo[password]) {
    eval("standarderror(\"".gettemplate("error_wrongpassword")."\");");
    exit;
  } 


above it add

PHP Code:

  // secure password mod - encrypt password
  if ($bbuserinfo[encryptedpass]==1) {
    $currentpassword=md5($currentpassword);
  } // end secure password mod 


now for the actual improvement.

File: member.php

Find...

PHP Code:

  if ($newpassword!=$newpasswordconfirm) {
    eval("standarderror(\"".gettemplate("error_passwordmismatch")."\");");
    exit;
  }

  // secure passwords
  if ($bbuserinfo[encryptedpass]==1) {
    $newpassword=md5($newpassword);
  }
  // end secure passwords 


replace it with

PHP Code:

  if ($newpassword!=$newpasswordconfirm) {
    eval("standarderror(\"".gettemplate("error_passwordmismatch")."\");");
    exit;
  }

  // secure passwords
  if ($encryption=="off" && $bbuserinfo[encryptedpass]==1) {
    $DB_site->query("UPDATE user SET encryptedpass=0 WHERE userid='$bbuserinfo[userid]'");
  } else {
    if ($bbuserinfo[encryptedpass]==1) {
      $newpassword=md5($newpassword);
    }
  }
  // end secure passwords 


Find

PHP Code:

  // secure passwords
  if ($bbuserinfo[encryptedpass]==1) {
    // md5 hash password & store todo
    $cryptpassword=1;
    $urltoforward=""
  } else { 


Replace with

PHP Code:

  // secure passwords
  if ($bbuserinfo[encryptedpass]==1 && $cryptpassword==0) {
    // md5 hash password & store todo
    $cryptpassword=1;
    $downgradepass=1;
  } else { 


Find

PHP Code:

  } else {      
      $goto="usercp.php?s=$session[sessionhash]";
  } 


replace with

PHP Code:

  } else {         // secure passwords
    if($downgradepass!=1) {
      $goto="usercp.php?s=$session[sessionhash]";
    } else {
      $goto="member.php?s=$session[sessionhash]&action=editpassword&encryption=off";
    }
  }           // end secure passwords 


now for the templates

template modifypassword
below
<input type="hidden" name="s" value="$session[sessionhash]">

add
<input type="hidden" name="encryption" value="$encryption">

[webhost]

Is there anyway you can post a updated version of this hack in your first post of the thread. I saw where the last time you edited it was on the 5th I believe but I have seen on your last reply that you made changes on the 28th. Also does your zip also have Kevin's file in it?

[dabean]

Okay I've altered the zip to include the previous modifications and there is/was a table altering script included previously and currently so Kevin's file is no longer needed.

[webhost]

thanks

[DarkReaper]

Damn that took a while! finallty finished though and it works great, woo hoo!

[rebby]

Quote:

Originally posted by DarkReaper
Damn that took a while! finallty finished though and it works great, woo hoo!

yes, this hack is very slick... i can't wait until this is in the default install of vb...

[rebby]

i just upgraded to 2.0.3 and forgot about doing this hack

what changes might i need???

[dabean]

Not looked at 2.0.3 yet but nearly the whole hack would need reapplying. I'd guess.