Importing encrypted passwords

[dave conz]

I need to import a database of usernames and passwords into a new vB installation. The passwords are encrypted using perl like so:
$encryptedpassword = crypt($password,"aa");

I would like to hack vB to recognize either the standard vB password or the imported (encrypted) passwords. I'm thinking that users with the old style password will be able to update their passwords as normal, and the old password will be replaced by a vB-format one.

Will this work? If so, could someone give me some pointers on where to start? Thanks.

[Zachery]

Quote:

Originally Posted by dave conz

I need to import a database of usernames and passwords into a new vB installation. The passwords are encrypted using perl like so:
$encryptedpassword = crypt($password,"aa");

I would like to hack vB to recognize either the standard vB password or the imported (encrypted) passwords. I'm thinking that users with the old style password will be able to update their passwords as normal, and the old password will be replaced by a vB-format one.

Will this work? If so, could someone give me some pointers on where to start? Thanks.

Are you importing from another forum system?

[dave conz]

Sort of - I'm migrating from WebBBS. I'm not going to import the existing messages but I do need to import the usernames and passwords. The complication is that I've been using my own custom MySQL database to manage my WebBBS users, since the WebBBS username/password system is useless.

So the passwords are encrypted using the same format as WebBBS but stored in a different way (MySQL as opposed to WebBBS profiles). I don't believe there's any way to directly import the passwords into the standard vB format. Actually I don't even know how vB formats passwords yet - I haven't got that far.

[dave conz]

Please, can anyone help? All I want to know is where to find the code which says "If the password entered in the form equals the password in the database..." so I can add "...OR if it equals the old encrypted version".

If I can just get some guidance on where to start I'm happy to try and figure out the rest.

[rake]

login.php is the file you need to look at. But if i were you, i'd have the users reset their passwords, or i'd make a script to autogenerate new passwords and mail them.

[dave conz]

Thanks rake. Unfortunately a huge number of our users don't have email addies in the database, and can't add them. It's a long story - I never quite finished writing my user management script for WebBBS when I gave up on it altogether. Now I'm stuck in a horrible no-mans land, with a password/email catch-22.

Anyway, if the only file I need to look at is login.php, I'll have a look and see what I can figure out. Thanks again.

[rake]

actually, you need to look at the includes/functions_login.php file, very last function in the file. Add your code there.

[dave conz]

Ah, I see it. So I believe I need to do something like:

Code:

if (
	$bbuserinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $bbuserinfo['salt']), '') AND
	$bbuserinfo['password'] != md5($md5password . $bbuserinfo['salt']) AND
	$bbuserinfo['password'] != iif($md5password_utf, md5($md5password_utf . $bbuserinfo['salt']), '')
	// Add a line here:
	// AND $bbuserinfo['password'] != (this bit I haven't figured out yet)
	)
{
	return false;
}

... where I have to figure out how to check for the old perl crypt($password,"aa") password. If anyone would like to tell me what I should put in that line, I promise to be your best friend. Otherwise I'm off to learn how PHP deals with encryption.

[rake]

AND $bbuserinfo['password'] != crypt($password,"aa")

that would be it... check the php manual for the crypt function. aa is your salt, right?

[dave conz]

Dammit, that simple!? For some reson I thought PHP handled it differently. As you can see, I'm a PHP newbie. I've got to go away for a while now but I'll try this as soon as I get back. Thanks heaps for your help rake.