Blog Documentation Try Vanilla Cloud
Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Options

Password hashing

chrisc17chrisc17
edited March 2009 in Vanilla 1.0 Help
Hi, I've been reading the forum comments on password hashing going back to October last year. I'm new to php so am doing the very basics at the moment. I'm trying to use the user names and passwords that people has registered for the forum for other purposes (a bit like toon-c's discussion). I've managed to extract the user names and passwords from the table. In doing testing, I registered a new user with a password called "the". I then proceed to print a list of all the passwords from the LUM_User Table Password Field. I have copied the following code from the test.php file from phpass main website and incorporated it into my site. However, the hash produced from this snippet of code doesn't match the hashes in the Password field in LUM_User. Any ideas? (PS: I can't use any vanilla authenticate methods because thats beyond my comprehension at the moments, I would get confused with all the includes etc) Thanks , Chris *** The output of the hash snippet is Hash: $P$BDeJeLwKVnru7k2PQAFEOlm39irxBp/ Check correct: '1' (should be '1') *** $ok = 0; # Try to use stronger but system-specific hashes, with a possible fallback to # the weaker portable hashes. $t_hasher = new PasswordHash(8, FALSE); $correct = "the"; $hash = $t_hasher->HashPassword($correct); print "Hash: " . $hash . "\n"; $check = $t_hasher->CheckPassword($correct, $hash); if ($check) $ok++; print "Check correct: '" . $check . "' (should be '1')\n";

Comments

  • Options
    DinoboffDinoboff
    edited March 2009
    With phpass, two hashes created with the same password should be different. Also the algorithm to create the hash is very slow. It make brute forcing the password currently impossible. The first - or last, I don't remember - 8 characters are the salt key used to create the hash. To check a password, you need to get the hash and use the salt key it contains to recreate the same hash with the same password. Vanilla can work with plain password and md5 hash, so you can still use md5 hash. You just have to overwrite vanilla default login, since for each login if the hash is not a phppass one it will regenerate the hash and save it. Check this addon if you want to use something md5 only hash: http://dl.getdropbox.com/u/83967/Md5authenticator-0.1.2.zip
  • Options
    DinoboffDinoboff
    ps: vanilla use phpass. It only extend it so that it can use plain and md5 stored password. You should use phpass in your own project.
  • Options
    DinoboffDinoboff
    pps: I didn't upload that add-on on the repository because I think it is a bad idea to use it. But anybody can upload it and support.
  • Options
    chrisc17chrisc17
    ah, knowing that it was dependant on the salt? made me realise that you can use the predefined function. I have tried gensalt_private but realised just to use checkpassword(), so can stay with phpass rather than use md5. it looks a bit trickier to downgrade to md5 than to stay on phpass. while($row = mysql_fetch_array($result444)) { extract($row); $foundpassword = $t_hasher->CheckPassword($frompassword, $Password); if ($foundpassword) { echo 'found!'; } } Thanks very much for the comments. been spending quite a while on this
Sign In or Register to comment.