Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Converting plaintext passwords to vanilla hash

I have an account management system in place for another system and I'm working on writing a script to export users from that system into the vanilla db using php.

The issue I'm running into is while I can use PHPass, I cannot use the vanilla encryption because it requires most of vanilla to be included/initialized which I cannot seem to easily do in a simple command-line php script. I've also attempted to hash to md5 using PHPass since vanilla is supposed to convert to vanilla hashing upon each user's first login, but the passwords won't authenticate upon login for some reason.

Any suggestions would be greatly appreciated.

Comments

  • LincLinc Detroit Admin

    Just put the plain text password in the Password column, and set the HashMethod to Text. They will hash on their own.

  • They hash on their own, but only after each user logs in. Until someone auths on their account, those passwords are stored in plaintext. Which is bad.

  • LincLinc Detroit Admin

    Did you try setting the HashMethod to md5?

  • WHen I try the md5 method, I use PHPass to encrypt the plaintext password and store that in the Password column, then set the HashMethod to md5. It fails authenticating my login when I try to log in when I do this.

  • LincLinc Detroit Admin

    Did you try just using md5() to hash it?

  • I believe I did and that failed as well. But, let me try now to confirm and I will get back with you.

  • set HashMethod to Vanilla and just md5 them, it should rehash on login.

    grep is your friend.

  • Confirmed -- that method fails as well. Below is the portion of my script that seems to be not working.

    //connect to db and load in single entry of data via csv
    $name = $data[0];                          //$data[0] is my username
    $password = md5($data[1]);           //$data[1] is my plaintext password
    $hashMethod = $data[2];                //$data[2] is md5
    $email = $data[3];                           //$data[3] is email
    $title = $data[4];                             //$data[4] is title
    
    echo "Inserting User ".$name."\n";
    
    $query_str="INSERT INTO GDN_User (Name,Password,HashMethod,Email,Title) VALUES ('".addslashes($name)."','".addslashes($password)."','".addslashes($hashMethod)."','".addslashes($email)."','".addslashes($title)."')";
    
    echo $query_str."\n";        //output to confirm I'm not el loco
    mysql_query($query_str);  //exec the query str
    
  • I will try hashmethod vanilla

  • MaddawgX9MaddawgX9 New
    edited March 2015

    HashMethod = Vanilla fails as well.

  • I will also mention that everything works fine when I run my script and set the password as plaintext, so I know that either I suck at making an md5 hash or Vanilla sucks at checking plaintext passwords against it for one reason or another.

  • I will also mention I have checked the md5 hash of my test password against other implementations and it's getting put into the database correctly.

  • Perhaps there is a config var I need to edit in garden to enable md5 hash checking?

  • hash method Text and md5 don't actually exist, they just to default to Vanilla anyway.

    it should work see here

    https://github.com/vanilla/vanilla/blob/master/library/core/class.passwordhash.php#L193-L197

    grep is your friend.

  • I'll mess around a bit more, maybe have vanilla post some output to log so I can see what exactly in authentication is failing. I'm thinking it's possible it's failing on other checks because I'm not inserting any permissions role for the new user. In Terminator Voice I'll be back.

  • It looks as if it's an issue with me not assigning a user role. I'm adding the user to the GDN_Users table but I need to add a role linkage to GDN_UserRole and map the new user's ID to an existing role. The reason it had worked when I did plaintext was because I had gone in and edited the user account to have a role after I added it with my script. I will follow up shortly to confirm this is in fact the problem.

  • Confirmed. You have to add an entry in the GDN_UserRole table. Once I did, everything worked and all was right in the world. Thanks for the help.

  • Are you wanting to use the default roles like member for most of these users. I suggest you rebuild roles, to ensure everything is tickety-boo.

    grep is your friend.

Sign In or Register to comment.