Where's the Salt Stored?

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Get Involved
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
User avatar
danallen
Registered User
Posts: 32
Joined: Fri Jun 20, 2014 9:36 am

Where's the Salt Stored?

Post by danallen » Tue Oct 14, 2014 4:02 am

I've read the salt for passwords is stored in the database. Where? I am looking at the users table, at two accounts with the same password. I log into both accounts with the same password, no problem. However, the values in user_password field are not the same. I am thinking that means different salt values are used for each of the two passwords. I am wondering where that salt information is stored.

Any information on this topic would be much appreciated.

Thank you.
phpbb3.12
Last edited by Oyabun1 on Tue Oct 14, 2014 9:36 pm, edited 1 time in total.
Reason: Moved from 3.1.x Support

User avatar
david63
Registered User
Posts: 16407
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: Where's the Salt Stored?

Post by david63 » Tue Oct 14, 2014 7:43 am

Are you sure that the passwords are the same? Is it possible that one of them has an upper case character that the other one does not?
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

User avatar
Noxwizard
Support Team Leader
Support Team Leader
Posts: 10341
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster
Contact:

Re: Where's the Salt Stored?

Post by Noxwizard » Tue Oct 14, 2014 9:56 pm

The salt is stored as part of the password hash. A random salt is generated each time a password hash is created, so two passwords may be the same, but will have different hashes.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.

User avatar
danallen
Registered User
Posts: 32
Joined: Fri Jun 20, 2014 9:36 am

Re: Where's the Salt Stored?

Post by danallen » Tue Nov 11, 2014 1:36 pm

david63 wrote:Are you sure that the passwords are the same? Is it possible that one of them has an upper case character that the other one does not?
Related question...changing what I am asking ...

The reason I know that passwords are the same is I make them by the following process:
1. Change a user's password, using acp.
2. Using phpmyadmin update other user accounts like this:
update phpbb3x_users set user_password = (select user_password from phpbb2x_users where user_id = (*** the one I changed with acp **) where user_id <> (** my user_id**) so everyone but me has the same password.;

So when I do that, why am I able login into some accounts but not others with the password that generated the original hash?
Last edited by danallen on Tue Nov 11, 2014 1:41 pm, edited 1 time in total.

User avatar
danallen
Registered User
Posts: 32
Joined: Fri Jun 20, 2014 9:36 am

Re: Where's the Salt Stored?

Post by danallen » Tue Nov 11, 2014 1:39 pm

Noxwizard wrote:The salt is stored as part of the password hash. A random salt is generated each time a password hash is created, so two passwords may be the same, but will have different hashes.
Why does copying a hash directly in the DB from one account to another, sometimes, but not always, result in a password I can use. Icipied the same hash to a number of accounts, where I knew the password for the hash. On some accounts, I can login with the password, on others, I cannot. Why is this?

There appears to be a correlation between the hash, passowrd, and user group.

User avatar
RaythXC
Registered User
Posts: 150
Joined: Wed Jun 13, 2012 1:23 pm

Re: Where's the Salt Stored?

Post by RaythXC » Tue Nov 11, 2014 6:48 pm

You simply copied the hashed password from one account to the other via the database. This means that when phpbb tries to login to the account you copied to, it is dehashing the password incorrectly since all hashes are made whenever a password is made/changed etc.

User avatar
danallen
Registered User
Posts: 32
Joined: Fri Jun 20, 2014 9:36 am

Re: Where's the Salt Stored?

Post by danallen » Tue Nov 18, 2014 9:48 pm

Thank you for helping me understand this.
Noxwizard wrote:The salt is stored as part of the password hash. A random salt is generated each time a password hash is created, so two passwords may be the same, but will have different hashes.
Two questions:
1. It seems to me that if that were all there is to it, then copying the user_password field from one user record to another would give the receiving user record the same password as the first. It works sometimes, but not always. Why is that?

2. Can you explain how the salt is stored with the hash? Is it in certain positions within the hash?
RaythXC wrote:You simply copied the hashed password from one account to the other via the database. This means that when phpbb tries to login to the account you copied to, it is dehashing the password incorrectly since all hashes are made whenever a password is made/changed etc.
Why does it work sometimes, but not others?

What is dehashing?

User avatar
RaythXC
Registered User
Posts: 150
Joined: Wed Jun 13, 2012 1:23 pm

Re: Where's the Salt Stored?

Post by RaythXC » Wed Nov 19, 2014 6:32 pm

The only time it'd work is if the salt was exactly the same on both accounts.

And dehashing isn't the correct term. When you login on phpbb it essentially does the following:
1. Check database for username existing.
2. If it does, get the salt for that account
3. Salt and hash the password you entered.
4. Compare the entered password after hashing, to the stored hashed password in the database.
5. If equal, log you in.

User avatar
danallen
Registered User
Posts: 32
Joined: Fri Jun 20, 2014 9:36 am

Re: Where's the Salt Stored?

Post by danallen » Fri Nov 21, 2014 11:24 pm

RaythXC wrote:The only time it'd work is if the salt was exactly the same on both accounts...
...If it does, get the salt for that account
Thank you for responding and explaining.
Where is the salt stored? Is t possible to retrieve it and see what it is? If so, how?

I suspected the user_form_salt is the salt used on passwords, so when copying a password hash from one use account to another, I also copied he user_form_salt. Sometimes, the result would be I could login to the account with what I knew was the password of the source account, but sometimes it does not work. There is something I am missing and I don't know what it is.

Starting to trace the code now. I was thinking someone would just know where the salt is and provide the answer. Not so easy I guess.

Thank you again.

User avatar
danallen
Registered User
Posts: 32
Joined: Fri Jun 20, 2014 9:36 am

Re: Where's the Salt Stored?

Post by danallen » Sat Nov 22, 2014 2:02 am

Currently, salt is stored in positions 4-11 in the user_password field of phpbb3_users. You can tell whether this applies, if the first 3 characters of hte hash are $H$.

To see it, find this code in /includes/functions.php.. I have inserted die() to display the value.

Code: Select all

function _hash_crypt_private($password, $setting, &$itoa64)
{
	$output = '*';

	// Check for correct hash
	if (substr($setting, 0, 3) != '$H$' && substr($setting, 0, 3) != '$P$')
	{
		return $output;
	}

	$count_log2 = strpos($itoa64, $setting[3]);

	if ($count_log2 < 7 || $count_log2 > 30)
	{
		return $output;
	}

	$count = 1 << $count_log2;
	$salt = substr($setting, 4, 8);
die($salt);

Looking this, copying a hash from one user record to another will make the passowrd on the receiving account have the same password as the sending account. It works sometimes, but not always. Still don't know why that is.

Looking at this code, where hash is checked, I'd have to say I must be doing something different than what I think or this would work..

User avatar
RaythXC
Registered User
Posts: 150
Joined: Wed Jun 13, 2012 1:23 pm

Re: Where's the Salt Stored?

Post by RaythXC » Sat Nov 22, 2014 2:46 pm

I'll have a look through the code and see if I can work it out, but before I post any results, why are you interested in where the salt is stored in the first place?

User avatar
danallen
Registered User
Posts: 32
Joined: Fri Jun 20, 2014 9:36 am

Re: Where's the Salt Stored?

Post by danallen » Tue Nov 25, 2014 1:58 am

RaythXC wrote:I'll have a look through the code and see if I can work it out, but before I post any results, why are you interested in where the salt is stored in the first place?
Thank you, Ray.

The reason I am into this part of the system is to integrate phpbb security with the overall website security. The forum is one of the key components of our site, but other areas are just as prominent. People using our site get confused when navigating across security boundaries. Best example is phpbb email notices of forum activity. The email comes with links into the forum, that require phpbb authentication. When people hit those links, if they do not have a current session, they are forced to enter a username and password that is different from the one they have for the site as a whole. My objective is to handle phpbb authentication in the background, so end users do not even know it is there. To do that, I have to control passwords and/or password checking. I need to know exactly how authentication happens, to avoid unexpected authentication fails. This is why I needed to understand exactly how salt is stored.

I had been experimenting with copying user_password values from one user, with a known password, to another, It was working sometimes and not others. I needed to find out why it worked sometimes and not others. T needed to find all the variables at play.

It turned out, copying user_password from one user to another always works, not sometimes. When it seemed to not work, it was due to errors in the copying of user_password. I discovered that, when I finally isolated how salt fits in, and where it is stored. Once I knew that salt is in the user_password field, and can be isolated information from somewhere else, I was able to find the problem with the copying (the problem was delimiting the passord field with ' was droping $ from the start of the user_password value). Prior to having salt isolated, I could not rule out the possibility of other variables being part of the process.

At this point, my plan is to amend the links in email notices with one-time keys that will be created when the notice is sent. So this
viewtopic.php?f=243&t=5650

will become this
viewtopic.php?f=243&t=5650&ourkey=uhsKJkYcgDKGr8BvTVjww9ZL

where ourkey is randomly generated, and then stored in our db.

So, when that link is used, we will authenticate using the variable ourkey, on the assumption no one but the person we sent it to can have the correct value for ourkey tied to the exact forum and topic we have on file for that value of ourkey. In this scenario, phpbb password authentication will be bypassed, by returning true in the function that checks passwords. That way, we can let the user in without the user having to deal with phpbb security, keep everyone else out, and control which forums the user can access using the username/group group permissions.

This solution is a step past the one I was on when needing to isolate salt. Salt is not playing a role here. I needed to understand salt to get here.

Sorry for such a long answer, I hope it makes sense now.

Believe me, I am looking for a better solution to integration of phpbb than this. This is just the best I have come up with so far. I know it is primitive.

User avatar
Lumpy Burgertushie
Registered User
Posts: 66565
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Where's the Salt Stored?

Post by Lumpy Burgertushie » Tue Nov 25, 2014 4:59 am

here are some links to help you integrate phpbb's system with your own.

External_login
phpBB3 Cross-site Sessions Integration
phpBB3 Sessions Integration
Authentication plugins
Full Site Integration

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

User avatar
danallen
Registered User
Posts: 32
Joined: Fri Jun 20, 2014 9:36 am

Re: Where's the Salt Stored?

Post by danallen » Tue Nov 25, 2014 4:29 pm

Lumpy Burgertushie wrote:here are some links to help you integrate phpbb's system with your own.

External_login
phpBB3 Cross-site Sessions Integration
phpBB3 Sessions Integration
Authentication plugins
Full Site Integration

robert
Robert, those are great links, thank you. I'll post back here how this material plays into the solution we will be using.

User avatar
RaythXC
Registered User
Posts: 150
Joined: Wed Jun 13, 2012 1:23 pm

Re: Where's the Salt Stored?

Post by RaythXC » Tue Nov 25, 2014 6:05 pm

If the salt is stored in the password field, then i would assume that when phpbb hashes a password (done when user registers/password changes via phpbb_hash function), then the string returned by the function is the hashed password with the salt placed on the front. What I also noticed is that the string return is a md5 hash of the salted password, so here's what I suspect happens when a user logs in:

User enters username and password
phpbb searches database for username and gathers information it needs (user id and salted password i suspect)
phpbb then hashes the entered password based on values it has on the specific account and returns it
phpbb will then compare the returned string to the string stored in the database
if they match, logs user in and does all the cookie stuff.

Locked

Return to “[3.0.x] Support Forum”