How to use phpBB 3.1.x password hashing?

Discussion forum for Extension Writers regarding Extension Development.
Post Reply
hamdiya.dev
Registered User
Posts: 4
Joined: Wed Jan 14, 2015 3:39 pm

How to use phpBB 3.1.x password hashing?

Post by hamdiya.dev » Wed Jan 14, 2015 3:44 pm

Hi there,

How would you go about using phpBB 3.1.x password hashing algorithm from an external script?

I have scoured the web/phpbb forums but to no avail. They all refer to the old method of using phpbb_hash() function, which is now deprecated.

Basically, what code is needed to successfully hash a user supplied password using phpBB's 3.1.x's algorithm?

Thank you!

hamdiya.dev
Registered User
Posts: 4
Joined: Wed Jan 14, 2015 3:39 pm

Re: How to use phpBB 3.1.x password hashing?

Post by hamdiya.dev » Wed Jan 14, 2015 5:27 pm

Right so i've come this far:

Code: Select all

define('IN_PHPBB', true);

$phpbb_root_path = '../public/forum/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);
include($phpbb_root_path . 'includes/functions_user.' . $phpEx);
include($phpbb_root_path . 'phpbb/passwords/manager.' . $phpEx);
	    
$passwords_manager = $phpbb_container->get('passwords.manager');
$hash = $passwords_manager->hash('secret_password');
However, now i get an error (due to the last line of code):

Code: Select all

Fatal: Not able to open cache/data_global.
I assume the problem is because data_global. per se doesn't exist as the php extension is missing. But i'm not sure why it is missing?

I'm trying to use the hash function from within the laravel route.php file

Windows 7 + WAMP Server

User avatar
austin881
Registered User
Posts: 283
Joined: Wed Jan 30, 2008 9:58 pm
Location: Boise, Idaho, USA
Name: Austin Maddox
Contact:

Re: How to use phpBB 3.1.x password hashing?

Post by austin881 » Fri Feb 19, 2016 7:53 am

I know it has been over a year but any chance you ever figured this out?

I'm also trying to authenticate users from my Laravel app against the phpBB database. Need to know how phpBB hashes passwords in 3.1.7 so I can validate users.
Available for paid phpBB help! PM me.

My Extensions/MODS: 475 Narius Categorized Smilies for phpBB3, Simplified & Compacted All-Members page, Flash Animated Cumulus Tag Cloud, "Hello" Name Tag of Newest User, AWS S3
phpBB portfolio: chevy truck forum, chevy astro van forum

User avatar
MarkDHamill
Registered User
Posts: 3805
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA
Contact:

Re: How to use phpBB 3.1.x password hashing?

Post by MarkDHamill » Sun Feb 21, 2016 3:15 am

/includes/ucp/ucp_register.php shows this code starting at line 336:

Code: Select all

				// Instantiate passwords manager
				$passwords_manager = $phpbb_container->get('passwords.manager');

				$user_row = array(
					'username'				=> $data['username'],
					'user_password'			=> $passwords_manager->hash($data['new_password']),
					'user_email'			=> $data['email'],
					'group_id'				=> (int) $group_id,
					'user_timezone'			=> $data['tz'],
					'user_lang'				=> $data['lang'],
					'user_type'				=> $user_type,
					'user_actkey'			=> $user_actkey,
					'user_ip'				=> $user->ip,
					'user_regdate'			=> time(),
					'user_inactive_reason'	=> $user_inactive_reason,
					'user_inactive_time'	=> $user_inactive_time,
				);
The password manager hash function can be found in /phpbb/passwords/manager.php. You will notice a driver folder in this directory. There are a number of encryption algorithms. It's unclear to me which one is the default encryption algorithm, but is some sense it doesn't matter. The key is to use this line of code:

Code: Select all

$passwords_manager->hash($data['new_password']),
To validate a password you need the validate_password function at line 1794 in /includes/functions_user.php. So you will need to include this file in your program.
Get the latest versions of my Digests and Smartfeed extensions.
Need phpBB services or a phpBB consultant? I offer most phpBB services.

User avatar
gn#36
Translator
Posts: 185
Joined: Fri Oct 13, 2006 1:16 pm
Contact:

Re: How to use phpBB 3.1.x password hashing?

Post by gn#36 » Mon Feb 22, 2016 12:15 pm

Validation can also be done with the manager: $passwords_manager->check($pw, $hash). Default on 3.0 is salted_md5 and at least on my local installation of 3.1 bcrypt (with 2y). You can see the algorithm of each password by looking at the prefix in the users table. $H$ is salted_md5, $2y$ is bcrypt. If there is no prefix, the password is stored as simple md5. Legacy algorithms get converted on login.
German Support Team Member • http://www.phpbb.deMy Extensions in the CDBMy Extensions on Github • Contact with caos is inavoidable but no catastrophy if you keep an overview.

Post Reply

Return to “Extension Writers Discussion”