How to use phpBB 3.1.x password hashing?

Discussion forum for Extension Writers regarding Extension Development.
hamdiya.dev
Registered User
Posts: 4
Joined: Wed Jan 14, 2015 3:39 pm

How to use phpBB 3.1.x password hashing?

Post by hamdiya.dev »

Hi there,

How would you go about using phpBB 3.1.x password hashing algorithm from an external script?

I have scoured the web/phpBB forums, but to no avail. They all refer to the old method of using the phpbb_hash() function, which is now deprecated.

Basically, what code is needed to successfully hash a user-supplied password using phpBB 3.1.x's algorithm?

Thank you!
hamdiya.dev
Registered User
Posts: 4
Joined: Wed Jan 14, 2015 3:39 pm

Re: How to use phpBB 3.1.x password hashing?

Post by hamdiya.dev »

Right, so I've come this far:

Code:

define('IN_PHPBB', true);

$phpbb_root_path = '../public/forum/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);
include($phpbb_root_path . 'includes/functions_user.' . $phpEx);
include($phpbb_root_path . 'phpbb/passwords/manager.' . $phpEx);
	    
$passwords_manager = $phpbb_container->get('passwords.manager');
$hash = $passwords_manager->hash('secret_password');

However, now I get an error (due to the last line of code):

Code:

Fatal: Not able to open cache/data_global.

I assume the problem is because data_global. per se doesn't exist as the php extension is missing. But I'm not sure why it is missing?

I'm trying to use the hash function from within the Laravel route.php file.

Windows 7 + WAMP Server
austin881
Registered User
Posts: 287
Joined: Wed Jan 30, 2008 9:58 pm
Location: Texas, USA
Name: Austin Maddox

Re: How to use phpBB 3.1.x password hashing?

Post by austin881 »

I know it has been over a year but any chance you ever figured this out?

I'm also trying to authenticate users from my Laravel app against the phpBB database. Need to know how phpBB hashes passwords in 3.1.7 so I can validate users.
Available for paid phpBB help! PM me.

My Extensions/MODS: 475 Narius Categorized Smilies for phpBB3, Simplified & Compacted All-Members page, Flash Animated Cumulus Tag Cloud, "Hello" Name Tag of Newest User, AWS S3
phpBB portfolio: chevy truck forum, chevy astro van forum
MarkDHamill
Registered User
Posts: 4933
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA

Re: How to use phpBB 3.1.x password hashing?

Post by MarkDHamill »

/includes/ucp/ucp_register.php shows this code starting at line 336:

Code:

				// Instantiate passwords manager
				$passwords_manager = $phpbb_container->get('passwords.manager');

				$user_row = array(
					'username'				=> $data['username'],
					'user_password'			=> $passwords_manager->hash($data['new_password']),
					'user_email'			=> $data['email'],
					'group_id'				=> (int) $group_id,
					'user_timezone'			=> $data['tz'],
					'user_lang'				=> $data['lang'],
					'user_type'				=> $user_type,
					'user_actkey'			=> $user_actkey,
					'user_ip'				=> $user->ip,
					'user_regdate'			=> time(),
					'user_inactive_reason'	=> $user_inactive_reason,
					'user_inactive_time'	=> $user_inactive_time,
				);

The password manager hash function can be found in /phpbb/passwords/manager.php. You will notice a driver folder in this directory. There are a number of encryption algorithms. It's unclear to me which one is the default encryption algorithm, but in some sense it doesn't matter. The key is to use this line of code:

Code:

$passwords_manager->hash($data['new_password']),

To validate a password you need the validate_password function at line 1794 in /includes/functions_user.php. So you will need to include this file in your program.
Need phpBB services or a phpBB consultant? I offer most phpBB services. Getting lost managing phpBB? Buy my book, Mastering phpBB Administration. Covers through phpBB 3.3.7. eBook and paper versions available.
gn#36
Translator
Posts: 210
Joined: Fri Oct 13, 2006 1:16 pm

Re: How to use phpBB 3.1.x password hashing?

Post by gn#36 »

Validation can also be done with the manager: $passwords_manager->check($pw, $hash). Default on 3.0 is salted_md5 and at least on my local installation of 3.1 bcrypt (with 2y). You can see the algorithm of each password by looking at the prefix in the users table. $H$ is salted_md5, $2y$ is bcrypt. If there is no prefix, the password is stored as simple md5. Legacy algorithms get converted on login.
German Support Team Member • http://www.phpbb.de • My Extensions in the CDB • My Extensions on Github • Contact with chaos is unavoidable but no catastrophe if you keep an overview.
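
The prefix rules described in the last reply, as an added PHP example that is not part of the thread and not phpBB's own code: it verifies a password against a stored user_password value without bootstrapping phpBB. Assumptions: the function names are hypothetical, `$H$` hashes follow the phpass "portable" layout, only the three formats named in the thread are handled (anything else fails closed), and the password is hashed exactly as supplied, so any transformation phpBB applies to the input before hashing is not replicated.

```php
<?php
// Added example (not phpBB code): verify a password against a stored user_password
// value, choosing the algorithm from the prefix as described in the thread.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

function phpbb_hash_type(string $stored): string {
    if (strncmp($stored, '$2y$', 4) === 0) return 'bcrypt';
    if (strncmp($stored, '$H$', 3) === 0)  return 'salted_md5';
    return 'md5'; // no prefix: legacy plain md5
}

// Assumption: $H$ hashes use the phpass "portable" layout:
// "$H$" + 1 cost char + 8 salt chars + 22 chars of encoded MD5 output.
function salted_md5_check(string $password, string $stored): bool {
    if (strlen($stored) !== 34) return false;
    $log2 = strpos(ITOA64, $stored[3]);
    if ($log2 === false || $log2 < 7 || $log2 > 30) return false;
    $hash = md5(substr($stored, 4, 8) . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) $hash = md5($hash . $password, true);
    // phpass base64: up to 3 bytes, little-endian, emitted 6 bits at a time
    $out = '';
    for ($i = 0; $i < 16; $i += 3) {
        $v = ord($hash[$i]) | (ord($hash[$i + 1] ?? "\0") << 8) | (ord($hash[$i + 2] ?? "\0") << 16);
        for ($k = min(3, 16 - $i) + 1; $k > 0; $k--, $v >>= 6) $out .= substr(ITOA64, $v & 0x3f, 1);
    }
    return hash_equals($stored, substr($stored, 0, 12) . $out);
}

function phpbb_verify(string $password, string $stored): bool {
    switch (phpbb_hash_type($stored)) {
        case 'bcrypt':     return password_verify($password, $stored);
        case 'salted_md5': return salted_md5_check($password, $stored);
        default:           return hash_equals($stored, md5($password));
    }
}

// Constructed sample values. The $H$ one is the phpass test-suite vector for
// "test12345" with its $P$ prefix swapped for $H$.
$rows = [
    password_hash('test12345', PASSWORD_BCRYPT),
    '$H$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0',
    md5('test12345'),
];
foreach ($rows as $stored) {
    printf("%-10s correct=%s wrong=%s\n", phpbb_hash_type($stored),
        json_encode(phpbb_verify('test12345', $stored)),
        json_encode(phpbb_verify('nope', $stored)));
}
```

A row that verifies as md5 or salted_md5 is a candidate for re-hashing with bcrypt after a successful check, which mirrors the conversion on login mentioned in the thread.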
