phpass behavior on hashing passwords between WordPress and phpBB


Post by axe70 »

Hello all, I hope to find a solution soon, so I will also post this question here, in the hope someone can help on the fly. This is the problem:
Test Pass:
zVg%)4hK$wvDhEmr^?=)&

When the pass is changed on phpBB or WP, it is auto-updated (so the resulting hashes are equal when the user logs in on WP or phpBB).

Changed/hashed on WP (updated, result is the same on both):

$2a$08$2aCqkcJYCM9lcUaZopqz2usSZoIb.Tw/Cj1e.1D8N7oWQzB4g7a1q
$2a$08$2aCqkcJYCM9lcUaZopqz2usSZoIb.Tw/Cj1e.1D8N7oWQzB4g7a1q

Works when logging in on WP, fails on phpBB.

Changed/hashed in phpBB (updated, result is the same on both with the same test pass):

$2y$10$PCfuM2rQOTJNfJ01Ms0hfeSkGPnq9pVZ6/WIOvj/eUTGYpKha9i0O
$2y$10$PCfuM2rQOTJNfJ01Ms0hfeSkGPnq9pVZ6/WIOvj/eUTGYpKha9i0O

Works when logging in on phpBB, does not work when logging in on WP.

Hashing in phpBB or WP a different pass like this (which does not contain some types of chars, and is also correctly updated in this case):

Test Pass:
zVg%)4hK$wvDhEmr

works on both. Does anyone have an idea?
Do not take me too serious
Anyway i do not like Discourse

Post by Noxwizard »

phpBB no longer uses phpass, though we never supported the blowfish format of phpass. In phpBB 3.1, we moved to bcrypt and continue to use it: https://github.com/phpbb/phpbb/blob/3.2 ... bcrypt.php
While phpBB can support the $2a$ format of bcrypt, yours uses a cost factor of 8, while we require one of at least 10. That would cause the password hash to be recomputed and converted to the $2y$ format, which WordPress would not be able to use.

Post by axe70 »

Looking to resolve ... Noxwizard, thank you for pointing me the right way!

P.S. I still have not understood why it fails with some chars and not with some others.

Post by axe70 »

So, I have just tried a code snippet that should check for a correct phpBB-hashed bcrypt password.
The password I am testing is the same as the other day, so: zVg%)4hK$wvDhEmr^?=)&
I've tried out a simple class, which is the phpBB bcrypt.php slightly modified to keep only what is necessary to check the hash against a plain password.
I've looked at the values passed to crypt() in phpBB's hash(), which of course returns the correct hashed password in phpBB after

Code:

$hash = crypt($password, $salt);

The same values are passed to crypt(), in its analogous hash() call to re-hash the password and check against it, in the external snippet class I've made, and also in this one, which is maybe where the phpBB bcrypt class comes from (or maybe not): https://github.com/cosenary/Bcrypt-PHP-Class

The resulting salt, as on phpBB, for the password zVg%)4hK$wvDhEmr^?=)& is:
$2y$10$fYJ2TnS2hlCG1XVGuCWXsu

but my snippet class code, and also the linked class above, after crypt()

Code:

$hash = crypt($password, $salt);

in public function hash($password, $salt = ''), where the same values are passed at this point as on phpBB (plain pass and salt), return a different result:

My snippet code and the linked class both return:
hash = $2y$10$fYJ2TnS2hlCG1XVGuCWXsunA9bIS9Feok1A1k8hhNF5VAM3FBNblO

On phpBB, crypt($password, $salt) returns:
hash = $2y$10$fYJ2TnS2hlCG1XVGuCWXsuIMWDG6iN3ky.UnINT5H6ibXMpRkQfeu

Any hint?

Post by canonknipser »

Maybe it is the HTML special char "&" in the password, which may be sanitized in phpBB calls and therefore leads to different results in phpBB and WP?

Maybe?
Greetings, Frank

Post by axe70 »

This is it! I thought it was done at one point with utf8_encode; I had thought it might be, but looking into it now ... it was not done. Awesome! Big thanks to you ;)

Post by silenus »

canonknipser wrote: Tue Feb 21, 2017 7:45 pm
Maybe it is the HTML special char "&" in the password, which may be sanitized in phpBB calls and therefore leads to different results in phpBB and WP?

Maybe?

Hi,

I have the same needs as axe70, and reached this topic.

Effectively, a password containing an '&' character causes a disruption.

After analysing the phpBB code, the solution to verify a user password is:

Code:

if (hash_equals($hashpassword, crypt(htmlspecialchars($user_password, ENT_COMPAT, 'UTF-8'), $hashpassword))) {
    // the password is correct
}

$hashpassword is the password stored in the phpbb3_users table.
$user_password is the password you want to verify.

Best regards.
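
Added example (not part of any post above, and not phpBB or WordPress code): it reproduces the two mismatches discussed in this thread, the HTML-escaped '&' and the cost factor below 10, using the test passwords and hashes posted above. The function names are hypothetical, and the hashes in the first loop are constructed at run time.

```php
<?php
// Added example; function names are hypothetical, not phpBB or WordPress APIs.

// The thread's finding: phpBB hashes the HTML-escaped password, so a
// trailing '&' reaches bcrypt as '&amp;'.
function phpbb_escaped(string $plain): string
{
    return htmlspecialchars($plain, ENT_COMPAT, 'UTF-8');
}

// Check a plaintext against a stored bcrypt hash in both input forms.
function check_both_forms(string $plain, string $stored): array
{
    return [
        'raw'     => password_verify($plain, $stored),
        'escaped' => password_verify(phpbb_escaped($plain), $stored),
    ];
}

// Read variant and cost from a bcrypt hash; null if it is not well formed.
function bcrypt_params(string $hash): ?array
{
    if (!preg_match('#^\$(2[abxy])\$(\d\d)\$[./A-Za-z0-9]{53}$#D', $hash, $m)) {
        return null;
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2]];
}

// Constructed hashes of the thread's two test passwords: one side hashes
// the raw string at cost 8, the other the escaped string at cost 10.
foreach (['zVg%)4hK$wvDhEmr^?=)&', 'zVg%)4hK$wvDhEmr'] as $pw) {
    $rawHash = password_hash($pw, PASSWORD_BCRYPT, ['cost' => 8]);
    $escHash = password_hash(phpbb_escaped($pw), PASSWORD_BCRYPT, ['cost' => 10]);
    printf("%s\n  raw-side hash:     %s\n  escaped-side hash: %s\n", $pw,
        json_encode(check_both_forms($pw, $rawHash)),
        json_encode(check_both_forms($pw, $escHash)));
}

// The two hashes posted in the thread: a cost below the minimum of 10
// means the hash is recomputed on login, as described in the reply above.
$posted = [
    '$2a$08$2aCqkcJYCM9lcUaZopqz2usSZoIb.Tw/Cj1e.1D8N7oWQzB4g7a1q',
    '$2y$10$PCfuM2rQOTJNfJ01Ms0hfeSkGPnq9pVZ6/WIOvj/eUTGYpKha9i0O',
];
foreach ($posted as $hash) {
    $p = bcrypt_params($hash);
    printf("%s cost=%d below_min=%s\n", $p['variant'], $p['cost'],
        $p['cost'] < 10 ? 'yes' : 'no');
}
```

A bridge that verifies against the hash stored by phpBB has to apply the same escaping before calling crypt() or password_verify(); with ENT_COMPAT that also changes <, > and " in a password, not only &.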