How is the password encoded? ... sha1?

Discussion forum for MOD Writers regarding MOD Development.
oOoCheshireCatoOo
Registered User
Posts: 57
Joined: Sun Jul 13, 2008 1:21 pm

How is the password encoded? ... sha1?

Post by oOoCheshireCatoOo »

Hi

Using phpBB3. How are the passwords protected - is it via sha1?

I want to have a check for another part of my website, so I will require forum users to enter their password and username. So I need to compare this info to that in the database, and therefore I need to know how the password is protected so I can compare it.

rough idea:

Code:

if(sha1($password) == $row['password']) {
// cool, they are the user we think they are
}
Thanks
James78
Registered User
Posts: 811
Joined: Sat Jul 30, 2005 4:54 pm
Location: Washington, USA

Re: How is the password encoded? ... sha1?

Post by James78 »

You can find the functions phpBB uses to hash the passwords in functions.php near the top.

Code:

/**
*
* @version Version 0.1 / slightly modified for phpBB 3.0.x (using $H$ as hash type identifier)
*
* Portable PHP password hashing framework.
*
* Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
* the public domain.
*
* There's absolutely no warranty.
*
* The homepage URL for this framework is:
*
*    http://www.openwall.com/phpass/
*
* Please be sure to update the Version line if you edit this file in any way.
* It is suggested that you leave the main version number intact, but indicate
* your project name (after the slash) and add your own revision information.
*
* Please do not change the "private" password hashing method implemented in
* here, thereby making your hashes incompatible.  However, if you must, please
* change the hash type identifier (the "$P$") to something different.
*
* Obviously, since this code is in the public domain, the above are not
* requirements (there can be none), but merely suggestions.
*
*
* Hash the password
*/
function phpbb_hash($password)
{
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

    // 6 random bytes of salt, preferably from /dev/urandom; if that is not
    // readable, fall back to an md5-based generator seeded with unique_id()
    $random_state = unique_id();
    $random = '';
    $count = 6;

    if (($fh = @fopen('/dev/urandom', 'rb')))
    {
        $random = fread($fh, $count);
        fclose($fh);
    }

    if (strlen($random) < $count)
    {
        $random = '';

        for ($i = 0; $i < $count; $i += 16)
        {
            $random_state = md5(unique_id() . $random_state);
            $random .= pack('H*', md5($random_state));
        }
        $random = substr($random, 0, $count);
    }

    // Result layout: '$H$' + 1 char (log2 of the iteration count)
    //                + 8 salt chars + 22 chars of encoded digest = 34 chars
    $hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);

    if (strlen($hash) == 34)
    {
        return $hash;
    }

    // Only reached if the setting string was rejected ('*' returned above)
    return md5($password);
}

/**
* Check for correct password
*
* A 34 character hash is re-computed with the salt and iteration count
* embedded in $hash itself; a 32 character hash is a legacy unsalted md5
* (e.g. an account converted from phpBB2) and is compared directly.
*/
function phpbb_check_hash($password, $hash)
{
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    if (strlen($hash) == 34)
    {
        return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
    }

    return (md5($password) === $hash) ? true : false;
}

/**
* Generate salt for hash generation
*/
function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6)
{
    if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
    {
        $iteration_count_log2 = 8;
    }

    $output = '$H$';
    $output .= $itoa64[min($iteration_count_log2 + ((PHP_VERSION >= 5) ? 5 : 3), 30)];
    $output .= _hash_encode64($input, 6, $itoa64);

    return $output;
}

/**
* Encode hash
*/
function _hash_encode64($input, $count, &$itoa64)
{
    $output = '';
    $i = 0;

    do
    {
        $value = ord($input[$i++]);
        $output .= $itoa64[$value & 0x3f];

        if ($i < $count)
        {
            $value |= ord($input[$i]) << 8;
        }

        $output .= $itoa64[($value >> 6) & 0x3f];

        if ($i++ >= $count)
        {
            break;
        }

        if ($i < $count)
        {
            $value |= ord($input[$i]) << 16;
        }

        $output .= $itoa64[($value >> 12) & 0x3f];

        if ($i++ >= $count)
        {
            break;
        }

        $output .= $itoa64[($value >> 18) & 0x3f];
    }
    while ($i < $count);

    return $output;
}

/**
* The crypt function/replacement
*/
function _hash_crypt_private($password, $setting, &$itoa64)
{
    $output = '*';

    // Check for correct hash
    if (substr($setting, 0, 3) != '$H$')
    {
        return $output;
    }

    $count_log2 = strpos($itoa64, $setting[3]);

    if ($count_log2 < 7 || $count_log2 > 30)
    {
        return $output;
    }

    $count = 1 << $count_log2;
    $salt = substr($setting, 4, 8);

    if (strlen($salt) != 8)
    {
        return $output;
    }

    /**
    * We're kind of forced to use MD5 here since it's the only
    * cryptographic primitive available in all versions of PHP
    * currently in use.  To implement our own low-level crypto
    * in PHP would result in much worse performance and
    * consequently in lower iteration counts and hashes that are
    * quicker to crack (by non-PHP code).
    */
    if (PHP_VERSION >= 5)
    {
        $hash = md5($salt . $password, true);
        do
        {
            $hash = md5($hash . $password, true);
        }
        while (--$count);
    }
    else
    {
        $hash = pack('H*', md5($salt . $password));
        do
        {
            $hash = pack('H*', md5($hash . $password));
        }
        while (--$count);
    }

    $output = substr($setting, 0, 12);
    $output .= _hash_encode64($hash, 16, $itoa64);

    return $output;
} 
Last edited by James78 on Fri Sep 19, 2008 6:25 pm, edited 1 time in total.
If you encounter what is/or you think is a bug, please report it to the phpBB Bug Tracker
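To make the stored format concrete, here is an added example (editor's code, not phpBB's and not part of the thread) that decodes the fields of a phpBB 3.0.x password hash using the same layout `_hash_crypt_private()` above checks: a `$H$` prefix, one character giving log2 of the MD5 iteration count, 8 salt characters and 22 characters of base64-style digest, 34 characters in all. A 32-character hex string is a legacy unsalted md5 that `phpbb_check_hash()` still accepts. The sample hash string at the bottom is constructed for the demo and is not a real hash.

```php
<?php
// Added example: decode the fields of a phpBB 3.0.x password hash.
// Not phpBB code; follows the layout _hash_crypt_private() parses.

function phpbb_hash_info($hash)
{
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

    // 32 hex chars: legacy unsalted md5($password), the fallback format
    // produced by phpbb_hash() and accepted by phpbb_check_hash().
    if (strlen($hash) == 32 && ctype_xdigit($hash))
    {
        return array('type' => 'md5', 'salted' => false, 'iterations' => 1);
    }

    if (strlen($hash) != 34 || substr($hash, 0, 3) != '$H$')
    {
        return false; // not something phpbb_check_hash() can verify
    }

    // Character 4 is the index into $itoa64 of log2(iteration count).
    // _hash_crypt_private() rejects anything outside 7..30 with '*'.
    $count_log2 = strpos($itoa64, $hash[3]);
    if ($count_log2 === false || $count_log2 < 7 || $count_log2 > 30)
    {
        return false;
    }

    return array(
        'type'       => 'phpass',
        'salted'     => true,
        'iterations' => 1 << $count_log2,   // '$H$9' => index 11 => 2048 rounds of md5
        'salt'       => substr($hash, 4, 8),
        'digest'     => substr($hash, 12, 22),
    );
}

// Constructed sample: the salt and digest characters are placeholders,
// chosen only to have the right length, not a hash of any password.
$sample = '$H$9abcdefgh' . 'ABCDEFGHIJKLMNOPQRSTUV';
print_r(phpbb_hash_info($sample));
```

The default `$iteration_count_log2` of 6 in `_hash_gensalt_private()` plus 5 on PHP 5 gives index 11, the character `9`, which is why phpBB 3.0.x hashes start with `$H$9` and cost 2048 iterations of md5 to check. Because the salt is stored inside the string, the only way to verify a password is to re-run the hash with that stored setting, which is what `phpbb_check_hash()` does.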
Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Seattle, WA
Name: David Lewis

Re: How is the password encoded? ... sha1?

Post by Highway of Life »

It’s not using MD5, it’s using a special salted hash, but it can “read” MD5 hashes.

To check a password, you would use this basic example:

Code:

$password = request_var('password', '', true);

if (phpbb_check_hash($password, $row['user_password']))
{
    // we can let the user in...
}
else
{
    // the password is incorrect
} 
The phpBB Weekly Podcast - Discussing the developments of phpBB4 and beyond.

New to phpBB3? Want to learn about programing?
Visit phpBB Academy at StarTrekGuide to learn how.
larkitetto
Registered User
Posts: 2
Joined: Fri Sep 19, 2008 11:04 pm

Re: How is the password encoded? ... sha1?

Post by larkitetto »

Hello

I have the same problem and I have found that code to manage passwords and hashes.
During my test I've seen that the hash stored in my db is one string, and the hash function returns a different string.

I'd like to use one user table for my whole project, but at this time my test has failed (it always returned password incorrect).

What can I do?

Thanks
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Re: How is the password encoded? ... sha1?

Post by Phil »

Are you utilizing the phpbb_check_hash function?
Moving on, with the wind. | My Corner of the Web
Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Seattle, WA
Name: David Lewis

Re: How is the password encoded? ... sha1?

Post by Highway of Life »

iWisdom wrote:Are you utilizing the phpbb_check_hash function?
He should be using phpbb_hash to store the password.

phpbb_check_hash to compare the password with the hashed password.
The phpBB Weekly Podcast - Discussing the developments of phpBB4 and beyond.

New to phpBB3? Want to learn about programing?
Visit phpBB Academy at StarTrekGuide to learn how.
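Putting the two functions together into a complete check for a second login form outside the forum directory, as an added example (editor's code, not from the thread and not shipped with phpBB). It assumes a phpBB 3.0.x install at `../forum/` relative to this script (adjust `$phpbb_root_path`), uses the real 3.0.x schema columns `username_clean`, `user_password` and `user_type`, and the dummy hash used for unknown usernames is a constructed string.

```php
<?php
// Added example: verify a forum user's password from a page outside phpBB,
// using phpBB 3.0.x's own environment. Assumes the forum lives at ../forum/.

define('IN_PHPBB', true);
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : '../forum/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);   // loads $db, $user, $auth, request_var(), phpbb_check_hash()

$user->session_begin();
$auth->acl($user->data);

/**
 * Look the user up the way phpBB does (by username_clean) and compare the
 * submitted password with the stored hash via phpbb_check_hash().
 * Returns the user row on success, false otherwise.
 */
function verify_forum_login($username, $password)
{
    global $db;

    // Do not compare against $row['user_password'] with sha1()/md5() yourself:
    // the stored string carries its own salt and iteration count, so
    // phpbb_check_hash() must re-run the hash with those parameters. Two calls
    // to phpbb_hash() on the same password give two different strings; that
    // is expected and is why a stored hash never equals a freshly made one.
    $sql = 'SELECT user_id, username, user_password, user_type
        FROM ' . USERS_TABLE . "
        WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);

    if (!$row)
    {
        // Unknown user: still spend one hash computation so response time
        // does not reveal which usernames exist. Constructed dummy hash:
        // well-formed ('$H$9' + 30 chars) but never matches anything.
        phpbb_check_hash($password, '$H$9' . str_repeat('.', 30));
        return false;
    }

    // Inactive or ignored accounts must not get in even with the right password
    if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
    {
        return false;
    }

    if (!phpbb_check_hash($password, $row['user_password']))
    {
        return false;
    }

    return $row;
}

// Read the form the same way phpBB reads its own login form
$username = request_var('username', '', true);
$password = request_var('password', '', true);

$row = verify_forum_login($username, $password);
if ($row)
{
    // we can let the user in...
}
else
{
    // wrong username or password (say which one is wrong in neither case)
}
```

Because `phpbb_check_hash()` handles both the 34-character `$H$` format and the 32-character legacy md5, the same call works for accounts created in phpBB3 and for accounts converted from phpBB2. If the second form is meant to log the user into the forum itself rather than just check the credentials, `$auth->login($username, $password)` does the lookup, the hash check and the session creation in one call.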
larkitetto
Registered User
Posts: 2
Joined: Fri Sep 19, 2008 11:04 pm

Re: How is the password encoded? ... sha1?

Post by larkitetto »

I'm using the phpBB functions to store the password; I've never touched that.
So I think phpBB uses the phpbb_hash function to store the password.

In addition, I have 2 forms to let the user log in. The first is the phpBB login form (and it works), the second is "mine", on another web page. The input is ok (user and password), but the check is not so easy for me.

Thanks