SALT Value for creating Passwords

Need some custom code changes to the phpBB core simple enough that you feel doesn't require an extension? Then post your request here so that community members can provide some assistance.

NOTE: NO OFFICIAL SUPPORT IS PROVIDED IN THIS SUB-FORUM
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

NOTE: NO OFFICIAL SUPPORT IS PROVIDED IN THIS SUB-FORUM
effixx
Registered User
Posts: 7
Joined: Sat Feb 10, 2024 5:02 pm

SALT Value for creating Passwords

Post by effixx »

Hello,
I am currently facing the problem of transferring users from a very old forum to phpBB3.3.9. After a few analyses I have pretty much managed to do this. But now I'm still facing the problem of re-encrypting the passwords that were stored in plain text in the old system. Where can I read out the required SALT value?

Franz
effixx
Registered User
Posts: 7
Joined: Sat Feb 10, 2024 5:02 pm

Re: SALT Value for creating Passwords

Post by effixx »

Well I found the phpbb_users.user_form_salt field while searching for a solution.
Can anyone tell me if this value is used as SALT for login ?
This leads to the next question how is this value generated randomly ?
User avatar
AmigoJack
Registered User
Posts: 6127
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: SALT Value for creating Passwords

Post by AmigoJack »

effixx wrote: Sat Feb 17, 2024 11:51 amre-encrypting the passwords that were stored in plain text
Neither is that "re"encryption, nor does phpBB encrypt password - it stores a hash of it, that's also where salt starts to make sense.
effixx wrote: Sat Feb 17, 2024 11:51 amWhere can I read out the required SALT value?
It differs per used algorithm (driver) and per user (as in: it's not set globally, as that would be pepper, not salt), otherwise 2 same passwords would end in the same hash, making it easy to break it once and then use it for other accounts, too.

Since phpBB comes in files, simply use a better text editor and search all those files for text of your interest, like salt. The results are all the file's lines which match your search. Then just check each to see if the context is nearest to your interest. In this case I'd look at the database tables - since a user password is most likely stored in such a table, I'd look at the column names and then have candidates to search for, since the PHP code must at one point make use of those column names - I'd search for user_password.

Long story short: you don't need to know. Instead you may have found /phpBB/includes/acp/acp_users.php since the ACP's user module is able to set a user's password right away. Finding line 990 shows us how to just generate the hash out of a password. Since we can code we know the variable must first be declared somewhere, which is on line 896. In sum we have:

Code: Select all

$passwords_manager = $phpbb_container->get('passwords.manager');  // Line 896: instantiate generator with a default algorithm
$new_hash = $passwords_manager->hash('new_password');             // Line 990: calculate hash of input text to be stored
How to store then the content of $new_hash in the database's proper dataset shouldn't be a challenge to you.
effixx wrote: Mon Feb 19, 2024 12:02 pmif this value is used as SALT for login ?
Yes: it is neither used for password hashes, nor for the login in particular, but instead (as the name suggests) for HTML forms (including the one you submit with your credentials). Its purpose is to secure phpBB against cross-site request forgery insofar that forms upon rendering always carry a unique ID that must match the stored one, when processing that submitted form. This also prevents harm when submitting the same form twice (like for deleting something).

The user password is not only used for logging in to the board - it is also used for changing the account email address, the account password itself and accessing the ACP.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
effixx
Registered User
Posts: 7
Joined: Sat Feb 10, 2024 5:02 pm

Re: SALT Value for creating Passwords

Post by effixx »

Hello AmigoJack,
as I said, I am fairly new to this business. So it may be that I ask the totally flat questions. It's not about cracking the passwords but I wanted to make the passwords available to the users again.
In the version phpBB1.0.x on MS database the passwords are still in plain text. But if that doesn't work then you just have to request a new password.
User avatar
AmigoJack
Registered User
Posts: 6127
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: SALT Value for creating Passwords

Post by AmigoJack »

effixx wrote: Tue Feb 20, 2024 1:08 pmnew to this business
For me this is too vague: does "this" mean phpBB? PHP? Passwords? Hashes? Programming in general? Databases? Conversions? So I have to draw the line somewhere and guess you'll reply when you're stuck with specific problems. I should even have the phpBB1 somewhere, so unless you quote relevant code I could even analyze those. But it should be possible to upgrade from v1 to v2 and then from v2 to v3.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
effixx
Registered User
Posts: 7
Joined: Sat Feb 10, 2024 5:02 pm

Re: SALT Value for creating Passwords

Post by effixx »

Ok, I can understand that, here is my IT CV. I'm 65 years old and have allowed myself to be "beaten wide open" to revitalise an old forum. I studied computer science, but at a time when the Internet and mobile phones were the highest level of thought for Spaceship Enterprice. I've been through a lot in programming. ( C, Pascal, 360Assambler, Iseries RPG , Cobol, Delphi, C++ , C# , Java ) and PHP is not much different, so no problem.
I very quickly realised that the old system was quite "programmed". That's why my approach was to use only the data and rebuild it accordingly.
I use a Java ETL tool ( Talend Open Studio ) and a lot is already implemented and converted.
But of course there is still a lot to do regarding ACL and so on.

Return to “phpBB Custom Coding”