Password encryption changed from RC1 to RC7?

Post by Timmer »

I have written several Perl scripts that work with my PHPBB3 user database. (These scripts are for my own custom functions like calendar and restaurant reviews.) To authenticate, the scripts prompt for the user's forum username and password.

This worked fine until I upgraded from RC1 to RC7. Something has changed and now my Perl scripts no longer function.

The Perl code for converting password input to MD5 encryption looks like this:

Code:

use Digest::MD5;

# Hash the submitted password with plain, unsalted MD5 (the format RC1 stored)
my $md5 = Digest::MD5->new;
$md5->add($data{password});
$password = $md5->hexdigest;

I noticed that the password stored in the "user_password" field looks different now.

Here are before and after values for the SAME encrypted password:

Old (RC1): 7fac4455e59a7ac01e13366e201134f5
New (RC7): $H$7mcRc/ahQU28ZECkgvH9JmUmbBlmWg1

My question: How can I use Perl to convert a password to the new encryption format?

Thanks!

Re: Password encryption changed from RC1 to RC7?

Post by zeroK »

The whole password generation/checking has been changed with RC6/7. You can see the implementation details in the includes/functions.php's phpbb_check_hash function (or to be more precise in the _hash_crypt_private function). The code should be pretty straight forward to port to Perl IMO :-)

Re: Password encryption changed from RC1 to RC7?

Post by Timmer »

I've tried to port this on my own but I'm having trouble. Can anyone help?

Re: Password encryption changed from RC1 to RC7?

Post by Timmer »

Clarification: I just need the Perl code that will take a password (as input by the user), convert it as necessary, and check it against the password stored in the user_password field in the phpbb_users table.

This is basically a check to authenticate the user (by username and password) to use a stand-alone Perl script I wrote that shares the PHPBB3 account information (so no separate registration is required).

The stand-alone script does not create accounts, so I don't need it to do any of the other password stuff. Also, this has nothing to do with trying to decrypt and/or read passwords stored in the database.

Thanks!

Re: Password encryption changed from RC1 to RC7?

Post by Timmer »

Is there any chance at all some kind soul can help me with this? If not, I'm going to have to sever the tie from my applications with the PHPBB3 database. This will mean my users will have to maintain two DIFFERENT accounts to use all of the features of my web site.

Thanks!

Re: Password encryption changed from RC1 to RC7?

Post by Timmer »

Last edited by darcie on Wed Nov 28, 2007 3:27 am, edited 1 time in total.
Reason: recruiting removed

Re: Password encryption changed from RC1 to RC7?

Post by EXreaction »

I don't know anything about Perl, so I can't help you there, but this is the hashing system which is now used by phpBB3:
http://www.openwall.com/phpass/

Maybe you can find some information on their site...
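
The check asked for in this thread, written against the portable phpass format that the $H$ value above uses (an added example, not code from the thread, from phpBB or from Openwall). The function names are this example's own; the alphabet, 8-character salt and iterated MD5 follow the phpass portable scheme, and the fallback branch is this example's choice for 32-character hex MD5 rows like the RC1 value.

```perl
#!/usr/bin/perl
# Added example: verify a phpBB3 user_password value (phpass "portable" format).
use strict;
use warnings;
use Digest::MD5 qw(md5 md5_hex);

my $ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

# phpass base64 variant: bytes are packed little-endian, 6 bits per character.
sub encode64 {
    my @b = unpack 'C*', shift;
    my $out = '';
    for (my $i = 0; $i < @b; $i += 3) {
        my $v = $b[$i] | (($b[$i + 1] // 0) << 8) | (($b[$i + 2] // 0) << 16);
        my $n = @b - $i >= 3 ? 4 : @b - $i + 1;    # chars emitted for this group
        $out .= substr($ITOA64, ($v >> (6 * $_)) & 0x3f, 1) for 0 .. $n - 1;
    }
    return $out;
}

# Recompute the hash from the cost and salt embedded in $setting
# (layout: "$H$" or "$P$", one cost character, eight salt characters).
sub phpass_hash {
    my ($password, $setting) = @_;    # $password must be a byte string
    return unless $setting =~ m{\A\$[HP]\$([./0-9A-Za-z])([./0-9A-Za-z]{8})};
    my ($log2, $salt) = (index($ITOA64, $1), $2);
    return if $log2 < 7 || $log2 > 30;
    my $count = 1 << $log2;
    my $hash  = md5($salt . $password);
    $hash = md5($hash . $password) while $count--;
    return substr($setting, 0, 12) . encode64($hash);
}

sub check_password {
    my ($password, $stored) = @_;
    # 34-char values are phpass; anything else is treated as a legacy hex MD5 row.
    my $computed = length($stored) == 34 ? phpass_hash($password, $stored) : md5_hex($password);
    return 0 unless defined $computed && length($computed) == length($stored);
    my $diff = 0;    # compare every character, no early exit
    $diff |= ord(substr($computed, $_, 1)) ^ ord(substr($stored, $_, 1)) for 0 .. length($stored) - 1;
    return $diff == 0 ? 1 : 0;
}

# Known-answer vector from the phpass distribution's test.php, plus a constructed wrong guess.
my $vector = '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0';
printf "correct password: %s\n", check_password('test12345', $vector) ? 'match' : 'no match';
printf "wrong password:   %s\n", check_password('test12346', $vector) ? 'match' : 'no match';
```

The cost is read from the stored value itself: the "7" after $H$ in the RC7 hash quoted above is position 9 in the alphabet, so that row uses 2^9 = 512 MD5 rounds. Pass the password as the raw bytes the user submitted.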

Re: Password encryption changed from RC1 to RC7?

Post by Timmer »

EXreaction wrote: Maybe you can find some information on their site...

Thanks. I truly appreciate the reply. I've been to that site and found it to be over my head. Also, I tried installing a Perl module from that site but my web server chokes on the install. :(

Re: Password encryption changed from RC1 to RC7?

Post by EXreaction »

Is it possible to have the PHP script separate, then call the file/function from a Perl script and get a result?

I would think it would be pretty easy to call a PHP script and send it the password/encrypted password via a GET or POST variable, then check the result.

It might not be the nicest thing to do, but it would work. :)

Re: Password encryption changed from RC1 to RC7?

Post by Timmer »

That is a clever idea. Seems a little kludgy but I'll consider it if absolutely necessary.

Am I really the only one in this boat? No one else out there has Perl scripts that share the username and password fields from the PHPBB3 users table?

This situation is really hurting my site. I'm getting lots of emails from members asking why their passwords on the event calendar and restaurant guide no longer work.

Re: Password encryption changed from RC1 to RC7?

Post by EXreaction »

You could also change the hashes back to MD5 (though, it isn't nearly as secure, but it is another possibility). :)

I don't think it would require too many edits, but you'd need to find a way to reset all the passwords on the forum.

Re: Password encryption changed from RC1 to RC7?

Post by Timmer »

Again I thank you for the reply. I appreciate your creative outside-the-box thinking. :)

I'm still hoping some kind soul will magically show up and care enough to help me solve this small problem. Meanwhile the complaints from my users continue to roll in. :(

Re: Password encryption changed from RC1 to RC7?

Post by Timmer »

It seems no one has the answer to this problem. (Needing the few short lines of Perl code to allow me to share the PHPBB password with my stand alone Perl applications so my members won't have to maintain two different accounts.)

So I was thinking perhaps we could approach the problem in a slightly different way. I don't understand what the new "hashing" and stuff in RC6 or RC7 is doing. Perhaps if what was going on could be explained I might be able to work out the Perl code by myself.

ANY help with this ongoing problem for me would be deeply appreciated. :)

Re: Password encryption changed from RC1 to RC7?

Post by Marshalrusty »

I'm not sure what it is that you want us to do. If you're looking for someone to port the new password hashing mechanism to Perl, then you're in the wrong place.

The new password hashing mechanism is not simple. It took me over an hour of digging through files to figure out how it worked and what it does. Thanks to the usage of functions, it's not particularly difficult to use the system in an external script (using php). It's not easy, however, to completely rewrite the entire system in another language.

In essence, I'm not sure how we can help you. If you have any specific questions about the way the new hashing process works, I'll be happy to answer them. Otherwise, you might want to try a board that's dedicated to Perl.

Re: Password encryption changed from RC1 to RC7?

Post by Timmer »

Like I said, I wondered if I'm the only one out there impacted by this problem. The first person who replied told me it would be "pretty straight forward to port to Perl." Now you are saying it is not.

If I am the only one, then I guess that's it. It's my problem and no one is willing to try to help.

It has been weeks that functions on my web site have been disabled because of this. Without a solution I'll be forced to implement and maintain TWO accounts per web site user, and that's just silly. Worse, it will be a support nightmare, judging by the number of people that already have problems keeping just one username and password straight. They'll really eat up my time once they have to worry about two sets of logins.

:(

Thanks for the reply.