The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.2.25 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/printthread.php 16 require_once
Warning [2] Undefined property: MyLanguage::$archive_pages - Line: 2 - File: printthread.php(287) : eval()'d code PHP 8.2.25 (Linux)
File Line Function
/printthread.php(287) : eval()'d code 2 errorHandler->error
/printthread.php 287 eval
/printthread.php 117 printthread_multipage



UserSpice
MD5 password Login - Printable Version

+- UserSpice (https://userspice.com/forums)
+-- Forum: Support Center (https://userspice.com/forums/forumdisplay.php?fid=23)
+--- Forum: UserSpice 4.3 and Below (https://userspice.com/forums/forumdisplay.php?fid=26)
+--- Thread: MD5 password Login (/showthread.php?tid=530)

Pages: 1 2 3


MD5 password Login - Jamie - 04-17-2017

Hello,

So I'm trying to get the login page to allow md5 password logins, I'm integrating a database of over 3,000 users and we're still using md5 hashing (yes I know, not the most secure thing), but I'm hoping with UserSpice I can shortly do things such as integrate bcrypt etc...

At the moment I have to stick to MD5 hashing, I'm unable to get it to allow me to login with MD5, no matter what modifications I make, please could you point me the correct codes to change to get md5 passwords to work in the login form, I've gotten them to function on other pages such as registration etc..


MD5 password Login - mudmin - 04-17-2017

I would definitely not modify the userpice "core" code (i.e. the stuff in the users folder). There are better ways to do this.

There are a few ways to attempt it...

1. (Easiest) use the regular login form and put up a message telling people that if their password doesn't work, they should use the "forgot password" link and it will give them a bcrypt password.

2. Write a custom version of login.php (putting it in the usersc folder) that checks their md5 password and then immediately changes their password over to bcrypt.

3. We could work on some sort of "force password reset" feature also.

Let me know what you're thinking and I'll help you figure it out. Either way, you don't want to leave them as md5.


MD5 password Login - Jamie - 04-17-2017

Thanks for the reply, it's to do with a multiplayer game we have, issue being we currently can't convert the hashing on the server, we need something like UserSpice so people can securely change their weak MD5 passwords into something more secure.


MD5 password Login - mudmin - 04-17-2017

So is the goal to not have any md5 at the end of it or do you need to be able to have md5 and bcrypt at the same time?


MD5 password Login - Jamie - 04-17-2017

In need of MD5 right now, we'll be moving to bcrypt ASAP but this is like literally something I urgently need.
I've figured out how to get Userspice to register with md5, just can't figure out how to get it to login with it, would really appreciate your help.

I know that you probably don't want to see someone use md5 and I know it's awful hashing, but this is something I urgently need, our server and client is md5 at the moment and we're working on converting over soon but right now we just need to be able to have MD5 on the site.



MD5 password Login - mudmin - 04-17-2017

Can you send me a copy of the files you've changed on pastebin so I can make sure we're working from the same data set?


MD5 password Login - Jamie - 04-17-2017

Hi, thanks for replying so fast again.
All I did was change the hash from password_encrypt to md5 and remove a variable from the end for register and that's all,
I don't have a clue what to change to get it to allow me to sign in with md5 passwords, so I've left it as it is. Just need to know which file to change and what code and what to, much appreciated.


MD5 password Login - mudmin - 04-17-2017

Ok. I can't believe I'm doing this. haha.

The following files need to be patched (and therefore you need to be careful about updating these particular files).
admin_users.php
User class
fb-callback.php
forgot_password_reset
join.php
user_settings.php


You will have to go into the userspice database and manually change the two default accounts passwords to "password" which has an md5 hash of
5f4dcc3b5aa765d61d8327deb882cf99

From there, you can change the passwords via normal means.

You sound like you understand the risks of doing this, so I'll just say use this at your own risk Smile

Here's your patch.
https://userspice.com/patch/md5.zip



MD5 password Login - Jamie - 04-17-2017

Jesus, thank you so much, you're a life-saver. And yes I do, hence we're working to get our server and client hash changed, we just are a bit stuck and overworked right now.

Thanks a lot I really appreciate it.


MD5 password Login - mudmin - 04-17-2017

Absolutely. And no problem. Just FYI, when you do decide to migrate, the best thing to do is notice that bcrypt passwords begin with $2y$ so you can have something check to see if their password in the db begins with that and if not, it will just convert it.

I obviously didn't test everything in that patch, but I was able to create, login, logout, and change passwords so it should be pretty close to what you need.