Hello,
So I'm trying to get the login page to allow md5 password logins, I'm integrating a database of over 3,000 users and we're still using md5 hashing (yes I know, not the most secure thing), but I'm hoping with UserSpice I can shortly do things such as integrate bcrypt etc...
At the moment I have to stick to MD5 hashing, I'm unable to get it to allow me to login with MD5, no matter what modifications I make, please could you point me the correct codes to change to get md5 passwords to work in the login form, I've gotten them to function on other pages such as registration etc..
I would definitely not modify the userpice "core" code (i.e. the stuff in the users folder). There are better ways to do this.
There are a few ways to attempt it...
1. (Easiest) use the regular login form and put up a message telling people that if their password doesn't work, they should use the "forgot password" link and it will give them a bcrypt password.
2. Write a custom version of login.php (putting it in the usersc folder) that checks their md5 password and then immediately changes their password over to bcrypt.
3. We could work on some sort of "force password reset" feature also.
Let me know what you're thinking and I'll help you figure it out. Either way, you don't want to leave them as md5.
Thanks for the reply, it's to do with a multiplayer game we have, issue being we currently can't convert the hashing on the server, we need something like UserSpice so people can securely change their weak MD5 passwords into something more secure.
So is the goal to not have any md5 at the end of it or do you need to be able to have md5 and bcrypt at the same time?
In need of MD5 right now, we'll be moving to bcrypt ASAP but this is like literally something I urgently need.
I've figured out how to get Userspice to register with md5, just can't figure out how to get it to login with it, would really appreciate your help.
I know that you probably don't want to see someone use md5 and I know it's awful hashing, but this is something I urgently need, our server and client is md5 at the moment and we're working on converting over soon but right now we just need to be able to have MD5 on the site.
Can you send me a copy of the files you've changed on pastebin so I can make sure we're working from the same data set?
Hi, thanks for replying so fast again.
All I did was change the hash from password_encrypt to md5 and remove a variable from the end for register and that's all,
I don't have a clue what to change to get it to allow me to sign in with md5 passwords, so I've left it as it is. Just need to know which file to change and what code and what to, much appreciated.
Jesus, thank you so much, you're a life-saver. And yes I do, hence we're working to get our server and client hash changed, we just are a bit stuck and overworked right now.
Thanks a lot I really appreciate it.
Absolutely. And no problem. Just FYI, when you do decide to migrate, the best thing to do is notice that bcrypt passwords begin with $2y$ so you can have something check to see if their password in the db begins with that and if not, it will just convert it.
I obviously didn't test everything in that patch, but I was able to create, login, logout, and change passwords so it should be pretty close to what you need.
