tags:

views:

1333

answers:

4
Q: 

How can I generate a vBulletin password salt from a md5 hash?

I'm transferring users from my old database to a vBulletin database.

I want a script to do this as it'll take forever otherwise.

I have all the user's passwords stored just like md5(password)

But of course, this doesn't work with vBulletin due to salts etc.

So my code is this:

<?Php
mydatabase_connect();
$select=mysql_query("SELECT * from `users`");
while($user=mysql_fetch_array($select)) {

    forum_connect();
    $check=mysql_query("SELECT * from `user` where `username` = '{$user[username]}'");
    if(mysql_num_rows($check)>="1") {
        echo "fail";
        }else{
        $insert=mysql_query("INSERT into `user` SET `username` = '{$user[username]}', `password` = '{$user[password]}', `email` = '{$user[email]}'");
        if($insert) {
            echo 'success';
            }else{
            echo 'fail';
        }
    }
    mydatabase_connect();
}
?>

How would I change it to work with vBulletin - so I can set a vBulletin user.password field and vBulletin user.salt correctly. Baring in mind that my $user[password] or users.password is stored as an md5 hash of their real, text password.

Thanks!

+1  A: 

If your old system used unsalted hashes, and vBulletin uses salted ones, then if you want users to keep their passwords you will have to modify vBulletin to use unsalted ones too. I'm not familiar with the vBulletin code, but if each user has their own salt value, perhaps just setting this to an empty string will suffice.

Failing that, write a page to enable a user to transition to the new system. You can direct users to a page when their login fails, and it would check their credentials against the old system, and create a new salt and hash for the new system.

Paul Dixon  2009-10-04 14:35:49
Each user does have their own salt value, I would imagine option two is the safest/best choice here. The first solution also means you'll be carrying code changes through every update, which while not necessarily a major problem, poses its own set of challenges over time.
Ross Duggan  2009-10-06 00:50:42
A: 

I don't know if this answer is too late, but you should be able to automatically transfer your passwords into vBulletin.

vBulletin generates its hashes this way:

$hash = md5(md5($plaintext) . $salt);

So, to transfer the users over, do roughly the following:

$salt = /* generate salt */;
$vb_hash = md5($your_old_hash . $salt);

To make it easy on yourself, use vBulletin's salt generation method. It's in the vB_DataManager_User class.

Conor McDermottroe  2010-02-04 20:09:57
A: 

this worked for me

md5(md5(passowrd).salt);

Arslan Hassan  2010-02-18 22:06:33
A: 

How do I find out what the salt value is? I also need to create password or import old ones. How do I get a valid salt value?

Arthur  2010-03-02 17:54:10

related questions

What are some good security questions?
What's a good alternative to security questions?
Protect embedded password
How do you generate passwords?
Should I impose a maximum length on passwords?
How best to generate a random string in Ruby
What is the best way to check the strength of a password?
In a client-server application: How to send to the DB the user's application password?
How does your company manage credentials?
Replacing plain text password for app
How to implement password protection for individual files?
Password generation, best practice
Unique key generation
Generating Random Passwords
Oracle lost sysdba password
How does one decrypt a PDF with an owner password, but no user password?
Storing Windows passwords.
How do I avoid having the database password stored in plaintext in sourcecode?
How do I write Firefox add-on that automatically enters proxy passwords?
How to store passwords in Winforms application?
Two-way password encryption without ssl
Disable browser 'Save Password' functionality
Simple password encryption
Best way to store a database password in a startup script / config file?
Encrypting Passwords