Hi,

I want to make another sign-up page which is linked to the Social Engine database, but when I MD5 the password and store it in the se_users table, the user can't log in. I believe that Social Engine has another encryption method. Can someone please give me a function to encrypt passwords the Social Engine way?

This is their function, but I don't know how to implement it in my script:

function user_password_crypt($user_password)
{
  global $setting;

  if( !$this->user_exists )
  {
    // New account: use the configured method and generate a fresh salt
    $method = $setting['setting_password_method'];
    $this->user_salt = randomcode($setting['setting_password_code_length']);
  }
  else
  {
    // Existing account: keep the method the account was created with
    $method = $this->user_info['user_password_method'];
  }

  // Default (method 0): unsalted password; also guarantees $salty_password
  // is defined before the md5() call below
  $salty_password = $user_password;

  // For new methods
  if( $method>0 )
  {
    if( !empty($this->user_salt) )
    {
      // Split the salt in half: left half before, right half after the password
      list($salt1, $salt2) = str_split($this->user_salt, ceil(strlen($this->user_salt) / 2));
      $salty_password = $salt1.$user_password.$salt2;
    }
    else
    {
      $salty_password = $user_password;
    }
  }

  $user_password_crypt = md5($salty_password);

  return $user_password_crypt;
}

Thanks

A: 

They are appending and prepending salts to the password before they run it through MD5.

This is how the salt is generated; it looks like a random string whose length is specified in the application configuration:

$this->user_salt = randomcode($setting['setting_password_code_length']);

Here they split one salt in half, and put the left side before the password and the right side after:

list($salt1, $salt2) = str_split($this->user_salt, ceil(strlen($this->user_salt) / 2));
$salty_password = $salt1.$user_password.$salt2;

Now they hash the salted password:

$user_password_crypt = md5($salty_password);

What you would have to do, in order to decrypt this correctly, is to read the salt for that user.

$username = $_POST['username'];
$password = $_POST['password'];
$user = get_user_from_database($username);

// Split the stored salt exactly as Social Engine does
list($salt1, $salt2) = str_split($user->salt, ceil(strlen($user->salt) / 2));

// Recompute the salted MD5 of the submitted password
$salted_password = md5($salt1.$password.$salt2);

// Constant-time comparison of the two hash strings
if(hash_equals($user->crypted_password, $salted_password)) {
  echo "Login successful";
} else {
  echo "Invalid password";
}

Here is the Wikipedia page on salts in cryptography.

Jesse Dhillon
Hi, thanks for your answer, but how will the generated MD5 hash always be the same if a part of it is a random code?
David Smith
It's not random every time. The first time that the user account is created, a random code is generated and saved along with the password. Every time you get the user's information, his salt will be the same string that you generated the first time, not random again.
Jesse Dhillon
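The whole flow described in this answer (generate a salt once at sign-up, split it, hash, then reuse the stored salt at login) as a stand-alone PHP example; this is added code, not Social Engine's, and the field names, the randomcode() stand-in and the default code length are assumptions.

```php
<?php
// Added example: reproduce Social Engine's salted-MD5 scheme so an external
// sign-up page stores records the existing login code will accept.

// Stand-in for Social Engine's randomcode(): random alphanumeric string
// of the configured length (setting_password_code_length).
function se_random_code(int $length): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $code;
}

// Same split as user_password_crypt(): left half (rounded up) before the
// password, right half after, then MD5. substr() gives the same halves as
// str_split() and also copes with a one-character salt.
function se_password_hash(string $password, string $salt): string
{
    if ($salt === '') {
        return md5($password);              // legacy unsalted path (method 0)
    }
    $half  = (int) ceil(strlen($salt) / 2);
    $salt1 = substr($salt, 0, $half);
    $salt2 = substr($salt, $half);
    return md5($salt1 . $password . $salt2);
}

// Sign-up: generate the salt ONCE and store it next to the hash.
// Column names are assumed; check them against your se_users table.
function se_new_user_record(string $password, int $codeLength = 8): array
{
    $salt = se_random_code($codeLength);
    return [
        'user_salt'            => $salt,
        'user_password'        => se_password_hash($password, $salt),
        'user_password_method' => 1,        // > 0 selects the salted branch
    ];
}

// Login: reuse the stored salt, recompute, compare in constant time.
function se_verify_password(array $user, string $password): bool
{
    $candidate = se_password_hash($password, $user['user_salt']);
    return hash_equals($user['user_password'], $candidate);
}

// Constructed demo values.
$record = se_new_user_record('correct horse');
var_dump(se_verify_password($record, 'correct horse'), se_verify_password($record, 'wrong'));
```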
A: 

A couple things:

Are you storing the MD5 hash of the user password? According to the code you posted, Social Engine is salting the hash (a method to prevent rainbow tables).

As an aside, an MD5 hash is not a cryptographically secure way to hash a password. Further, hashing passwords on login and transmitting the hash is no more secure than passing the password in plaintext. In order to log in securely, you will need to do your logins over HTTPS (or, less correctly, by encrypting the password).

Alan