PDA

View Full Version : MD5 Encrypted Passwords


CoffeeMugDude
29 Jul 2001, 18:35
Being an old-fashioned sysadmin, I feel better in the mornings if I cannot view my user's passwords. :D

After installing vBulletin, I was disturbed to find that passwords were stored in cleartext. So, I made a couple of modifications, to ensure that only MD5 encrypted passwords were stored in the database.

I didn't think much of it at the time, I was sure someone had released a hack already. When browsing the VB forums, however, I found that a lot of people wanted a solution like mine.

The main issue of concern seemed to be "But now the lost-password function won't work!"

I put in place a random, "pronounceable password generator" (http://www.phpbuilder.com/columns/jesus19990502.php3) I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database.

I chose MD5 because I'm fond of the concept of "one-way" encryption.

Now, no admin can see a member's password. :-)

Enjoy!

(Instructions, and a database-update script are included in the .zip file at http://www.coffeeintherain.com/scripts/md5_hack.zip )

thewitt
29 Jul 2001, 18:51
Though I have not installed it yet, just looking through the code and the installation instructions, it appears to be very well done!

You are a class act CoffeeMugDude.

Thank you!

-t

CoffeeMugDude
29 Jul 2001, 19:24
Oops, I thought I had posted this in the VB2 hacks forum :D

BTW, thanks thewitt!

ThomasP
29 Jul 2001, 19:58
Hi there,

yes, looks really clean & nice - very impressive!
Will install it asap the next days,

Thanks a bunch! :)
-Tom

pogo
02 Aug 2001, 12:10
Little mistake?

The changes in admin/session.php line 109 must be changed in your instructions.htm.

Then it's working fine for me.

VirtueTech
02 Aug 2001, 12:14
Written by CoffeeMugDude
I put in place a random, "pronounceable password generator" I found on PHPBuilder. When a user "loses" their password, a new, random password is generated and emailed to them, and the MD5 encrypted version is saved into the database.


After reading through your first sentences this was my first worry....And you nailed it....this sounds awesome!

Although I find it very helpful at times when dealing with the users to have their password visible for certain situations. Like testing their account as them etc.

pogo
02 Aug 2001, 13:57
Another one.

In member.php the whole "start update password" routine isn't handled.

Find// validate old password
if ($currentpassword!=$bbuserinfo[password]) {and replace it with// validate old password
if (md5($currentpassword)!=$bbuserinfo[password]) {Then find$DB_site->query("UPDATE user SET password='".addslashes($newpassword)."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'");and replace it with$DB_site->query("UPDATE user SET password='".addslashes(md5($newpassword))."',usergroupid='$bbuserinfo[usergroupid]' WHERE userid='$bbuserinfo[userid]'");

creamy
17 Aug 2001, 10:34
ok first thanks for this hack, it totally rocks, and should be in vbulletin as a default feature, not hack...
i got it working now (i hope) but it took some screwing around... so i'm just putting what i did here so others can do the same:

1) do not edit the file sessions.php until AFTER you have run the update password script - you won't be able to log in to run the script if you do...

2) the file encrypt_all_passwords.php is messed up and will crash - search for "$DB_site_new" and replace with "$DB_site" before you run it...

3) the 2nd step of modifying admin/sessions.php is backwards - search for the 2nd part, and replace with the first!

4) the very last editing step says search for something and there is a '{' at the end... it shouldn't be there!!

5) ignore all line numbers - they refer to vbb 2.0.1!

6) do what Pogo says right above my post... he probably knows what he's talking about :) (but why didn't he complain about the encrypt_all_passwords.php file?)

now im gonna go see if my forum works still... i'll be back to whine and complain if it doesn't... :D

creamy
17 Aug 2001, 10:38
btw this hack seems better than the other encrypting one - i don't see why i would want to give ppl the choice of having their password in plaintext...

creamy
17 Aug 2001, 10:54
hmm
i made some more mistakes... don't do this:

when doing the first edit, don't take the first search match - you want to take the one at about line 115, in the "email a lost password" section (or whatever it is)

and its still not working 100% so i'll edit this later with more info

creamy
17 Aug 2001, 11:32
um, i can't fix the last part on my own... maybe someone who knows php can help :)

when you tell it to mail you a password, its supposed to generate one from a list of words and mail that one and store it in the database. it's getting stuck on the easy part - opening the list of words.
the instructions say:

Save the files "ppassgen.php", "encrypt_all_passwords.php", and "words.txt" to your VB "admin" directory.

You can use any word list to generate your random passwords, I used my system's /usr/dict/words. Just be sure to save your wordlist to "words.txt" in your "admin" directory.


well i did that, and i checked the chmod incase it matters, but even at 777 it doesn't work. i get this error instead:


Warning: fopen("words.txt","r") - No such file or directory in /home/mod-chi/public_html/admin/ppassgen.php on line 29

Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 37

Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 38

Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 37

Warning: Supplied argument is not a valid File-Handle resource in /home/mod-chi/public_html/admin/ppassgen.php on line 38
(repeating forever)


the code in the first part of ppassgen.php is:


<?
/*
* function ppassgen()
* parameters:
* $words = the name of the file w/ the words (one per line)
* or and array of words
* $min = the minimum number of words per password
* $max = the maximum number of words per password
* $cutoff = the minimum number of characters per word
* $sep = separator for the words in the password
*/

function ppassgen($words= "words.txt", $min=2, $max=4, $cutoff=5, $sep= "_") {


// This is here for cases when we email a password from the admin control panel


if(is_array($words)) {
/* if we have passed and array of words, use it */
$word_arr = "words";
/*
while(list($k,$v) = each(${$word_arr})) {
echo "$k $v<BR>";
}
*/
} else {
/* read the external file into an array */
$fp = fopen($words, "r"); <---------------------------- LINE 29

if (!fp) {
echo "[ERROR}: Could not open file $words<BR>\n";
exit;
} else {
/* assuming words of up to 127 characters */
$word_arr = "ext_arr";
while(!feof($fp)) { <---------------------------- LINE 37
$tword = trim(fgets($fp,128)); <------------------- LINE 38


/* check for minimum length and for exclusion of numbers */
if ((strlen($tword) >= $cut_off) && !ereg( "[0-9]",$tword)) {
$ext_arr[] = strtolower($tword);
}
}
fclose($fp);
}
}




i already tried the following:
not putting quotes around the filename
putting a full path to the words.txt
putting a relative path to words.txt

with no success....

pogo
17 Aug 2001, 14:36
The full path works fine for mefunction ppassgen($words= "/full/path/to/words.txt", $min=2, $max=4, $cutoff=5, $sep= "_") {Yeah, I should have complained about the wrong encrypt_all_pass... file.
And don't forget to check the mod panel index.php. I think you have to modify something there too.

creamy
17 Aug 2001, 20:28
hmm
i might not have put /users/ or whatever at the start of my path, i'll try again...
you know what's the most annoying? this file has code in it to detect if the file open failed, but it's not working

creamy
22 Aug 2001, 08:07
yeah the absolute path to the file works fine...
only problem i have now is when i go to the control panel i have to log in again... dunno if i'm smart enough to figure whats wrong (cookie problem?)
i hope the vbulletin dudes put this in the code soon, i hate hacking my board!

joecrow
24 Aug 2001, 10:10
does this work with vb 2.0.3 ?

pogo
24 Aug 2001, 17:16
yepp.

Raptor
24 Aug 2001, 19:03
it seems pogo had some problems

has the install file been updated with the correct details ?

Raptor
24 Aug 2001, 19:47
i have installed this following creamy/pogos changes and it works 100% perfect

thanks

CoffeeMugDude
27 Aug 2001, 10:00
Hi folks,

I've been on holiday, so this whole thread happened in my absence. Thanks for the feedback. Is anyone still struggling? Would it help if I updated the instructions for 2.0.3 ?

creamy
27 Aug 2001, 10:36
yeah that would probably help a lot... this is a kick-ass hack so keeping it updated is good :)
do you think there could be a problem somewhere? read my earlier post about it making me login again to get into he control panel - this is still happening. not a big problem but might as well fix it if possible.

CoffeeMugDude
27 Aug 2001, 10:58
OK, I'll look at updating the hack this evening...

Umm.. Do you mean that when you access your CP, you are asked for your password, although you are cookied for the normal forums?

My VB has always behaved that way, but if it's optional, I'd suspect that it relates to cookies

creamy
27 Aug 2001, 11:04
correct
i think it's supposed to log you in right away if you're cookied... i'm only 99% sure ;)

CoffeeMugDude
27 Aug 2001, 11:12
Hmm...

I seem to remember reading somewhere about changing the cookie path if your VB path is not your domain. (I.e. "blahblah.com/forums/") I'd fiddle with that.

creamy
27 Aug 2001, 11:35
my forums are like this:
forums.myserver.com
i think you only change the cookie path thing in the control panel if you have server.com/forums1 and server.com/forums2 because then the cookie would be overwritten

WebMasterAJ
01 Sep 2001, 14:19
Hello all,

I installed the hack, and I am having a very strange problem. First, let me state that all the passwords are encrypted, and I can login.

However, I can not login to the admin! When I put in the correct user name and password, it just refreshes the page. However, if I put in an incorrect password, it tells me that its incorrect.

Again, I can login to anyplace on the boards except for the admin... please help!!

Thanks!

DarkReaper
05 Sep 2001, 15:41
I'm having that same exact problem. I'm using the old version of the hack, as I like it not to use dictionary words(not nearly as easy to hack) and it won't let me into the admin CP. Same thing as him, if my password is right, it refreshes the page, if its wrong, it says so...what's with this? :)

rebby
05 Sep 2001, 15:44
does anybody know if this is working it's way into vb 2.0.4 (or later) versions???

encrypted passwords are really the only way to go... i'm not sure why this wasn't the original scheme???

Raptor
26 Sep 2001, 13:37
could Coffeemugdude please post instructions how to de-install this hack

of course easy to revert script changes but what about decrypting all the passwords within the database so it puts everything back to the way it was before ?

rylin
06 Oct 2001, 13:40
Originally posted by Raptor
could Coffeemugdude please post instructions how to de-install this hack

of course easy to revert script changes but what about decrypting all the passwords within the database so it puts everything back to the way it was before ?

lol.. md5 aren't reversible ;)

your only hope would be if you had made a dump of the passwords & userids..

DarkReaper
06 Oct 2001, 20:39
The whole point of this is so that no-one can find the passwords if they're encrypted. If they could be decrypted, wouldn't that defeat the point? :)

Heineken77
08 Oct 2001, 20:37
Has this hack been automatically inserted into vB's v2.0.3 release? I don't see where you can see the passwords anywhere .. encrypted or not!

Heineken77
08 Oct 2001, 20:37
Has this hack been automatically inserted into vB's v2.0.3 release? I don't see where you can see the passwords anywhere .. encrypted or not!

Thanks!! :)
Heineken77

pogo
10 Oct 2001, 12:28
Heineken77 Edit your config.php to be able to see and change passwords.

pogo
10 Oct 2001, 12:34
I updated this hack to 2.0.3

I think I covered every password related part of the script. At least I hope so.

Now you can:
- change your password via usercp
- change the password via cp
- login during reply or new thread

Forgot anything? Please tell me.

Please get the words.txt from the old link!

Heineken77
11 Oct 2001, 01:00
Hey thank you very much for that bro!!

Just a question. What's the harm if admin can see passwords?

Thanks :)

hacker
11 Oct 2001, 03:19
Originally posted by Heineken77
Hey thank you very much for that bro!!

Just a question. What's the harm if admin can see passwords?

Thanks :)

I wouldn't feel confortable if the admin can see my passwords. What is some passwords are the same as my banking accounts, etc?

pogo
11 Oct 2001, 09:23
hacker Then you are very, very dumb.... ;)

hacker
11 Oct 2001, 15:59
Originally posted by Pogo
hacker Then you are very, very dumb.... ;)

Of course not, but if someone has access to the account, from there, he can snoop around and you will never know what info you have left around. There are people who use the same pwds simply because there are too many to remember.

I have a Cisco pix and a Cisco router for home and I encrypt everything...

Heineken77
11 Oct 2001, 20:57
LOL@Bank account ;) hehe

Thanks for the info guys!

Raptor
13 Oct 2001, 13:10
is it at all possible to set this hack up so admin CAN see the passwords but they are still encrypted in the DB ?

and pogo - can i simply overwrite the old version of this hack with your new one ?

i take it i dont have to encrypt the passwords again as of course they are already done

Raptor
13 Oct 2001, 14:44
i think the sessions changes are the wrong way around ?

Raptor
02 Nov 2001, 21:52
Is there a way to upgrade to vb2.2.0 ?

There has been a description posted here for another MD5 hack : http://www.vbulletin.org/forum/showthread.php?s=&threadid=32000

Raptor
03 Nov 2001, 00:09
done :)

how to posted in the above link