Not logged in. · Lost password · Register
Forum: Support General support RSS
mysql password store
Reply
Reply · Quote John (Guest) 2007-09-14, 01:38 #1
No profile available.
Link to this post
Subject: mysql password store
Has the latest version of unb changed its password settings? Reading back on old posts you would be mistaken for thinking that decoding hashed passwords would be easier than it is (I can't work it out). I found the sample password hashed code and typed in "password" as password and they didn't match. Instead I got: 179667ba1a7c515bA:51bf13e2e64be006 . This isn't the same as a base64 decode (see http://makcoder.sourceforge.net/demo/base64.php for example). I really need to get access to my passwords so that I can set up ancillary features using a single log in, please help as I've read everything and can't get it to work! :(
Avatar
Reply · Quote Yves (Administrator) 2007-09-14, 12:34 #2
User title: UNB developer & webmaster
Member since Jan 2004 · 3740 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Show profile · Link to this post
The way how passwords are stored in UNB hasn't changed for two years or so now.

Specifically the database password in the board configuration file is still simply base64-encoded, which is indicated by the "b64:" prefix (which of course does not belong to the base64 text, as it would be obviously invalid). The base64 encoding does not claim any security advantage, it's simply to avoid encoding problems in the file and that you can't read it at once if occasionally opening the config file with other eyes watching over your shoulder.

And you say "that decoding hashed passwords would be easier than it is" - you'll have to explain to me what you mean, I don't understand that sentence. (Syntactically fine but with no sense.)
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
Reply · Quote John (Guest) 2007-09-14, 19:39 #3
No profile available.
Link to this post
By that I mean I thought that using php's base64encode/base64decode function would return an encoded string, which is to say if I typed "password" it would give me the encoded string, and if i plugged that back into base64decode it would give me "password" back. When I type this:

<?php
$str = "179667ba1a7c515bA:51bf13e2e64be006";
echo base64_decode($str);
?>

it gives me a different result than when I look up an account with "password" as password.

If I type "179667ba1a7c515bA:51bf13e2e64be006" into http://thephppro.com/tools/base64decode.php it comes back with rubbish, and this is from an account I set up with password as "password." So I'm not sure entirely how to go about decoding these passwords and I can't see a plaintext option anywhere for password storage.

I love the board though, it is very professionally done and I will be donating once I have this quirk sorted out
Reply · Quote visitor (Guest) 2007-09-14, 21:05 #4
No profile available.
Link to this post
Subject: donating?
I love the board though, it is very professionally done and I will be donating once I have this quirk sorted out

why not donate now?

Professionally done it is, and it seems less to be a 'quirk' than an inability to do something not directly on the features list :P

OTH, holding out the 'possibility' of maybe donating, will prompt them to get of their lazy asses, drop everything, and find your solution - maybe they'll even use Google or something!

I hope it works, as I am may donate myself, if someone can help me incorporate MSN msngr into my forum. :)
Reply · Quote John (Guest) 2007-09-14, 22:16 #5
No profile available.
Link to this post
The reason is because I will have to change messageboards if I can't find a way round this, it's central to my website as I don't want clients creating two seperate accounts to access similar content. I appreciate that this project- like many other open source projects- is done without asking for a fee and I think it's only right to give something back to projects that you would pay Microsoft or others to do to achieve the same job.
Avatar
Reply · Quote Yves (Administrator) 2007-09-15, 16:16 #6
User title: UNB developer & webmaster
Member since Jan 2004 · 3740 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Show profile · Link to this post
In reply to post #3
Quote by John:
<?php
$str = "179667ba1a7c515bA:51bf13e2e64be006";
echo base64_decode($str);
?>

This is not a valid base64 string because it has that ":" in it. Anyway, where did you get that "encoded" string from? It doesn't look as if it could come from UNB's db_pass configuration. Those usually begin with "b64:" and have a valid base64 string following.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
Reply · Quote John (Guest) 2007-09-15, 18:10 #7
No profile available.
Link to this post
I think there's been a little bit of confusion, I'm talking about the forum accounts that people create. The passwords are 34 digits in length which suggests it's been encoded by kmd5. I know it's easy to say 'get in there and work it out yourself' but some of us don't have degrees in programming. I am trying to convert these 34 digit passwords back to plaintext but haven't managed to do so thus far
Avatar
Reply · Quote Yves (Administrator) 2007-09-15, 21:00 #8
User title: UNB developer & webmaster
Member since Jan 2004 · 3740 posts · Location: Erlangen, Germany
Group memberships: Administrators, Members
Show profile · Link to this post
Aah, that's something totally different.

So, first here goes some terminology. "kmd5" is my abbreviation for "keyed md5". You know MD5, it's a cryptographically secure hashing function that can convert arbitrary text into a a so-called hash of a constant length. The thing that makes this function so interesting is that the hash cannot be converted back into plaintext without trying every possible combination and see whether the resulting hash code is the same. And this may take a very long time, depending on your hardware resources. But the problem with MD5 is that it's a commonly used hashing algorithm and there exist dictionaries for it containing common words and their hash value. This makes a reverse lookup considerably faster that it was intended.

So what I did to make it even more secure is that I added a random code that works as the "salt" in our hash soup. ;) It is added to the first MD5 hash and then, another MD5 hash is calculated over it all. (Obviously the salt must be stored with the second MD5 hash to be able to check it again. This makes the two extra bytes.) Reverse dictionaries would now also need an entry for every possible salt value in every possible combination. (It can be added at the beginning, at the end, and I insert it right into the middle. :D)

Long story short: There's no way you can "decrypt" a kmd5 hash into plaintext.

But there is another way you can go. UNB is quite flexible about what method is used to secure the passwords in the database. You can switch it back to standard one-pass MD5 and you can even make it store plaintext passwords with no protection to the database. It's not hard to change that though it requires you to modify one of the source files.

In the file unb_lib/session.lib.php, right at the beginning of the function UnbCreateUserPassword(), there's the following line:
  1. $method = 'kmd5';
You can exchange the value "kmd5" with "md5" or "plain" and UNB will use that method for any password that should be stored in the future. Of course, passwords that are already stored in the database cannot be converted, as I already explained. So if you already do have passwords, you can just ask (or force) your users to simply reset their password (it can even be the same, the main thing is that they set their password) and the new method will be used. When validating a password, e.g. for login, UNB wil understand each of the methods, so there's no need for all passwords to be encoded using the same method.

Security advice:
You should be aware that with the "plain" method your users' passwords are entirely unprotected against misuse, should somebody manage to get read access to your database. When using "md5", an attacker needs to manipulate his own browser cookies to log in as a user but he can't change passwords (because the current password is required to do that - except for administrators!). Only the method "kmd5" gives sufficient protection against it all. You may want to use my algorithm in your application though, if you like. It's all in the mentioned file.
♪ ...nanananah, all in all we’re just brilliant thieves, nanananah... ♪♬
Reply · Quote John (Guest) 2007-09-16, 02:31 #9
No profile available.
Link to this post
Thank you very much for taking the time to answer this query, it is greatly appreciated :D Everything is working very well now
Close Smaller – Larger + Reply to this post:
Verification code: VeriCode Please note the verification code from the picture into the text field next to it.
Smileys: :-) ;-) :-D :-p :blush: :cool: :rolleyes: :huh: :-/ <_< :-( :'( :#: :scared: 8-( :nuts: :-O
Special characters:
Reply

Go to forum
This board is powered by the Unclassified NewsBoard software, 20100516-dev, © 2003-10 by Yves Goergen
Page created in 268 ms (224 ms) · 73 database queries in 136 ms
Current time: 2010-07-30, 10:59:34 (UTC +02:00)