Jibeji
Posted November 14, 2020 (edited)

Hi,

I am closing my IPB forum, which is not used anymore. However, I would like to keep the existing members database, which is used for another section of my website, without asking them to change their password.

I'd consequently like to use the same password algorithm as in IPB on my own authentication system, just by keeping name, email, members_pass_hash, members_pass_salt from the database.

My question is: do you know how the passwords are managed in IPB?

Any help would be appreciated.

Edit

As from the public function updatePassword(), it looks like the pass_hash is:

    $new_pass = md5( md5( $member['members_pass_salt'] ) . $new_md5_pass );

But the hash stored in the database seems to be the result of a password_hash() function.

Edited November 14, 2020 by Jibeji

Martin A.
Posted November 16, 2020

    password_verify( $input, $storedPassHash )

https://www.php.net/manual/en/function.password-verify.php

There's a bit more to it, mostly related to verifying and converting legacy passwords. See /system/Login/Handler/Standard/Standard.php, method authenticatePasswordForMember(), and /system/Member/Member.php, method verifyLegacyPassword().

Not sure where you got that updatePassword() method from. I don't have anything like that on my 4.5 install.

patrick24000
Posted November 19, 2020 (edited)

sorry, wrong post

Edited November 19, 2020 by patrick24000

Jibeji (Author)
Posted November 19, 2020 (edited)

Hi Martin,

Here is the code for method verifyLegacyPassword() in my installation:

    public function verifyLegacyPassword( $password )
    {
        return \IPS\Login::compareHashes( $this->members_pass_hash, md5( md5( $this->members_pass_salt ) . md5( \IPS\Request::legacyEscape( $password ) ) ) );
    }

It looks pretty much the same as updatePassword() that I found in /admin/sources/base/ipsMember.php

Edited November 19, 2020 by Jibeji

Martin A.
Posted November 20, 2020

It is quite important to mention what version you are using, especially when not on the latest. Looks like you are still on the 3.x series.

'members_pass_hash' is the result of 'md5( md5( unique salt ), md5( plaintext password ) )'. Look at "authenticateMember" in the ipsMember.php file.
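
The two checks discussed in this thread, combined into one login routine for a standalone site, as an added example that is not IPS code and not from any poster. The function names are hypothetical, the sample row is constructed, and `$legacyEscape` is a stand-in for `\IPS\Request::legacyEscape()`, whose body is not shown in the thread and has to be ported from the IPB install.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not IPS code. Verifies a login against a row exported from
 * the IPB members table and reports whether the stored hash should be upgraded.
 *
 * $legacyEscape stands in for \IPS\Request::legacyEscape(); its real body is
 * not shown in the thread, so the caller must supply a port of it.
 */
function verify_ipb_password(string $password, string $storedHash, string $salt, callable $legacyEscape): array
{
    // Hashes written by password_hash() carry a recognisable algorithm prefix.
    // 'algo' is null (PHP >= 7.4) or 0 (older PHP) when the format is unknown.
    $info = password_get_info($storedHash);
    if ($info['algo'] !== null && $info['algo'] !== 0) {
        $ok = password_verify($password, $storedHash);
        return ['ok' => $ok, 'rehash' => $ok && password_needs_rehash($storedHash, PASSWORD_DEFAULT)];
    }

    // Legacy scheme quoted in the thread: md5( md5(salt) . md5(escaped password) ).
    $candidate = md5(md5($salt) . md5($legacyEscape($password)));
    $ok = hash_equals($storedHash, $candidate); // constant-time comparison
    // A legacy match should always be upgraded: salted MD5 is cheap to brute-force.
    return ['ok' => $ok, 'rehash' => $ok];
}

function upgraded_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample row (not real data). The identity escape is a placeholder.
$escape = static fn (string $p): string => $p;
$salt   = 'aB3$x';
$row    = ['members_pass_hash' => md5(md5($salt) . md5('correct horse')), 'members_pass_salt' => $salt];

$result = verify_ipb_password('correct horse', $row['members_pass_hash'], $row['members_pass_salt'], $escape);
if ($result['ok'] && $result['rehash']) {
    // Persist the new hash in members_pass_hash; password_hash() embeds its own salt.
    $row['members_pass_hash'] = upgraded_hash('correct horse');
}
var_dump($result['ok'], password_verify('correct horse', $row['members_pass_hash']));
```

Upgrading on successful login means members keep their passwords while the MD5 hashes are phased out of the table over time.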