Jump to content

Where is password salt stored?

Go to solution Solved by creativiii,

Recommended Posts

My site currently makes heavy use of IPB for logging users into other parts of the site via oAuth. This is okay, but it makes it incredibly difficult to keep data synced between forum and the rest of the site. It's resulted in a lot of duplication and I'm currently looking at options to improve it.

Ideally I'd like to simply allow the user to login using their email and password, but I can't find any information as to where the salt to decrypt those passwords is.

I know that before IPB4, hashes were stored alongside passwords, and I can see these in my members table. But from IPB4 and the encryption system moving to blowfish, I can't seem to find any record whatsoever as to where this salt is stored.

Any ideas?

Link to comment
Share on other sites

18 minutes ago, CodingJungle said:

the salt is apart of the password hash in the encryption scheme IPS 4 uses.


the hashing algo used knows what to use as the salt when you go to compare the passwords to see if they match. 

Riiight, that makes a lot more sense. 

How would I find out the exact settings IPB is using to encrypt passwords? I've got a basic example working locally, but my encoded password doesn't look anything like the one I can see in the database.

const blf = require("blowfish-js");
const cry = require("crypto");

let key = cry.randomBytes(16);
let iv = cry.randomBytes(8);
let context = blf.key(key);
let plaintext = "Testingpassword";
let ciphertext = blf.ofb(context, iv, Buffer.from(plaintext, "utf8"));
let decrypted = blf.ofb(context, iv, ciphertext, true);

console.log(ciphertext.toString("hex")); // e0f3339823e661e89918cf81056f9f
console.log(decrypted.toString("utf8")); // Testingpassword

I have no idea if blowfish encryption works the same from PHP to JS, sorry in advance if this doesn't make a lot of sense.

Link to comment
Share on other sites

  • Solution

Nevermind! Figured it out. For future reference, this is how you compare IPB passwords from Node.

const bcrypt = require("bcrypt");

// convert the hashing algorithm from 2y to 2a
let encrypted = "$2a$10$ykiLOC/Lu24CIGUiJmH.1eYlIRvdfBhrd2qEBukwU4Qjmx1UWM96e";
let plaintext = "mypassword";

bcrypt.compare(plaintext, encrypted, function (err, result) {

I verified this with my own password and it works 😁

Link to comment
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...