creativiii (posted March 7, 2022)

My site currently makes heavy use of IPB for logging users into other parts of the site via OAuth. This is okay, but it makes it incredibly difficult to keep data synced between the forum and the rest of the site. It's resulted in a lot of duplication and I'm currently looking at options to improve it.

Ideally I'd like to simply allow the user to log in using their email and password, but I can't find any information as to where the salt to decrypt those passwords is. I know that before IPB4, hashes were stored alongside passwords, and I can see these in my members table. But from IPB4 and the encryption system moving to blowfish, I can't seem to find any record whatsoever as to where this salt is stored.

Any ideas?
CodingJungle (posted March 7, 2022)

The salt is a part of the password hash in the encryption scheme IPS 4 uses:

    $2y$10$ykiLOC/Lu24CIGUiJmH.1eYlIRvdfBhrd2qEBukwU4Qjmx1UWM96e

The hashing algo used knows what to use as the salt when you go to compare the passwords to see if they match.
creativiii (author, posted March 7, 2022)

> 18 minutes ago, CodingJungle said:
> The salt is a part of the password hash in the encryption scheme IPS 4 uses:
>     $2y$10$ykiLOC/Lu24CIGUiJmH.1eYlIRvdfBhrd2qEBukwU4Qjmx1UWM96e
> The hashing algo used knows what to use as the salt when you go to compare the passwords to see if they match.

Riiight, that makes a lot more sense. How would I find out the exact settings IPB is using to encrypt passwords? I've got a basic example working locally, but my encoded password doesn't look anything like the one I can see in the database.

    const blf = require("blowfish-js");
    const cry = require("crypto");

    // random key and 8-byte IV for Blowfish in OFB mode
    let key = cry.randomBytes(16);
    let iv = cry.randomBytes(8);
    let context = blf.key(key);

    let plaintext = "Testingpassword";
    let ciphertext = blf.ofb(context, iv, Buffer.from(plaintext, "utf8"));
    let decrypted = blf.ofb(context, iv, ciphertext, true);

    console.log(ciphertext.toString("hex")); // e0f3339823e661e89918cf81056f9f
    console.log(decrypted.toString("utf8")); // Testingpassword

I have no idea if blowfish encryption works the same from PHP to JS, sorry in advance if this doesn't make a lot of sense.
creativiii (author, marked as solution, posted March 7, 2022)

Never mind! Figured it out. For future reference, this is how you compare IPB passwords from Node.

    const bcrypt = require("bcrypt");

    // convert the hashing algorithm from 2y to 2a
    let encrypted = "$2a$10$ykiLOC/Lu24CIGUiJmH.1eYlIRvdfBhrd2qEBukwU4Qjmx1UWM96e";
    let plaintext = "mypassword";

    bcrypt.compare(plaintext, encrypted, function (err, result) {
      console.log(result);
    });

I verified this with my own password and it works 😁
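An added example, not code from the thread: a dependency-free Node script that splits the bcrypt string quoted above into its fields (showing where the salt lives), applies the same 2y-to-2a prefix rewrite the solution relies on, and flags stored hashes whose cost factor is below a chosen minimum. The functions parseBcrypt, toTwoA and needsRehash and the minCost policy value are this example's own names, not IPS or bcrypt API.

```javascript
// Added example, not from the thread. Splits a bcrypt "modular crypt" string
// like the one IPS 4 stores into its fields. The hash is the one quoted above.
const IPS_HASH = "$2y$10$ykiLOC/Lu24CIGUiJmH.1eYlIRvdfBhrd2qEBukwU4Qjmx1UWM96e";

// Layout: $<version>$<cost>$<22-char salt><31-char digest>  (60 chars total)
// Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcrypt(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) throw new Error("not a bcrypt hash: " + hash);
  const cost = parseInt(m[2], 10);
  // bcrypt only defines cost factors 4..31 (2^cost key-setup rounds)
  if (cost < 4 || cost > 31) throw new Error("bcrypt cost out of range: " + cost);
  return { version: m[1], cost, rounds: 2 ** cost, salt: m[3], digest: m[4] };
}

// PHP's $2y$ marks the corrected crypt_blowfish output, which is the same
// algorithm as a correct $2a$; that is why the solution above rewrites the
// prefix for libraries that only accept $2a$/$2b$ strings.
function toTwoA(hash) {
  const p = parseBcrypt(hash); // validate before touching the string
  return p.version === "2y" ? "$2a$" + hash.slice(4) : hash;
}

// Defender-side check: report hashes whose cost is below the minimum you want
// (minCost is an assumed policy value, not something the thread specifies),
// so they can be rehashed the next time the user logs in successfully.
function needsRehash(hash, minCost) {
  return parseBcrypt(hash).cost < minCost;
}

// Stand-alone usage: show the fields of the quoted hash.
console.log(parseBcrypt(IPS_HASH));
console.log("rewritten:", toTwoA(IPS_HASH));
console.log("needs rehash at cost 12:", needsRehash(IPS_HASH, 12));
```

The salt field is exactly the 22 characters that follow the cost, which is why there is no separate salt column to look for in IPS 4.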