Registering members - MD5 to sha1?

freediver · March 27, 2008, 12:50:02 PM

I am using smf_api.php to integrate smf into my CMS. Log in works fine.

Now I want to register all of my CMS members to SMF.

There is smf_registerMember() function in the api but it takes raw password.

The problem I have is that my CMS stores the passwords in MD5. As I understand SMF uses sha1. I could not find any way to convert from one to other.

Any idea or work around this problem is greatly appreciated!

Kindred · March 27, 2008, 03:26:50 PM

you have the md5 password, then decrypt it and pass it to the function

freediver · March 28, 2008, 10:01:39 AM

But how do I decrypt MD5 password? It's supposed to be one way only.

H · March 28, 2008, 02:41:33 PM

Indeed md5 is a hash and therefore one-way. I believe SMF has some md5 compatibility code in it but I'm not sure how you would go about using it

Kindred · March 28, 2008, 03:07:54 PM

hmmm... yeah.

The only time that the password is NOT encrypted is during entry from the user in the login form.

Orstio · March 28, 2008, 07:13:07 PM

SMF can read the MD5 password. You can write that straight into the SMF password field.

When a user with the MD5 hash attempts to login to SMF, they will get the message "Password security has recently been upgraded. Please login again." When they login the second time, SMF will rewrite the password hash as SHA1, and they will never have to worry about it again.

freediver · March 29, 2008, 07:20:52 AM

So the solution is to pass MD5 password to smf_registerMember() and wait for the next login.

Thanks for help

Ranger135xp · March 31, 2008, 08:26:11 PM

Quote from: Orstio on March 28, 2008, 07:13:07 PM
SMF can read the MD5 password. You can write that straight into the SMF password field.

When a user with the MD5 hash attempts to login to SMF, they will get the message "Password security has recently been upgraded. Please login again." When they login the second time, SMF will rewrite the password hash as SHA1, and they will never have to worry about it again.

that can't be true, i just tried it and it failed the login

Orstio · March 31, 2008, 08:34:25 PM

Are you using smf_api.php for logging in as well?

Ranger135xp · March 31, 2008, 09:59:08 PM

the more and more i read these threads i keep hearing about that file. what exactly is it anyway? (if you could kindly help me, srry for not knowing)

Orstio · March 31, 2008, 10:01:43 PM

It's a separate API file for help with some integrations. I'm not very experienced with it myself.

So, you copied a MD5 hash directly from another script, and the login failed?

Ranger135xp · April 01, 2008, 12:13:40 AM

oh, so u mean the api's function of smf_registerMember() can take an md5 hash and convert it to smf's sha1?

if so many people use md5 and not sha1, we should find a way to make this easier on users. maybe convert back down to md5? i personally think md5 is sufficient, along with every other one-way hash, but y use something not common, or not make the integration simpler?

well, little do i know about y this method was chosen, but im just speaking as a possible helpful user of this wonderful forum.

Panzer- · April 03, 2008, 01:37:43 AM

I thought there was an argument in that smf register function which allows you to say whether the password is md5 encrypted or not..?

News:

Registering members - MD5 to sha1?

Orstio

Orstio

Orstio