
Gen. Password Hash

Started by lordtron, May 13, 2009, 05:03:27 AM


lordtron

SMF: 2.0

I have been looking for the past few days. Maybe not hard enough, I don't know, but I hope to soon find out.

How do you generate the Password Hash?


I created my own form for users to register. It had to be custom made and designed, because only 1 set of users (2 groups) will be using it. All other users will be using the default register form. So if anyone can help me with this, it will help greatly.

VainSoftGames.com - New Design To Gaming

Tristan Perry

The SMF passwords use sha1() and a salt:

sha1(strtolower($username) . $_POST['passwrd1'])

To check this for yourself, do a search (with a powerful text editor or Dreamweaver etc) in all the /Sources/ files for "sha1(strtolower("

lordtron

You have to be kidding me. That is it. I thought it would be some 100 line piece of code I would have to use to do this process. Only 17-+ characters for this process, lol



Wait how do I get the salt???

VainSoftGames.com - New Design To Gaming

[SiNaN]

Username acts as the salt here. So you just concatenate lowercased username and the pure password and hash them with sha1(). That's all.
Former SMF Core Developer | My Mods | SimplePortal

lordtron

Yeah I am looking at it and they are not matching up.

I used this

$name = 'quick';
$offerI = 'reply';
$usern = sha1(strtolower($name) . $offerI);


And the hashes don't match up.

VainSoftGames.com - New Design To Gaming

[SiNaN]

Which hashes do not match? In your example you have just one.

If you mean that you have a user with member name (not real name) "quick" and the password is "reply", the password field in the DB *will* be the same as the result you get with $usern.
Former SMF Core Developer | My Mods | SimplePortal

lordtron

I used this example to output a hash and I made a user in my database with the same name and like I said, they do not match.

After I do this, if the user logs in, the hash gets fixed but the user is not really logged in yet. So they have to log in a 2nd time to really be logged in. But that is not the problem. The problem is the hash; I used your exact coding and it still does not work.

VainSoftGames.com - New Design To Gaming

[SiNaN]

There is also the 'password_salt' field in smf_members table which is used for hashing the password in the login cookie. It is created by substr(md5(mt_rand()), 0, 4).
Former SMF Core Developer | My Mods | SimplePortal

lordtron

Will that fix the password hashing problem I am having?

VainSoftGames.com - New Design To Gaming

[SiNaN]

Well, not having the password_salt wouldn't require you to login twice AFAIK.

Quote: I made a user in my database with the same name and like I said

You manually created an account with member_name "quick" and set the password as the hash you get with sha1(strtolower({member_name}) . {password})? Or did you use a different method to create the account?

Quote: they do not match

Well, what and what do not match?
Former SMF Core Developer | My Mods | SimplePortal

lordtron

I manually created the account.
With the username of 'quick' and password of 'reply'.


If I use 'sha1(strtolower({member_name}) . {password})' then the password will not work at all.
If I use 'sha1(strtolower({member_name}))' then the password still works, but the user has to login twice. Once to fix the password(database side, not user), then 2nd to actually login.


I matched the password hash of 'sha1(strtolower({member_name}))' with what the database changed it to and they don't match.
I matched the password hash of 'sha1(strtolower({member_name}) . {password})' with what the database changed it to and they don't match.

VainSoftGames.com - New Design To Gaming

[SiNaN]

Okay. What result do you get when you use this code?

$member_name = 'quick';
$password = 'reply';
$hash = sha1($member_name . $password);
var_dump($hash);
Former SMF Core Developer | My Mods | SimplePortal

lordtron

I get
string(40) "064104817c338a5ecfb0ee183fbf1c1baba5242e"

Alright I created a new account with the above given username/password(hashed) and it allows me to login. But if I try to fix accounts that have already been created(password is not hashed), by hashing the password, it keeps saying the password is not correct.

VainSoftGames.com - New Design To Gaming

[SiNaN]

Quote from: lordtron on May 16, 2009, 02:54:41 PM
I get
string(40) "064104817c338a5ecfb0ee183fbf1c1baba5242e"

Alright I created a new account with the above given username/password(hashed) and it allows me to login.

I get the same too. So there is no problem with that and, as you said, it works. Out of curiosity, what did you use before to get the hash, which didn't work?

Quote from: lordtron on May 16, 2009, 02:54:41 PM
But if I try to fix accounts that have already been created(password is not hashed), by hashing the password, it keeps saying the password is not correct.

Note that the member name should be lowercased. In the example I gave, I didn't do it as the member name was already lowercase. Try with this code:

$member_name = {member_name};
$password = {raw_password};
$hash = sha1(strtolower($member_name) . $password);
var_dump($hash);


If you can't get it working, would you give example account information that doesn't work?
Former SMF Core Developer | My Mods | SimplePortal
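
The scheme worked out in the posts above, as an added example that is not part of the original thread and not SMF source code: it builds the `passwd` and `password_salt` values for a custom registration form and shows why skipping `strtolower()` on a mixed-case member name produces a hash the login will not accept. The function names and the sample account are hypothetical.

```php
<?php
// Added example, not SMF source. Function names are hypothetical.

// 'passwd' value as described in this thread:
// SHA-1 over the lowercased member name followed by the raw password.
function smf_legacy_hash(string $memberName, string $rawPassword): string
{
    return sha1(strtolower($memberName) . $rawPassword);
}

// 'password_salt' value as described in this thread: 4 hex characters.
// It is used for the login cookie, not for the 'passwd' column.
function smf_password_salt(): string
{
    return substr(md5(mt_rand()), 0, 4);
}

// Check a login attempt against the stored value in constant time.
function smf_legacy_verify(string $memberName, string $rawPassword, string $storedHash): bool
{
    return hash_equals($storedHash, smf_legacy_hash($memberName, $rawPassword));
}

// Constructed sample account with a mixed-case member name.
$memberName = 'QuickUser';
$password   = 'reply';

// Values a custom registration form would store for this member.
$row = [
    'member_name'   => $memberName,
    'passwd'        => smf_legacy_hash($memberName, $password),
    'password_salt' => smf_password_salt(),
];

// The member name is lowercased before hashing, so its case does not matter.
var_dump(smf_legacy_verify('quickuser', $password, $row['passwd']));

// Failure mode from the thread: hashing the name without strtolower()
// yields a different value, so the stored hash never matches at login.
$withoutLowercase = sha1($memberName . $password);
var_dump(hash_equals($row['passwd'], $withoutLowercase));
```

This reproduces the legacy format only for compatibility with the existing `passwd` column. A single SHA-1 pass is fast to brute-force, so for password storage that does not have to match this format, PHP's `password_hash()` and `password_verify()` are the better fit.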

lordtron

Alright that seemed to do the trick. Thanks a lot.

VainSoftGames.com - New Design To Gaming

prathyush

Hi friend, I have the same problem. I would like to have your help to generate a password. Currently I am using code like

'passwd' =>sha1(strtolower($user).$password),
'password_salt' =>substr(md5(rand()), 0, 4) ,

but I could not login at all... please tell me what is wrong with the above code

thanks
