1
votes

I coded an external authentication in PHP and it works for 99% of all users. However the authentication doesn't work for the other 1% which is quite a lot in absolute numbers. I already wrote IPB but they are not able to help me.

I located that the reason is the way I try to rebuild the md5 hash. Please again note that I am using the exact same way as recommended by IPB ( https://www.invisionpower.com/support/guides/_/advanced-and-developers/miscellaneous/passwords-in-ipboard-r130 ). The following code example shows an example where the created md5 DIFFERS from the md5 in the database. The normal login at forum works with this password though.

<?php
    $md5 = 'e69618bbe9850fbaf633014f84b8f040';
    $salt = '}i3#W';
    $plainpass = 'Wv&Txq,LYD-su_6';

    $saltedPassword = md5( md5($salt) . md5($plainpass) );
    echo "Desired result: $md5 , actual result: $saltedPassword";
?>

How can I reach my desired md5? I guess it has something to do with the user's password or user's salt. Thus it is working for 99% of all users, but not for this example and other users.

1

1 Answers

0
votes

With the IPB4 release they update all old passwords to blowfish encryption. However this only happens once the user logs into the forum suite. Until then the old password encryption will remain. So in fact you have to check if it's a md5 salted password or if the password is encrypted with blowfish (see below).

As of IPB4 release the password encryption changed from salted MD5 to Blowfish:

/* $password is the raw password and $salt is the salt returned from fetchSalt */
crypt( $password, '$2a$13$' . $salt );

$2a$13$ refers to the salt prefix and a pre-determined cost factor that should not be altered.