[thelist] md5 hashed password problem

Stephen Rider evolt_org at striderweb.com
Wed Aug 15 09:24:02 CDT 2007 

There's a hole in the bucket, Dear Liza, Dear Liza.

I don't know how you could do this without knowing the passwords,  
which (I assume) you don't.  In fact, if there were a way to do it  
without the paswswords, I would have to conclude it was an insecure  
system you're using. ;)

Since it's only 20 accounts, I would suggest assigning new temporary  
passwords to the accounts, and have the account holders reset them to  
whatever they like on the next login.  Depending on how secure you  
need to be (is this a bank system or a newsletter?)  you could give  
them the new passwords via various methods -- from paper mail to  
"call me for your password".

OR... if the old system is still up, you might have them log into the  
old system to get their new temp password for the new system, with a  
"click here" link to the new system to reset it.

Stephen

On Aug 15, 2007, at 8:28 AM, Bob Meetin - 303-926-0167 -  
www.dottedi.biz wrote:

> PROBLEM:
>
> In moving a registration system from a shared hosting provider to
> another I ran into a problem with the passwords not authenticating.  I
> have gone to the old site and manually copied the encrypted password
> into the password field, very careful, no extra spaces.  Visually they
> look identical.
>
> *3BDC3D5E6C0386BD93B2C9F79C9B0D92D05714TT  ==> the encrypted  
> password in
> the mysql database appears identical on both sites/providers
>
> select * from members where login='some_member' AND
> password=PASSWORD('entered_password')
> select * from members where login='some_member' -->> this returns a  
> record
>
> If I run the select statement (above) on the login field only it  
> returns
> a record, meaning that it is connecting to the database and seeing the
> table correctly.  I set up an echo which echoes back what the user  
> types
> in, the entered password, and that seems to be fine.
>
> RESPONSE FROM SUPPORT:
>
> "This is because each server has an md5 function that deciphers  
> hashed passwords such as this. If you moved the scripts location on  
> your server it would work, but not if you move this to another  
> server. You will need to find some way to reset this file in the  
> database system."
>
> OK - this seems reasonable as an explanation, but still I'm rather  
> at a loss.  Can anyone recommend a worksround, a way to convert,  
> decrypt, whatever, so that I can transfer about 20 accounts to the  
> new provider without having to go through hoops with the members/ 
> shareholders?
>
> -Bob
>
>
>
> -- 
>
> * * Please support the community that supports you.  * *
> http://evolt.org/help_support_evolt/
>
> For unsubscribe and other options, including the Tip Harvester
> and archives of thelist go to: http://lists.evolt.org
> Workers of the Web, evolt !

More information about the thelist mailing list