[thelist] md5 hashed password problem

Jon Molesa rjmolesa at consoltec.net
Thu Nov 6 15:17:49 CST 2008


Does Joomla salt the password prior to storage?

*On Thu, Nov 06, 2008 at 01:32:30PM -0700 Bob Meetin <bobm at dottedi.biz> wrote:

> Date: Thu, 06 Nov 2008 13:32:30 -0700
> From: Bob Meetin <bobm at dottedi.biz>
> Subject: Re: [thelist] md5 hashed password problem
> To: "thelist at lists.evolt.org" <thelist at lists.evolt.org>
> 
> Hassan Schroeder wrote:
> > <tip type="MySQL" author="Hassan Schroeder">
> >
> > MySQL password authentication changed between 4.0 and 4.1.
> >
> > For compatibility an OLD_PASSWORD function is available on 4.1 and above,
> > and a variable OLD_PASSWORDS = ["OFF","ON"] defines default behavior.
> >
> > If for some reason -- DB migration, consolidation of apps -- you have a
> > mix of old- and new-style passwords and the MySQL instance is defaulted to
> > the old password style, it's possible to set the OLD_PASSWORDS variable on
> > a per-connection basis, so as not to affect possible older clients that
> > need that compatibility, e.g.
> >
> >   SET OLD_PASSWORDS="OFF";
> >
> > /* Thanks to Anthony Baratta for pointing out the length difference could
> >    be used to determine which routine to employ.
> >  */
> >
> > mysql> INSERT INTO users SET user='Fred',password=PASSWORD("bananas");
> > Query OK, 1 row affected (0.12 sec)
> >
> > mysql> INSERT INTO users SET user='Barney',password=OLD_PASSWORD("bananas");
> > Query OK, 1 row affected (0.02 sec)
> >
> > mysql> SELECT * FROM users;
> > +----+--------+-------------------------------------------+
> > | id | user   | password                                  |
> > +----+--------+-------------------------------------------+
> > |  1 | Fred   | *9E303C97B1C59D393AFCCAEB156C148C1F9E0D67 |
> > |  2 | Barney | 0b0d276260c19cd1                          |
> > +----+--------+-------------------------------------------+
> >
> > mysql> SELECT IF(LENGTH(password)=16,
> > IF(password=OLD_PASSWORD("bananas"), true, false),
> > IF(password=PASSWORD("bananas"),true, false)) AS result FROM users;
> > +--------+
> > | result |
> > +--------+
> > |      1 |
> > |      1 |
> > +--------+
> >
> > mysql> SELECT IF(LENGTH(password)=16,
> > IF(password=OLD_PASSWORD("bagels"), true, false),
> > IF(password=PASSWORD("bagels"),true, false)) AS result FROM users;
> > +--------+
> > | result |
> > +--------+
> > |      0 |
> > |      0 |
> > +--------+
> >
> > More info on MySQL encryption:
> > <http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html>
> >
> > </tip>
> >   
> It's been a while since this thread has surfaced. New project, new 
> twist. I have a site which is growing exponentially which I originally 
> designed with a custom registration scheme. It's grown to the point that 
> we've decided to transition to Joomla 1.5+ which uses a different 
> encryption method. Wishing we had known this in advance using the 
> Joomla method now does no good. I'd rather not hack the registration 
> screen itself (and method) but with 800+ users something has gotta give.
> 
> I can undoubtedly create a custom form in Joomla to authenticate members 
> by going to the old passwords first (and create a Joomla password), but 
> I'm not clear on how to switch login forms to Joomla for 
> those who have successfully authenticated.
> 
> Or perhaps I use a 'forgot password' technique? Ideas?
> 
> -- 
> Bob Meetin

-- 
Jon Molesa
rjmolesa at consoltec.net
if you're bored or curious
http://rjmolesa.com
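
An added example (not from this thread and not Joomla's code) of the approach Bob describes: at login, check the old hash first and, on success, store the password again under the new scheme, choosing the routine from the stored value's format as in the quoted tip. It assumes the old site stored unsalted MD5 hex digests; the salted PBKDF2 target format and the `users` dict standing in for the user table are hypothetical.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def legacy_md5(password):
    """Assumed old scheme: unsalted MD5, stored as 32 hex characters."""
    return hashlib.md5(password.encode()).hexdigest()


def new_hash(password, salt=None):
    """Hypothetical new scheme: 'pbkdf2$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return "pbkdf2${}${}".format(salt.hex(), digest.hex())


def verify_and_upgrade(users, name, password):
    """Return True on a correct password; migrate legacy rows on success."""
    stored = users.get(name)
    if stored is None:
        return False
    if stored.startswith("pbkdf2$"):
        # Already migrated: recompute with the stored salt and compare.
        salt = bytes.fromhex(stored.split("$")[1])
        return hmac.compare_digest(stored, new_hash(password, salt))
    if len(stored) == 32 and hmac.compare_digest(stored, legacy_md5(password)):
        # Legacy row matched: this is the only moment the plaintext is
        # available, so replace the old hash with the new one now.
        users[name] = new_hash(password)
        return True
    return False


if __name__ == "__main__":
    users = {"fred": legacy_md5("bananas")}  # constructed sample row
    print(verify_and_upgrade(users, "fred", "bananas"), users["fred"][:7])
```

Accounts that never log in again keep their old hash, so a cutoff date followed by a forced 'forgot password' reset covers the remainder.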

