[thelist] md5 hashed password problem
Jon Molesa
rjmolesa at consoltec.net
Thu Nov 6 15:17:49 CST 2008
Does Joomla salt the password prior to storage?
On Thu, Nov 06, 2008 at 01:32:30PM -0700 Bob Meetin <bobm at dottedi.biz> wrote:
>
> Hassan Schroeder wrote:
> > <tip type="MySQL" author="Hassan Schroeder">
> >
> > MySQL password authentication changed between 4.0 and 4.1.
> >
> > For compatibility an OLD_PASSWORD function is available on 4.1 and above,
> > and a variable OLD_PASSWORDS = ["OFF","ON"] defines default behavior.
> >
> > If for some reason -- DB migration, consolidation of apps -- you have a
> > mix of old- and new-style passwords and the MySQL instance is defaulted to
> > the old password style, it's possible to set the OLD_PASSWORDS variable on
> > a per-connection basis, so as not to affect possible older clients that
> > need that compatibility, e.g.
> >
> > SET OLD_PASSWORDS="OFF";
> >
> > /* Thanks to Anthony Baratta for pointing out the length difference could
> > be used to determine which routine to employ.
> > */
> >
> > mysql> INSERT INTO users SET user='Fred',password=PASSWORD("bananas");
> > Query OK, 1 row affected (0.12 sec)
> >
> > mysql> INSERT INTO users SET user='Barney',password=OLD_PASSWORD("bananas");
> > Query OK, 1 row affected (0.02 sec)
> >
> > mysql> SELECT * FROM users;
> > +----+--------+-------------------------------------------+
> > | id | user   | password                                  |
> > +----+--------+-------------------------------------------+
> > |  1 | Fred   | *9E303C97B1C59D393AFCCAEB156C148C1F9E0D67 |
> > |  2 | Barney | 0b0d276260c19cd1                          |
> > +----+--------+-------------------------------------------+
> >
> > mysql> SELECT IF(LENGTH(password)=16,
> > IF(password=OLD_PASSWORD("bananas"), true, false),
> > IF(password=PASSWORD("bananas"),true, false)) AS result FROM users;
> > +--------+
> > | result |
> > +--------+
> > |      1 |
> > |      1 |
> > +--------+
> >
> > mysql> SELECT IF(LENGTH(password)=16,
> > IF(password=OLD_PASSWORD("bagels"), true, false),
> > IF(password=PASSWORD("bagels"),true, false)) AS result FROM users;
> > +--------+
> > | result |
> > +--------+
> > |      0 |
> > |      0 |
> > +--------+
> >
> > More info on MySQL encryption:
> > <http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html>
> >
> > </tip>
> >
> It's been a while since this thread has surfaced. New project, new
> twist. I have a site which is growing exponentially which I originally
> designed with a custom registration scheme. It's grown to the point that
> we've decided to transition to Joomla 1.5+ which uses a different
> encryption method. Wishing we had known this in advance using the
> Joomla method now does no good. I'd rather not hack the registration
> screen itself (and method) but with 800+ users something has gotta give.
>
> I can undoubtedly create a custom form in Joomla to authenticate members
> by going to the old passwords first (and create a joomla password), but
> I'm not clear on how to switch login forms to joomla for
> those who have successfully authenticated.
>
> Or perhaps I use a 'forgot password' technique? Ideas?
>
> --
> Bob Meetin
--
Jon Molesa
rjmolesa at consoltec.net
if you're bored or curious
http://rjmolesa.com
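
The login-time migration described in the quoted message (check the old hash first, then create the new one), combined with the stored-format check from the quoted tip, as an added example that is not part of the original thread. It assumes the legacy scheme is an unsalted MD5 hex digest, as the subject line suggests, and uses a constructed salted PBKDF2 string as the target rather than Joomla's own storage format; all function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def legacy_hash(password):
    # Assumption: the old site stored an unsalted MD5 hex digest (32 chars).
    return hashlib.md5(password.encode()).hexdigest()


def new_hash(password):
    # Constructed target format: pbkdf2$<iterations>$<salt hex>$<digest hex>
    salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def is_legacy(stored):
    # Same idea as the LENGTH(password)=16 test: the format picks the routine.
    return len(stored) == 32 and "$" not in stored


def verify(password, stored):
    if is_legacy(stored):
        return hmac.compare_digest(legacy_hash(password), stored.lower())
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False  # malformed record: fail closed
    return scheme == "pbkdf2" and hmac.compare_digest(dk.hex(), dk_hex)


def login(users, name, password):
    # users is a hypothetical name -> stored-hash mapping (the users table).
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if is_legacy(stored):
        # The plaintext is only available now, so upgrade the record here.
        users[name] = new_hash(password)
    return True
```

Accounts that never log in keep their legacy hash under this scheme, so a cut-off date followed by the 'forgot password' route mentioned above is still needed for the remainder.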