[thelist] md5 hashed password problem

Bob Meetin bobm at dottedi.biz
Fri Nov 7 08:57:44 CST 2008


Apparently yes.  See: 
http://www.joomlaaa.com/Joomla-Articles/What-kind-of-password-encryption-used-in-Joomla-1.5.html


Jon Molesa wrote:
> Does Joomla salt the password prior to storage?
>
> *On Thu, Nov 06, 2008 at 01:32:30PM -0700 Bob Meetin <bobm at dottedi.biz> wrote:
>
>   
>> Date: Thu, 06 Nov 2008 13:32:30 -0700
>> From: Bob Meetin <bobm at dottedi.biz>
>> Subject: Re: [thelist] md5 hashed password problem
>> To: "thelist at lists.evolt.org" <thelist at lists.evolt.org>
>>
>> Hassan Schroeder wrote:
>>     
>>> <tip type="MySQL" author="Hassan Schroeder">
>>>
>>> MySQL password authentication changed between 4.0 and 4.1.
>>>
>>> For compatibility an OLD_PASSWORD function is available on 4.1 and above,
>>> and a variable OLD_PASSWORDS = ["OFF","ON"] defines default behavior.
>>>
>>> If for some reason -- DB migration, consolidation of apps -- you have a
>>> mix of old- and new-style passwords and the MySQL instance is defaulted to
>>> the old password style, it's possible to set the OLD_PASSWORDS variable on
>>> a per-connection basis, so as not to affect possible older clients that
>>> need that compatibility, e.g.
>>>
>>>   SET OLD_PASSWORDS="OFF";
>>>
>>> /* Thanks to Anthony Baratta for pointing out the length difference could
>>>    be used to determine which routine to employ.
>>>  */
>>>
>>> mysql> INSERT INTO users SET user='Fred',password=PASSWORD("bananas");
>>> Query OK, 1 row affected (0.12 sec)
>>>
>>> mysql> INSERT INTO users SET user='Barney',password=OLD_PASSWORD("bananas");
>>> Query OK, 1 row affected (0.02 sec)
>>>
>>> mysql> SELECT * FROM users;
>>> +----+--------+-------------------------------------------+
>>> | id | user   | password                                  |
>>> +----+--------+-------------------------------------------+
>>> |  1 | Fred   | *9E303C97B1C59D393AFCCAEB156C148C1F9E0D67 |
>>> |  2 | Barney | 0b0d276260c19cd1                          |
>>> +----+--------+-------------------------------------------+
>>>
>>> mysql> SELECT IF(LENGTH(password)=16,
>>> IF(password=OLD_PASSWORD("bananas"), true, false),
>>> IF(password=PASSWORD("bananas"),true, false)) AS result FROM users;
>>> +--------+
>>> | result |
>>> +--------+
>>> |      1 |
>>> |      1 |
>>> +--------+
>>>
>>> mysql> SELECT IF(LENGTH(password)=16,
>>> IF(password=OLD_PASSWORD("bagels"), true, false),
>>> IF(password=PASSWORD("bagels"),true, false)) AS result FROM users;
>>> +--------+
>>> | result |
>>> +--------+
>>> |      0 |
>>> |      0 |
>>> +--------+
>>>
>>> More info on MySQL encryption:
>>> <http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html>
>>>
>>> </tip>
>>>   
>>>       
>> It's been a while since this thread has surfaced. New project, new
>> twist. I have a site which is growing exponentially which I originally
>> designed with a custom registration scheme. It's grown to the point that
>> we've decided to transition to Joomla 1.5+ which uses a different
>> encryption method. Wishing we had known this in advance, using the
>> Joomla method now does no good. I'd rather not hack the registration
>> screen itself (and method) but with 800+ users something has gotta give.
>>
>> I can undoubtedly create a custom form in Joomla to authenticate members
>> by going to the old passwords first (and create a joomla password), but
>> I'm not clear on how to switch login forms to joomla for
>> those who have successfully authenticated.
>>
>> Or perhaps I use a 'forgot password' technique? Ideas?
>>
>> -- 
>> Bob Meetin
>>
>>
>
>   


-- 
Bob Meetin
www.dottedi.biz
303-926-0167


Standards - you gotta love em - there are so many to choose from!
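
The approach raised in the quoted message (check the old password first, then create the new one), sketched as an added example that is not part of the original thread and is not Joomla's code. It assumes the legacy table holds unsalted MD5 hex and that the new store uses an md5(password + salt):salt layout; all function and table names are hypothetical.

```python
import hashlib
import hmac
import secrets


def legacy_hash(password):
    # Assumed legacy scheme: unsalted MD5, 32 hex characters.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None):
    # Assumed target layout: md5(password + salt) + ":" + salt.
    salt = salt or secrets.token_hex(16)
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def verify(stored, password):
    # Choose the routine from the stored value's shape, in the same
    # spirit as the LENGTH(password)=16 test in the quoted MySQL tip.
    if ":" in stored:
        salt = stored.split(":", 1)[1]
        candidate = salted_hash(password, salt)
    elif len(stored) == 32:
        candidate = legacy_hash(password)
    else:
        return False  # unknown format: reject rather than guess
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def login(users, name, password):
    """Return True on success; upgrade a legacy hash to the salted form."""
    stored = users.get(name)
    if stored is None or not verify(stored, password):
        return False
    if ":" not in stored:
        # The plaintext is only available at login, so re-hash now and
        # overwrite the legacy value so it stops being accepted.
        users[name] = salted_hash(password)
    return True


# Constructed sample table: user -> stored hash, both still in legacy form.
USERS = {"fred": legacy_hash("bananas"), "barney": legacy_hash("bagels")}

if __name__ == "__main__":
    print(login(USERS, "fred", "bananas"), USERS["fred"])
```

Accounts that never log in keep their legacy hash, which is where the 'forgot password' route from the quoted message would apply.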



