Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Forum Module

Discuss the Forum Module.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Change password algorithm?


Go to End
Reply

10 Posts   2848 Views

Avatar
dompie

24 February 2011 at 1:37am (Last edited: 24 February 2011 1:38am), Community Member, 88 Posts

Hello,

I'm new to the forum module, is it possible to change the password encryption algorithm to md5? I have to import an old forum to silverstripe, where the passwords were stored as md5 hash. Any ideas how to solve this problem, besides of allowing to store md5 passwords in silverstripe?

Regards

Avatar
Willr

24 February 2011 at 8:36pm Forum Moderator, 5511 Posts

You can set the PasswordEncryption to md5 manually on a member by member basis by setting the 'PasswordEncryption' field in the database for the user. Or when you run your importer set $member->PasswordEncryption = 'md5'; You'll need to test it fully though.

Avatar
dompie

25 February 2011 at 3:24am Community Member, 88 Posts

Hi Willr, thanks for answering.

I have used CSV import from the security admin with the recommended file layout (see attachment).
Moreover I tried with md5 and md5_v2.4 as PasswordEncription string, but could not log in anyway after import (even after deleting salt or changing the hash manually in DB tables). I could only log in after changing the password by hand in the security panel for the imported user.

You wrote, I should use $member->PasswordEncryption ... by writing a standalone import script?

Attached Files
Avatar
dompie

25 February 2011 at 5:29am Community Member, 88 Posts

Awww, I glanced at the onBeforeWrite function of Member class. I suppose SS encrypts the already encrypted password with a randomly generated salt. That's why my login credentials are not working. Is there a way to tell silverstripe "do not encrypt the provided password" ?

Any advice welcome.

Avatar
Willr

25 February 2011 at 12:31pm Forum Moderator, 5511 Posts

Ah right the salt, should always use a salt as well as a hash :). Though could you just set the salt column to be '' which I would do nothing to the string?

Avatar
dompie

25 February 2011 at 11:36pm Community Member, 88 Posts

Well, it turned out that importing md5 hashed passwords and using them right away is not possible in Silverstripe. It either adds unwanted salts, calculates some special base_converts or requires an unhashed password at some point of the process.

After spotting that it was no problem anymore to write an own PasswordEncryptor, now password import works as intended.

Thanks for your suggestions! :)

Avatar
Willr

26 February 2011 at 12:17pm Forum Moderator, 5511 Posts

After spotting that it was no problem anymore to write an own PasswordEncryptor, now password import works as intended.

It would be great if you could write up a documentation page to explain how to do this as I am sure someone else will run into this issue.

Avatar
beezer

17 June 2011 at 3:20am Community Member, 16 Posts

Hi dompie,

I am setting up an API to manage co-registrations from another site. They will send usernames and ready salted md5 passwords, so if you wouldn't mind posting your solution that would be really helpful.

Cheers

Go to Top