MakeWebGames

Switching PW Encryption



So, recently I have added a function to my game that will allow user passwords to be encrypted in SHA-512. (Excessive? probably.) Currently, I have an option in the preferences menu to have users set their password manually, however, once I pull the plug on md5, those who have not set their passwords will be left in the dark.

Is it possible (without an entire game reset) to have users be able to automatically have their password changed upon logging in? (Example, user logs in, system checks for password, if MD5, password gets changed to SHA512. Next time they log in, the MD5 test will fail, but a second test will run for SHA512.)

I've taken a look at the authenticate.php file and tried a couple things, didn't really work. (Luckily I was on an offline client haha!)

Anyway, anyone got experience doing something like this? I'm at wit's end.

(And if it's needed, MCCV2.0.5b)


Yes.

Add a new column to the users table to indicate they're using the old password encryption method.

ALTER TABLE `users` ADD COLUMN `encryption`  varchar(8) NOT NULL DEFAULT 'md5' AFTER `userpass`;

 

On globals.php, check they're using the old encryption method and send them to change their password

// Compare the path only: the redirect target carries a query string, so comparing the full
// REQUEST_URI against '/preferences.php' never matches and the user loops forever.
if( $ir['encryption'] == 'md5' AND parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) != '/preferences.php') {
  ob_clean(); // You might need this and ob_start();
  header('Location: preferences.php?action=change_password');
  die;
}

 

Then, when they've changed their password, update the encryption value to SHA-512


Easier than Snikos.

http://stackoverflow.com/questions/14300696/check-if-string-is-an-md5-hash

Login submission

-> Check if users password is MD5 using the above regex

-> Update password to SHA

-> Finish logging them in.

To finish this off, you'd do;

 

hash('SHA512', md5($password))

 

You'd then need to do the same elsewhere (my interpretation was pure SHA512 hash algo, and not a SHA512 of the md5 password)


To finish this off, you'd do;

 

hash('SHA512', md5($password))

 

You'd then need to do the same elsewhere (my interpretation was pure SHA512 hash algo, and not a SHA512 of the md5 password)

What? No god no. Just update the password you received from the form into SHA?

 

$password = $_POST['password'];
$shaPassword = hash('SHA512', $password);
// Escape and quote the username: "$_POST['username']" inside a double-quoted string is a
// parse error, and an unquoted value is an SQL injection. mysql_query() returns a result
// resource, so the row still has to be fetched.
$username = mysql_real_escape_string($_POST['username']);
$result = mysql_query("SELECT password FROM users WHERE username = '$username'");
$row = mysql_fetch_assoc($result);
$currentPass = $row['password'];

 

Then after the auth

if(isMD5($currentPass)) // isMD5(): the regex check from the Stack Overflow link above
{
   // The hash is quoted as a string literal; $username was escaped above
   mysql_query("UPDATE users SET password = '$shaPassword' WHERE username = '$username'");
}

 

Roughly what I mean.


I think what sniko posted is what he's looking for. I don't think he wants to SHA512 the md5 passwords, he wants to SHA512 the original ones.

Following what sniko said though, you could have an encryption column, enter md5 as default, and when a user logs in store the original password in a variable; if their encryption column is md5, then hash it using md5 first, and if this matches the password in the database then it's the correct password.

Therefore run a code block that SHA512 hashes the password, update the password field in the database to match the SHA512 hash, update the encryption field to say sha512 so next time a user logs in it checks the sha512 password instead.

Also, is there a problem using the password_hash() and password_verify() functions that come preloaded?

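As an added example (not code from the thread and not MCCodes' own authenticate.php), here is the login-time migration Coly010 describes, using the `encryption` column from sniko's post but storing the new hash with password_hash()/password_verify() instead of bare SHA-512. The `$users` array and the in-place row update are stand-ins for the database, and the 2.0.5 salt KyleMassacre mentions is left out; fold it into the md5() call if your install uses one.

```php
<?php
// Added example, not from the thread or MCCodes. $users stands in for the
// `users` table; a real install would read/UPDATE the row instead.
const LEGACY_SCHEME = 'md5';
const MODERN_SCHEME = 'php';   // value stored once password_hash() is in use

// Constructed sample rows: user 1 still has an MD5 hash, user 2 is migrated.
$users = [
    1 => ['userpass' => md5('hunter2'), 'encryption' => LEGACY_SCHEME],
    2 => ['userpass' => password_hash('correct horse', PASSWORD_DEFAULT),
          'encryption' => MODERN_SCHEME],
];

/**
 * Verify $plain against the stored row. A successful legacy login rehashes
 * the row in place, so the MD5 hash is gone after the first login.
 * Returns true on success, false otherwise; callers get no hint which
 * scheme or which step failed.
 */
function login(array &$row, string $plain): bool
{
    if ($row['encryption'] === LEGACY_SCHEME) {
        // hash_equals() is constant-time and, unlike ==, is not fooled by
        // "0e..." hashes that PHP would otherwise compare as equal numbers.
        if (!hash_equals($row['userpass'], md5($plain))) {
            return false;
        }
        $row['userpass']   = password_hash($plain, PASSWORD_DEFAULT);
        $row['encryption'] = MODERN_SCHEME;
        return true;
    }
    if (!password_verify($plain, $row['userpass'])) {
        return false;
    }
    // Keeps hashes current if PASSWORD_DEFAULT or its cost changes later.
    if (password_needs_rehash($row['userpass'], PASSWORD_DEFAULT)) {
        $row['userpass'] = password_hash($plain, PASSWORD_DEFAULT);
    }
    return true;
}

// Walk-through: a wrong password on a legacy row is rejected and not migrated,
// the right one is accepted and migrated, and the next login uses password_verify().
assert(login($users[1], 'wrong') === false && $users[1]['encryption'] === LEGACY_SCHEME);
assert(login($users[1], 'hunter2') === true && $users[1]['encryption'] === MODERN_SCHEME);
assert(login($users[1], 'hunter2') === true);
assert(login($users[2], 'correct horse') === true);
```

Users who never log in keep their MD5 hash, which is why sniko's forced password change (or Dayo's point about treating the old hashes as leaked) still matters after the migration code is in place.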

I think what sniko posted is what he's looking for. I don't think he wants to SHA512 the md5 passwords, he wants to SHA512 the original ones.

Following what sniko said though, you could have an encryption column, enter md5 as default, and when a user logs in store the original password in a variable; if their encryption column is md5, then hash it using md5 first, and if this matches the password in the database then it's the correct password.

Therefore run a code block that SHA512 hashes the password, update the password field in the database to match the SHA512 hash, update the encryption field to say sha512 so next time a user logs in it checks the sha512 password instead.

Also, is there a problem using the password_hash() and password_verify() functions that come preloaded?

What's with the new column, adding more ****ty columns to an already ****ty structure...


What? No god no. Just update the password you received from the form into SHA?

 

$password = $_POST['password'];
$shaPassword = hash('SHA512', $password);
// Escape and quote the username: "$_POST['username']" inside a double-quoted string is a
// parse error, and an unquoted value is an SQL injection. mysql_query() returns a result
// resource, so the row still has to be fetched.
$username = mysql_real_escape_string($_POST['username']);
$result = mysql_query("SELECT password FROM users WHERE username = '$username'");
$row = mysql_fetch_assoc($result);
$currentPass = $row['password'];

 

Then after the auth

if(isMD5($currentPass)) // isMD5(): the regex check from the Stack Overflow link above
{
   // The hash is quoted as a string literal; $username was escaped above
   mysql_query("UPDATE users SET password = '$shaPassword' WHERE username = '$username'");
}

 

Roughly what I mean.

Oh I see. My bad.

Though, using a broken encryption method for passwords, should you consider all passwords insecure/leaked and force a change? I would.


What's with the new column, adding more ****ty columns to an already ****ty structure...

To determine what hash is being used?

Add a new column to the users table to indicate they're using the old password encryption method.

ALTER TABLE `users` ADD COLUMN `encryption`  varchar(8) NOT NULL DEFAULT 'md5' AFTER `userpass`;

 

I thought this was pretty self-explanatory... obviously not..

Either way, the way you posted or the way sniko posted, is a solution I believe.

The extra column just means you aren't running a test against an md5 version of the password followed by the sha512 version of it for the auth?

Edited by Coly010

You wouldn't need an external library for that

// Strict comparison: with == PHP treats two "0e..." hex digests as equal numbers
if(MD5($_POST['password']) === $currentpass) {
   //then update the password with the new requirements
}
else {
   //Then keep on keeping on
}

remember the salt if using 2.0.5

Edited by KyleMassacre
remember salt please

// md5(...) || hash(...) evaluates to the boolean true, so the original single
// comparison never rejected anyone; test each hash separately instead.
$md5Pass = md5($_POST['password']);
$shaPass = hash('sha512', $_POST['password']);
if($theUsersPassword !== $md5Pass && $theUsersPassword !== $shaPass)
   exit("Incorrect");
/*
Edit - addition to what Dayo said!
This part will need to go *below*
$mem=$db->fetch_row($q);
in authenticate.php
*/
// Legacy MD5 match: store the SHA-512 hash so the next login takes the SHA-512 branch
if($theUsersPassword === $md5Pass)
   $db->query("UPDATE users SET userpass = '".$shaPass."' WHERE userid = ".$mem['userid']);

No need to add anything to the database then.

You may wish to increase the `users`.`userpass` from a VARCHAR to a TEXT

Edited by Magictallguy