TheMasterGeneral Posted May 6, 2015

So, recently I have added a function to my game that will allow user passwords to be encrypted in SHA-512. (Excessive? Probably.) Currently, I have an option in the preferences menu to have users set their password manually; however, once I pull the plug on md5, those who have not set their passwords will be left in the dark.

Is it possible (without an entire game reset) to have users be able to automatically have their password changed upon logging in? (Example: user logs in, system checks for password, if MD5, password gets changed to SHA512. Next time they log in, the MD5 test will fail, but a second test will run for SHA512.)

I've taken a look at the authenticate.php file and tried a couple things, didn't really work. (Luckily I was on an offline client haha!) Anyway, anyone got experience doing something like this? I'm at wit's end. (And if it's needed, MCCV2.0.5b)

sniko Posted May 6, 2015

Yes. Add a new column to the users table to indicate they're using the old password encryption method.

```sql
ALTER TABLE `users` ADD COLUMN `encryption` varchar(8) NOT NULL DEFAULT 'md5' AFTER `userpass`;
```

On globals.php, check they're using the old encryption method and send them to change their password:

```php
// Compare only the path: REQUEST_URI includes the query string, so comparing it
// directly would redirect preferences.php?action=change_password to itself.
if ($ir['encryption'] == 'md5' AND parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) != '/preferences.php') {
    ob_clean(); // You might need this and ob_start();
    header('Location: preferences.php?action=change_password');
    die;
}
```

Then, when they've changed their password, update the encryption value to SHA-512.

Guest Posted May 6, 2015

Easier than Sniko's.

http://stackoverflow.com/questions/14300696/check-if-string-is-an-md5-hash

Login submission -> Check if user's password is MD5 using the above regex -> Update password to SHA -> Finish logging them in.

sniko Posted May 6, 2015

> Easier than Sniko's.
>
> http://stackoverflow.com/questions/14300696/check-if-string-is-an-md5-hash
>
> Login submission -> Check if user's password is MD5 using the above regex -> Update password to SHA -> Finish logging them in.

To finish this off, you'd do:

```php
hash('SHA512', md5($password))
```

You'd then need to do the same elsewhere (my interpretation was pure SHA512 hash algo, and not a SHA512 of the md5 password).

Guest Posted May 6, 2015

> To finish this off, you'd do:
>
> ```php
> hash('SHA512', md5($password))
> ```
>
> You'd then need to do the same elsewhere (my interpretation was pure SHA512 hash algo, and not a SHA512 of the md5 password).

What? No god no. Just update the password you received from the form into SHA?

```php
$password    = $_POST['password'];
$shaPassword = hash('SHA512', $password);
// Escape the username before it goes into the SQL string
$username    = mysql_real_escape_string($_POST['username']);
$result      = mysql_query("SELECT password FROM users WHERE username = '$username'");
$currentPass = mysql_result($result, 0); // the stored hash itself, not the result resource
```

Then after the auth:

```php
// isMD5() is the regex check from the Stack Overflow link
if (isMD5($currentPass)) {
    mysql_query("UPDATE users SET password = '$shaPassword' WHERE username = '$username'");
}
```

Roughly what I mean.

Coly010 Posted May 6, 2015

I think what sniko posted is what he's looking for. I don't think he wants to SHA512 the md5 passwords, he wants to SHA512 the original ones.

Following what sniko said though, you could have an encryption column, enter md5 as default, and when a user logs in store the original password in a variable. If their encryption column is md5, then hash it using md5 first; if this password matches the password in the database then it's the correct password. Therefore run a code block that SHA512 hashes the password, update the password field in the database to match the SHA512 hash, and update the encryption field to say sha512 so next time a user logs in it checks the sha512 password instead.

Also, is there a problem using the password_hash() and password_verify() functions that come preloaded?

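An added example (not part of any post in this thread, and not MCCodes code) of the upgrade-on-login flow discussed above: the stored hash is classified by its format, verified with the matching algorithm, and replaced using the built-in password_hash()/password_verify() functions as the target. The function names and the in-memory `$users` array are hypothetical, and the legacy value is assumed to be a plain unsalted md5() of the password; a salted legacy scheme would need its own verify branch.

```php
<?php
// Added example, not MCCodes code. Needs PHP >= 5.6 (password_hash, hash_equals).

// Classify a stored hash by its format, as the regex check linked in the thread does.
function stored_scheme($stored)
{
    if (preg_match('/^[a-f0-9]{32}$/i', $stored)) {
        return 'md5';
    }
    if (preg_match('/^[a-f0-9]{128}$/i', $stored)) {
        return 'sha512';
    }
    return 'password_hash';
}

// Check a login attempt. Returns array($ok, $newHash); $newHash is non-null only
// when the password was correct and the stored hash should be replaced.
function verify_and_upgrade($plain, $stored)
{
    switch (stored_scheme($stored)) {
        case 'md5':    // assumed legacy format: unsalted md5(password)
            $ok = hash_equals(strtolower($stored), md5($plain));
            break;
        case 'sha512':
            $ok = hash_equals(strtolower($stored), hash('sha512', $plain));
            break;
        default:
            $ok = password_verify($plain, $stored);
            if ($ok && !password_needs_rehash($stored, PASSWORD_DEFAULT)) {
                return array(true, null); // already current, nothing to store
            }
    }
    // The plaintext only exists during login, so this is the moment to re-hash it.
    return $ok ? array(true, password_hash($plain, PASSWORD_DEFAULT)) : array(false, null);
}

// Constructed sample store with one legacy MD5 user (hypothetical name and password).
$users = array('alice' => md5('correct horse'));

foreach (array('wrong guess', 'correct horse', 'correct horse') as $attempt) {
    list($ok, $newHash) = verify_and_upgrade($attempt, $users['alice']);
    if ($newHash !== null) {
        $users['alice'] = $newHash; // in the game: UPDATE users SET userpass = ...
    }
    printf("%-14s ok=%-5s stored scheme now: %s\n",
        $attempt, var_export($ok, true), stored_scheme($users['alice']));
}
```

The password column must be wide enough for the new value; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT` output.
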
Guest Posted May 6, 2015

> I think what sniko posted is what he's looking for. I don't think he wants to SHA512 the md5 passwords, he wants to SHA512 the original ones.
>
> Following what sniko said though, you could have an encryption column, enter md5 as default, and when a user logs in store the original password in a variable. If their encryption column is md5, then hash it using md5 first; if this password matches the password in the database then it's the correct password. Therefore run a code block that SHA512 hashes the password, update the password field in the database to match the SHA512 hash, and update the encryption field to say sha512 so next time a user logs in it checks the sha512 password instead.
>
> Also, is there a problem using the password_hash() and password_verify() functions that come preloaded?

What's with the new column, adding more ****ty columns to an already ****ty structure...

sniko Posted May 6, 2015

> What? No god no. Just update the password you received from the form into SHA?
>
> ```php
> $password    = $_POST['password'];
> $shaPassword = hash('SHA512', $password);
> // Escape the username before it goes into the SQL string
> $username    = mysql_real_escape_string($_POST['username']);
> $result      = mysql_query("SELECT password FROM users WHERE username = '$username'");
> $currentPass = mysql_result($result, 0); // the stored hash itself, not the result resource
> ```
>
> Then after the auth:
>
> ```php
> // isMD5() is the regex check from the Stack Overflow link
> if (isMD5($currentPass)) {
>     mysql_query("UPDATE users SET password = '$shaPassword' WHERE username = '$username'");
> }
> ```
>
> Roughly what I mean.

Oh I see. My bad.

Though, using a broken encryption method for passwords, should you consider all passwords insecure/leaked and force a change? I would.

Coly010 Posted May 6, 2015

> What's with the new column, adding more ****ty columns to an already ****ty structure...

To determine what hash is being used?

> Add a new column to the users table to indicate they're using the old password encryption method.
>
> ```sql
> ALTER TABLE `users` ADD COLUMN `encryption` varchar(8) NOT NULL DEFAULT 'md5' AFTER `userpass`;
> ```

I thought this was pretty self-explanatory... obviously not..

Either way, the way you posted or the way sniko posted, is a solution I believe. The extra column just means you aren't running a test against an md5 version of the password followed by the sha512 version of it for the auth?

KyleMassacre Posted May 6, 2015

You wouldn't need an external library for that:

```php
if (MD5($_POST['password']) == $currentpass) {
    // then update the password with the new requirements
} else {
    // Then keep on keeping on
}
```

Remember the salt if using 2.0.5.

TheMasterGeneral Posted May 6, 2015

Awesome! Seems to work. Thanks everyone! (Did what Sniko suggested, minus the sha512 the md5)

Zettieee Posted May 6, 2015

I liked Kyle's way :x so simple! Yet works.

Magictallguy Posted May 6, 2015

```php
// Compare against each candidate hash separately: (md5(...) || hash(...))
// collapses to boolean true, which any non-empty stored password loosely equals.
if ($theUsersPassword != md5($_POST['password']) && $theUsersPassword != hash('sha512', $_POST['password']))
    exit("Incorrect");
/* Edit - addition to what Dayo said!
This part will need to go *below* $mem=$db->fetch_row($q); in authenticate.php */
if ($theUsersPassword == md5($_POST['password']))
    $db->query("UPDATE users SET userpass = '".hash('sha512', $_POST['password'])."' WHERE userid = ".$mem['userid']);
```

No need to add anything to the database then. You may wish to increase the `users`.`userpass` from a VARCHAR to a TEXT.

Dayo Posted May 6, 2015

You could do what MTG said above, but if the password is md5, update it to sha512 automatically.

KyleMassacre Posted May 6, 2015

Kind of off topic but maybe this will give me some drive to complete it: http://makewebgames.io/showthread.php/44470-In-Prod-Enhanced-Registration