
Improve security of v9 md5 hashed passwords in v10


The below script is used on this website to make the old v9 passwords more secure.
If anyone ever obtains our database, the passwords are currently safe enough against any attempt.

Use the below script on your own v10 website and modify it to your own liking.
You can also use it as a reference for importing users+passwords from other systems without users ever needing to request a new password.

/includes/dragonfly/identity/v9pass.php
```php
<?php
/* MySQL > 5.5.6
   Re-wrap every legacy 'md5:<hex>' row: SHA-256 over the md5 hex digest, new class prefix

UPDATE cms_auth_identities
   SET auth_password = CONCAT('Dragonfly_Identity_v9pass:', SHA2(SUBSTRING(auth_password FROM 5), '256'))
 WHERE auth_password LIKE 'md5:%'
*/

class Dragonfly_Identity_v9pass
{
	public static function verify($plain, $password)
	{
		// the stored value is sha256(md5($plain)), so md5 is recomputed client-side first
		return \Poodle\Hash::verify('sha256', md5($plain), $password);
	}
}
```

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

Last edited by DJ Maze on Mon Mar 02, 2015 10:50 pm; edited 1 time in total


Besides, I thought a thumbs up would propagate at user level, but I just realised it attaches to the post; still a valid thumbs up though :)

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.6 / PHP 5.6 / DCVS


Do we need to run this script against our database when upgrading to V10, or should this be done as part of the install script?



No, you don't need this script.
It is an example of 2 things:
  1. The power of the new login system (support custom password hashing)
  2. How to improve security of the old md5 passwords in MySQL 5.5.6

We could add it, but...
Since not everyone is using MySQL >= 5.5.6, not everyone has better password protection.

It is better to let everyone change their passwords so that the better bcrypt is used.


Last edited by DJ Maze on Fri Apr 17, 2015 8:04 am; edited 1 time in total
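As an added example (not from this thread and not Dragonfly's own code), here is the v9pass idea written out end to end in plain PHP 7.1+: the UPDATE's wrapping step done in PHP, one verifier that accepts the legacy, wrapped and bcrypt formats, and the step recommended above, replacing the wrapped hash with bcrypt the first time a user logs in successfully. The prefix constants, function names and the sample user are assumptions for illustration; Dragonfly's \Poodle\Hash dispatcher is not used. One caveat worth keeping in mind: SHA-256 over the md5 hex is still an unsalted fast hash. It stops someone reusing precomputed md5 lookups against a leaked table, but a brute-force run against the wrapped column is nearly as fast as against md5, which is why the rehash-on-login step matters.

```php
<?php
// Added example, not Dragonfly CMS code. Prefixes, helper names and sample data are assumed.
//
// Three generations of one stored password:
//   'md5:' . md5($plain)                                      legacy v9
//   'Dragonfly_Identity_v9pass:' . hash('sha256', md5($plain)) what the SQL UPDATE leaves behind
//   bcrypt from password_hash()                                after the first successful login
declare(strict_types=1);

const MD5_PREFIX    = 'md5:';
const V9PASS_PREFIX = 'Dragonfly_Identity_v9pass:';

/** PHP equivalent of: CONCAT('Dragonfly_Identity_v9pass:', SHA2(SUBSTRING(auth_password FROM 5), 256)) */
function wrap_legacy_md5(string $stored): string
{
    if (strncmp($stored, MD5_PREFIX, strlen(MD5_PREFIX)) !== 0) {
        return $stored;                                  // not a legacy row, leave untouched
    }
    $md5hex = substr($stored, strlen(MD5_PREFIX));       // same bytes as SUBSTRING(... FROM 5)
    return V9PASS_PREFIX . hash('sha256', $md5hex);      // lowercase hex, like MySQL's SHA2()
}

/** Verify $plain against any of the three formats; constant-time compares throughout. */
function verify_password(string $plain, string $stored): bool
{
    if (strncmp($stored, V9PASS_PREFIX, strlen(V9PASS_PREFIX)) === 0) {
        $expected = substr($stored, strlen(V9PASS_PREFIX));
        // the wrapper hashed the hex md5, so md5() must be recomputed from the plaintext here
        return hash_equals($expected, hash('sha256', md5($plain)));
    }
    if (strncmp($stored, MD5_PREFIX, strlen(MD5_PREFIX)) === 0) {
        return hash_equals(substr($stored, strlen(MD5_PREFIX)), md5($plain));
    }
    return password_verify($plain, $stored);             // bcrypt ($2y$...)
}

/**
 * Login step: on a correct password, replace anything that is not bcrypt at the wanted cost.
 * Returns the value to store in auth_password, or null when the password did not match.
 */
function login_and_upgrade(string $plain, string $stored, int $cost = 12): ?string
{
    if (!verify_password($plain, $stored)) {
        return null;
    }
    $opts = ['cost' => $cost];
    // true for the md5/v9pass formats (not a password_hash() string) and for under-cost bcrypt
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)) {
        return password_hash($plain, PASSWORD_BCRYPT, $opts);
    }
    return $stored;
}

function must(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
}

// Constructed sample user (not real data): a v9 account whose password is 'correct horse'.
$plain   = 'correct horse';
$legacy  = MD5_PREFIX . md5($plain);
$wrapped = wrap_legacy_md5($legacy);

must(verify_password($plain, $legacy),   'legacy md5 verifies');
must(verify_password($plain, $wrapped),  'wrapped sha256(md5) verifies');
must(!verify_password('wrong', $wrapped), 'wrong password rejected');
must(wrap_legacy_md5($wrapped) === $wrapped, 'wrapping is idempotent on already-wrapped rows');

$bcrypt = login_and_upgrade($plain, $wrapped);        // first good login: wrapped -> bcrypt
must($bcrypt !== null && strncmp($bcrypt, '$2y$', 4) === 0, 'upgraded to bcrypt on login');
must(login_and_upgrade($plain, $bcrypt) === $bcrypt,  'bcrypt at target cost is left alone');
must(login_and_upgrade('wrong', $bcrypt) === null,    'wrong password never rehashes');

echo "legacy:  $legacy\nwrapped: $wrapped\nbcrypt:  $bcrypt\n";
```

The only piece a site would keep after the migration finishes is the bcrypt branch; once every row has been rehashed on login, the md5 and v9pass branches can be deleted together with the rows of users who never came back.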


For importing from other systems here's another.
Save as /includes/classes/phpass.php
```php
<?php
/*
 Dragonfly™ CMS, Copyright © since 2016 http://dragonflycms.org
 Dragonfly CMS is released under the terms and conditions of the GNU GPL version 2 or any later version

 This class verifies PHPass passwords. http://www.openwall.com/phpass/
 It can also handle the different versions used by Drupal, Escher and phpBB3

 You can import users from Drupal, Escher, Joomla, phpBB3, Typo3, WordPress and others
 by importing their logins like:

 INSERT INTO {auth_identities} (identity_id, auth_provider_id, auth_claimed_id, auth_password)
 SELECT user_id, 1, SHA1(LOWER(username)), 'PHPass:'||password
 FROM {users}
 WHERE CAST(password AS BINARY) REGEXP '^U?\$([HPQS])\$';
*/

abstract class PHPass
{
	private static
		// phpass' own base64 alphabet (not RFC 4648)
		$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
		// the hash function is chosen by the letter between the first two '$'
		$algos = array(
			'H' => 'md5',    // phpBB3
			'P' => 'md5',    // phpass
			'Q' => 'sha1',   // Escher CMS
			'S' => 'sha512', // Drupal
		);

	// phpass encode64(): 3 input bytes -> 4 output characters, no padding
	private static function encode64($input)
	{
		$count = strlen($input);
		$output = '';
		$i = 0;
		while ($i < $count) {
			$value = ord($input[$i++]);
			$output .= static::$itoa64[$value & 0x3f];
			if ($i < $count) {
				$value |= ord($input[$i]) << 8;
			}
			$output .= static::$itoa64[($value >> 6) & 0x3f];
			if ($i++ < $count) {
				if ($i < $count) {
					$value |= ord($input[$i]) << 16;
				}
				$output .= static::$itoa64[($value >> 12) & 0x3f];
				if ($i++ < $count) {
					$output .= static::$itoa64[($value >> 18) & 0x3f];
				}
			}
		}
		return $output;
	}

	public static function verify($password, $stored_hash)
	{
		if ('U$' == substr($stored_hash, 0, 2)) {
			// May be a Drupal updated password from user_update_7000(). Such hashes
			// have 'U' added as the first character and need an extra md5()
			$stored_hash = substr($stored_hash, 1);
			$password = md5($password);
		}
		// layout: $<type>$<log2 iteration count><8 character salt><encoded hash>
		if (!preg_match('#^\\$([HPQS])\\$([a-zA-Z0-9\\./])(.{8})#', $stored_hash, $m)) {
			return false;
		}
		$algo = static::$algos[$m[1]];
		$count_log2 = strpos(static::$itoa64, $m[2]);
		if ($count_log2 < 7 || $count_log2 > 30) {
			return false;
		}
		$count = 1 << $count_log2;
		// iterated hash: H(salt . pw), then H(previous . pw) 2^count_log2 times (raw binary output)
		$hash = hash($algo, $m[3] . $password, true);
		do {
			$hash = hash($algo, $hash . $password, true);
		} while (--$count);
		// Drupal truncates its sha512 hashes to 55 characters; md5/sha1 results are shorter and unaffected
		return \Poodle\Hash::equals($stored_hash, substr($m[0] . static::encode64($hash), 0, 55));
	}
}
```


Last edited by DJ Maze on Sat Jan 06, 2018 6:54 pm; edited 2 times in total


And for MyBB
Save as /includes/dragonfly/mybb/login.php
```php
<?php
/*********************************************
 * CPG Dragonfly™ CMS
 *********************************************
 Copyright © since 2010 by CPG-Nuke Dev Team
 http://dragonflycms.org

 Dragonfly is released under the terms and conditions
 of the GNU GPL version 2 or any later version

 To use, you must import all users from your MyBB forum, and execute:

 INSERT INTO cms_auth_identities (identity_id, auth_provider_id, auth_claimed_id, auth_password)
 SELECT uid, 1, SHA1(LOWER(username)), CONCAT('Dragonfly_MyBB_Login:',salt,'-',password)
 FROM mybb_users;
*/

class Dragonfly_MyBB_Login
{
	public static function verify($plain_password, $encrypted_password)
	{
		// stored as "<salt>-<md5>" by the INSERT above; MyBB salts are alphanumeric, so no '-' inside them
		list($salt, $password) = explode('-', $encrypted_password, 2);
		// MyBB 1.x scheme: md5(md5(salt) . md5(password)); compare against the hash part only,
		// in constant time, not against the whole "salt-hash" string
		return hash_equals($password, md5(md5($salt).md5($plain_password)));
	}
}
```


Last edited by DJ Maze on Sat Jan 06, 2018 6:55 pm; edited 1 time in total
