salted hashed hashed passwords


Paul Sanderson
Hi

I am trying to create a program to automate the transfer of users from
an existing forum into my wiki.

As far as I can see I could get away with adding the following to the
users table

username
e-mail address
password (the list is password protected)

I am not a PHP programmer so I thought it might be easier to do this
in C++ and have written the basic elements to do the above.

The problem comes when adding the password. As far as I can see
MediaWiki expects a salted hash of the hash of a password, the salt is
the userID. i.e. if I create a user who has a random password (say
123abc) and a userID of say 357 then I would do the following

Create a random password (123abc)

Hash it

Prepend the user ID and a dash (-), so we would have something like

357-abc343acde... etc.

We then hash this string again, giving the final hash

When I do this on a test case I do not get a matching hash - what am I
doing wrong?
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Re: salted hashed hashed passwords

Rick DeNatale
On 2/8/06, Paul Sanderson <[hidden email]> wrote:

> Hi
>
> I am trying to create a program to automate the transfer of users from
> an existing forum into my wiki.
>
> As far as I can see I could get away with adding the following to the
> users table
>
> username
> e-mail address
> password (the list is password protected)
>
> I am not a PHP programmer so I thought it might be easier to do this
> in C++ and have written the basic elements to do the above.
>
> The problem comes when adding the password. As far as I can see
> MediaWiki expects a salted hash of the hash of a password, the salt is
> the userID. i.e. if I create a user who has a random password (say
> 123abc) and a userID of say 357 then I would do the following
>
> Create a random password (123abc)
>
> Hash it
>
> Prepend the user ID and a dash (-), so we would have something like
>
> 357-abc343acde... etc.
>
> We then hash this string again, giving the final hash
>
> When I do this on a test case I do not get a matching hash - what am I
> doing wrong?

It's been a while since I've looked at the code, but I'm pretty sure
that you have too many hashes.  Try just prepending the user ID and
dash to the clear password and hash that.

--
Rick DeNatale

Visit the Project Mercury Wiki Site
http://www.mercuryspacecraft.com/

Re: salted hashed hashed passwords

Brion Vibber
In reply to this post by Paul Sanderson
Paul Sanderson wrote:

> The problem comes when adding the password. As far as I can see
> MediaWiki expects a salted hash of the hash of a password, the salt is
> the userID. i.e. if I create a user who has a random password (say
> 123abc) and a userID of say 357 then I would do the following
>
> Create a random password (123abc)
>
> Hash it
>
> Prepend the user ID and a dash (-), so we would have something like
>
> 357-abc343acde... etc.
>
> We then hash this string again, giving the final hash

Sounds right. Make sure that:
* you are using MD5
* hex digits are lowercase
* the hashed object is UTF-8 text, and you're not including the NULL byte or any
other trailing bytes from an array

For your example of id 357 and password "123abc" you should get:

$ php -r 'echo md5("357-" . md5("123abc")) . "\n";'
397981aabef0194a3b76c1319c496659

-- brion vibber (brion @ pobox.com)
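
The scheme confirmed in the reply above and the three points of its checklist, as an added Python example (not part of the original thread and not MediaWiki's own code): `diagnose` recomputes the hash for a user and names which mistake produces a mismatching candidate. All function names are hypothetical, and the non-ASCII password is constructed for the illustration.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()  # hexdigest() is always lowercase

def legacy_hash(user_id, password, *, inner_upper=False,
                encoding="utf-8", trailer=b""):
    """md5("<id>-" + md5(password)) as in the thread; the keyword
    arguments reproduce the mistakes the checklist warns about."""
    # errors="replace" keeps the Latin-1 variant from raising on other scripts
    inner = md5_hex(password.encode(encoding, errors="replace") + trailer)
    if inner_upper:
        inner = inner.upper()
    return md5_hex(f"{user_id}-{inner}".encode("ascii"))

def variants(user_id, password):
    """Correct hash plus the digest each known mistake would produce."""
    good = legacy_hash(user_id, password)
    return {
        "ok": good,
        "final digest in uppercase hex": good.upper(),
        "inner digest in uppercase hex":
            legacy_hash(user_id, password, inner_upper=True),
        "trailing NUL byte hashed with the password":
            legacy_hash(user_id, password, trailer=b"\x00"),
        "password encoded as Latin-1 instead of UTF-8":
            legacy_hash(user_id, password, encoding="latin-1"),
        "single MD5 over id-cleartext":
            md5_hex(f"{user_id}-{password}".encode("utf-8")),
    }

def diagnose(user_id, password, candidate):
    """Name the mistake that turns this user's password into `candidate`."""
    for label, value in variants(user_id, password).items():
        if candidate == value:
            return label
    return "unknown mismatch"

if __name__ == "__main__":
    uid, pw = 357, "123abc"  # the id and password used in the thread
    print("expected:", legacy_hash(uid, pw))
    for label, value in variants(uid, pw).items():
        print(f"{value}  {label}")
    # Constructed non-ASCII password: the encoding now changes the result
    print(diagnose(uid, "p\u00e4ssword",
                   legacy_hash(uid, "p\u00e4ssword", encoding="latin-1")))
```

For an ASCII-only password the Latin-1 and UTF-8 encodings are byte-identical, so that variant only shows up for passwords with non-ASCII characters.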



Re: salted hashed hashed passwords

Paul Sanderson
Thanks for that

I was using upper case hex digits - it all works now.