PHPBB Password Hashing Replication in ASP.net C#

I am using phpbb 3.0.8 at the moment. It has 3,000 users and about 60,000 posts. I am changing the forum to another one written in classic ASP (I know that people will disapprove of this, but I have good reasons).

My site is written in ASP.net. The classic ASP forum has an API to connect to it. I installed all this and it works great. I wrote my own registration form.

I want to copy all user accounts. There is a table in the current forum:

Username | Password | Hash | Salt 

I have overridden the classic ASP hashing method; now I use the ASP.net Security.SHA1 hash. The password is stored as SHA1(rawpassword + salt).

My plan is to keep new fields next to the current ones:

 UserID | Password | Hash | Salt | PHPBBHash 

When a user logs in, if the hash field is set to PHPBB, it hashes the password using the PHPBB hash. Then, if the login succeeds, it deletes the PHPBBHash field and creates the current system's hash values. So this is a smooth transition from PHPBB to the new forum and no one loses their account.

My problem is, given the PHPBB hash, username and password in ASP.net C#, how can I check the PHPBB hash? How does it calculate this?

My concern is also that the classic ASP hash function claimed to be SHA1, but it gave different results to Security.SHA1.

Edit

I have put a bounty on this. If someone can give me a final solution I would be grateful; I appreciate the answers linking to resources, but I'm still trying to understand it.

Test case

Raw password:

 blingblangblaow222 

In the PHPBB3 database:

    username:        Tom
    username_clean:  tom
    user_password:   $H$9ojo08A3LuhnkXR27p.WK7dJmOdazh0
    user_passchg:    1301433947
    user_form_salt:  637f480dfdab84ef

Using the sample code from Vishalgiri's answer, we do the following:

    phpBB.phpBBCryptoServiceProvider cPhpBB = new phpBB.phpBBCryptoServiceProvider();
    string remoteHash = "$H$9ojo08A3LuhnkXR27p.WK7dJmOdazh0";
    bool result = cPhpBB.phpbbCheckHash("blingblangblaow222", remoteHash);
    Response.Write("<BR><BR><BR>" + result);

This really returns true. Super! But does anyone know why this works? I'm confused, it doesn't seem to be taking it into account.

+7
3 answers

It looks like your answer is here in the phpBB community. However, as you already know, this is a salted hash, so you need to use the function provided in the link to check your password, because the hash will change whenever it is generated.

Please ignore if you have already tried the code provided in the link.

Hope this helps ...


Another option is to create a separate PHP page/service to perform hashing or hash verification. The phpbb_hash function is used to create a hash and the phpbb_check_hash function to check one, and these functions can be exposed to ASP or ASP.NET through a page or service.

+3

It looks like PHPBB checks passwords through the phpbb_check_hash function in the functions.php source file. It looks like it usually relies on _hash_crypt_private to do the real work. The function is 57 lines long (including a large amount of whitespace), so it should be relatively straightforward to convert it to C#.

+6
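
The scheme this answer points to, written out in C# as an added example (not code from the original posts or from phpBB itself): a `$H$` hash stores its own iteration count (4th character) and 8-character salt (characters 5 to 12), which is why the check in the question needs no separate salt argument. The class and method names are hypothetical, and UTF-8 encoding of the password is an assumption.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added example: verifier for phpBB 3.0 "$H$" (phpass portable) hashes. Names are hypothetical.
static class PhpbbPortableHash
{
    const string Itoa64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    // Recompute the hash using the cost and salt embedded in `setting` (the stored hash).
    public static string Crypt(string password, string setting)
    {
        if (setting == null || setting.Length < 12 || !setting.StartsWith("$H$", StringComparison.Ordinal)) return "*";
        int log2 = Itoa64.IndexOf(setting[3]);            // 4th char encodes log2(iterations)
        if (log2 < 7 || log2 > 30) return "*";
        byte[] salt = Encoding.ASCII.GetBytes(setting.Substring(4, 8));
        byte[] pw = Encoding.UTF8.GetBytes(password);     // assumption: UTF-8 password bytes
        using (MD5 md5 = MD5.Create())
        {
            byte[] hash = md5.ComputeHash(salt.Concat(pw).ToArray());
            for (long i = 1L << log2; i > 0; i--)          // stretching: md5(previous hash + password)
                hash = md5.ComputeHash(hash.Concat(pw).ToArray());
            return setting.Substring(0, 12) + Encode64(hash);
        }
    }

    // phpass base64 variant: little-endian 24-bit groups, 6 bits per output character.
    static string Encode64(byte[] input)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < input.Length; i += 3)
        {
            int n = Math.Min(3, input.Length - i), value = 0;
            for (int j = 0; j < n; j++) value |= input[i + j] << (8 * j);
            for (int j = 0; j <= n; j++) sb.Append(Itoa64[(value >> (6 * j)) & 0x3f]);
        }
        return sb.ToString();
    }

    // True when `password` reproduces `storedHash`; compares without an early exit.
    public static bool Check(string password, string storedHash)
    {
        if (storedHash == null || storedHash.Length != 34) return false; // other formats not handled here
        string computed = Crypt(password, storedHash);
        int diff = computed.Length ^ storedHash.Length;
        for (int i = 0; i < computed.Length && i < storedHash.Length; i++) diff |= computed[i] ^ storedHash[i];
        return diff == 0;
    }
}
```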

You can also configure the current phpBB system to store the SHA1 hash of the password entered during login. If you run this setting for a while, you will have the most active users, and this will save you from the need to implement a complex algorithm. Inactive users can simply request a new password when they cannot log in, or you could give them a new password and send it to them (you can select them by the last login date stored in the phpBB database).

You can also use the phpbb auto-login feature, depending on your needs. Users who use this feature may not even know their passwords, and therefore they will have problems logging into your new system if it does not support automatic login.

+2
