Phorum 5.2.18 - Question about password storage

Posted by OWHorus 
October 13, 2011 08:16PM
Hello,

most needed changes are done now - I hope this will be my last question :-)

We have a database of accounts (players), and only people who have player accounts can use the (new) forums. In this database the passwords (player account is identical to the Phorum access) are stored in MD5 - but slightly different:

The password in our Gameserver is:
md5("accountname"."password")

In Phorum it is
md5("password");

I want the accounts in Phorum for several reasons, so external authentication is no option. I also have a script which imports our player accounts into Phorum, implemented as pure console script, as all the scripts under /scripts. (Which implies that we also have a cleartext database of passwords.)

So no problem - but: The cleartext database is buried deeply in the system (as it should be) and maintaining it is a bigger task than it would be - if... (Note: Changing one's password in the game should also update the password for the forums).

My question: Would it be a big problem if I change the few places where Phorum checks cleartext passwords against the stored md5 hash, so that the new algorithm is identical? I am aware that this would be a 'hack'; I did change several templates, but none of Phorum's core code. But there are very few places where these changes would have to be done, on the other hand...

For changing the password storage in the game server software: Big task, digging through C++ code, and it would undo a change already done some time before - I would prefer to leave it as it is.

As I am no expert with these things - are the passwords safer with md5("accountname"."password")? Unsafer? I heard something about 'salting' the md5 hash.

Could I have an opinion to help me decide?

Thank you

OWHorus
Re: Phorum 5.2.18 - Question about password storage
October 13, 2011 09:26PM
Easy! Phorum modules FTW.
user_authenticate hook to the rescue.


Maurice Makaay
Phorum Development Team
Re: Phorum 5.2.18 - Question about password storage
October 13, 2011 09:33PM
Hello and thank you,

I saw this API - but somehow I thought it would disable user profiles and other account information (and fetch them externally). But I have several custom entries in the profile.

Obviously this is only the password check - I misread this. Thank you for the hint.

This will work, I think - I'll try it out.

OWHorus
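
Added illustration, not part of the thread and not Phorum or game-server code: the two hash schemes quoted in the first post, side by side in Python, together with the kind of credential check an authentication hook would run against the game-server hash. Account names, passwords, the `GAME_DB` dictionary and all function names are constructed for this example.

```python
import hashlib
import hmac


def phorum_hash(password: str) -> str:
    """Scheme quoted for Phorum: md5("password")."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def game_hash(account: str, password: str) -> str:
    """Scheme quoted for the game server: md5("accountname"."password")."""
    return hashlib.md5((account + password).encode("utf-8")).hexdigest()


# Constructed sample records: account name -> stored game-server hash.
GAME_DB = {
    "alice": game_hash("alice", "hunter2"),
    "bob": game_hash("bob", "hunter2"),  # same password as alice
}


def authenticate(account: str, password: str, db=GAME_DB) -> bool:
    """Check a login against the stored game-server hash (hypothetical helper)."""
    stored = db.get(account)
    if stored is None:
        return False
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(stored, game_hash(account, password))


def shared_hashes(hashes) -> set:
    """Return the hash values that appear more than once in a list."""
    seen, dup = set(), set()
    for h in hashes:
        (dup if h in seen else seen).add(h)
    return dup


if __name__ == "__main__":
    # md5(password): accounts with the same password store the same hash.
    print(shared_hashes([phorum_hash("hunter2"), phorum_hash("hunter2")]))
    # md5(account.password): the account name makes the stored hashes differ.
    print(shared_hashes(list(GAME_DB.values())))
    # Plain concatenation has no separator, so the name/password split is ambiguous.
    print(game_hash("ab", "cd") == game_hash("a", "bcd"))
    print(authenticate("alice", "hunter2"), authenticate("alice", "wrong"))
```

The account name only makes identical passwords hash differently per account; both schemes remain a single round of MD5.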