Hello,
most needed changes are done now - I hope this will be my last question :-)
We have a database of accounts (players), and only people who have player accounts can use the (new) forums. In this database the passwords (player account is identical to the Phorum access) are stored in MD5 - but slightly different:
The password in our Gameserver is:
md5("accountname"."password")
In Phorum it is
md5("password");
I want the accounts in Phorum for several reasons, so external authentication is no option. I also have a script which imports our player accounts into Phorum, implemented as pure console script, as all the scripts under /scripts. (Which implies, that we also have a cleartext database of passwords)
So no problem - but: The cleartext database is buried deeply in the system (as it should be) and maintaining is a bigger task than it would be - if... (Note: Changing ones password in the game should also update the password for the forums).
My Question: Would it be a big problem, if I change the few places where Phorum checks cleartext passwords against the stored md5 hash, so that the new algorithm is identical? I am aware, that this would be a 'hack', I did change several templates, but none of Phorums core code. But there are very few places where these changes would have to be done, on the other hand...
For changing the password storage in the game server software: Big task, digging through C++ code, and it would undo a change already done some time before - I would prefer to leave it as it is.
As I am no expert with this things - are the passwords safer with md5("accountname"."password")? Unsafer? I heard something about 'salting' the md5 hash.
Could I have an opinion to help me decide?
Thank you
OWHorus
my blog 
linkedin profile 
secret sauce