
I have inherited a site with 3000 users. I want to import all of these users into a new site's database that is based on Dolphin (Boonex).

I have attempted to import the data. User data imports successfully, but not their passwords.

All the passwords are encrypted.

In the old database I am not sure what type of encryption has been used; at a guess I think they are not MD5.

This is the format of one of the passwords currently stored in the Old database.

$2a$10$M/HQVUTyxrdbiwNjokJoUOIbUAK71yvYXKPe1YdFgS2I3Pw6Ojlju

How can I get these passwords to work correctly when imported into the new database?

Is there any method I need to know about to import passwords into a new database that is working within a different framework?

gregwhitaker

1 Answer


That password is BCrypt hashed. (I can tell from the $2a$10$...)

Hopefully your platform has a:

BCrypt.CheckPassword(savedHash, enteredPassword);

function.


From my answer over here:

A BCrypt hash string looks like:

$2a$10$M/HQVUTyxrdbiwNjokJoUOIbUAK71yvYXKPe1YdFgS2I3Pw6Ojlju
$==$==$======================-------------------------------

Where

  • 2a: Algorithm Identifier (BCrypt)
  • 10: Cost Factor (1,024 rounds)
  • M/HQVUTyxrdbiwNjokJoUO: OpenBSD-Base64 encoded salt (22 characters, 16 bytes)
  • IbUAK71yvYXKPe1YdFgS2I3Pw6Ojlju: OpenBSD-Base64 encoded hash (31 characters, 24 bytes)

Edit: i just noticed these words fit exactly. i had to share:

$2a$10$TwentytwocharactersaltThirtyonecharacterspasswordhash
$==$==$======================-------------------------------

But BCrypt was created by guys who were working on OpenBSD. OpenBSD already defines a format for their password file:

$[HashAlgorithmIdentifier]$[AlgorithmSpecificData]

This means that the "bcrypt specification" is inexorably linked to the OpenBSD password file format. And whenever anyone creates a "bcrypt hash" they always convert it to an ISO-8859-1 string of the format:

$2a$[Cost]$[Base64Salt][Base64Hash]

A few important points:

  • 2a is the algorithm identifier
    • 1: MD5
    • 2: early bcrypt, which had confusion over which encoding passwords are in (obsolete)
    • 2a: current bcrypt, which specifies passwords as UTF-8 encoded
  • Cost is a cost factor used when computing the hash. The "current" value is 10, meaning the internal key setup goes through 1,024 rounds
    • 10: 2^10 = 1,024 iterations
    • 11: 2^11 = 2,048 iterations
    • 12: 2^12 = 4,096 iterations
  • the base64 algorithm used by the OpenBSD password file is not the same Base64 encoding that everybody else uses; they have their own:

    Regular Base64 Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
        BSD Base64 Alphabet: ./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
    

    So any implementations of bcrypt cannot use any built-in, or standard, base64 library


Armed with this knowledge, you can now verify a password correctbatteryhorsestapler against the saved hash:

$2a$12$mACnM5lzNigHMaf7O1py1O3vlf6.BA8k8x3IoJ.Tq3IB/2e7g61Km
Ian Boyd
  • Thanks, so now I know that they are BCrypt hashes. Do you have any advice on how I can get these passwords to work in a different database and environment? – GarytheWorm Nov 10 '12 at 18:02
  • You have to use BCrypt to *verify* their passwords. You will never know the user's current passwords (which is the entire point: nobody should ever be able to see anyone's password). In your new system you will have to get ahold of a BCrypt implementation. When the Boonex system asks you to validate a set of credentials (i.e. *username*, *password*) you will use BCrypt to verify the password. – Ian Boyd Mar 12 '15 at 14:57
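The answer above describes the `$2a$cost$salt+hash` layout and the OpenBSD base64 alphabet, and then says to verify candidates with a bcrypt implementation rather than trying to recover the passwords. The following is an added example, not code from the original post or from Boonex Dolphin: it parses the two hashes quoted in the answer into identifier, cost, 16-byte salt and 23-byte digest with a hand-written OpenBSD-alphabet decoder (standard library only), shows that the stdlib base64 decoder reads the same salt characters differently, and delegates the actual comparison to the third-party `bcrypt` PyPI package if it is installed (that package and its `checkpw` call are an assumption about the target environment; Dolphin's own password storage is not described on this page). It goes slightly beyond the post by also accepting the later `2b`/`2y`/`2x` identifier variants, which use the same layout.

```python
"""Parse bcrypt's modular-crypt-format string and verify a legacy password.

Added example for the answer above; not code from the original post or from
Boonex Dolphin. Standard library only, except for the optional third-party
'bcrypt' package used in verify_legacy_password().
"""
import base64
from dataclasses import dataclass

# OpenBSD's bcrypt alphabet: the same 64 symbols as RFC 4648 base64, but in a
# different order ('.' and '/' come first, '+' is not used), and no '=' padding.
BSD_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_BSD_INDEX = {c: i for i, c in enumerate(BSD_ALPHABET)}

SALT_CHARS, SALT_BYTES = 22, 16   # 128-bit salt
HASH_CHARS, HASH_BYTES = 31, 23   # bcrypt computes 24 bytes but stores only 23
KNOWN_IDS = {"2", "2a", "2b", "2x", "2y"}   # 2b/2x/2y are later variants of 2a

# The two hashes quoted in the answer above.
OLD_HASH = "$2a$10$M/HQVUTyxrdbiwNjokJoUOIbUAK71yvYXKPe1YdFgS2I3Pw6Ojlju"
NEW_HASH = "$2a$12$mACnM5lzNigHMaf7O1py1O3vlf6.BA8k8x3IoJ.Tq3IB/2e7g61Km"


def bsd_b64decode(chars: str) -> bytes:
    """Decode OpenBSD base64: 6 bits per symbol, leftover bits are dropped."""
    acc = bits = 0
    out = bytearray()
    for c in chars:
        if c not in _BSD_INDEX:
            raise ValueError(f"character {c!r} is not in the bcrypt alphabet")
        acc = (acc << 6) | _BSD_INDEX[c]
        bits += 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
            acc &= (1 << bits) - 1
    return bytes(out)


def bsd_b64encode(data: bytes) -> str:
    """Encode with the OpenBSD alphabet; the final symbol is zero-padded on the right."""
    acc = bits = 0
    out = []
    for b in data:
        acc = (acc << 8) | b
        bits += 8
        while bits >= 6:
            bits -= 6
            out.append(BSD_ALPHABET[(acc >> bits) & 0x3F])
            acc &= (1 << bits) - 1
    if bits:
        out.append(BSD_ALPHABET[(acc << (6 - bits)) & 0x3F])
    return "".join(out)


@dataclass(frozen=True)
class BcryptHash:
    ident: str     # "2a" etc.
    cost: int      # log2 of the key-setup iteration count
    salt: bytes    # 16 bytes
    digest: bytes  # 23 bytes

    @property
    def rounds(self) -> int:
        return 1 << self.cost


def parse_bcrypt(s: str) -> BcryptHash:
    """Split '$2a$10$<22 salt chars><31 hash chars>' into fields, rejecting anything else."""
    parts = s.split("$")            # -> ['', '2a', '10', '<53 chars>']
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not in $id$cost$saltHash form")
    _, ident, cost_s, body = parts
    if ident not in KNOWN_IDS:
        raise ValueError(f"unknown identifier ${ident}$ (not bcrypt)")
    if len(cost_s) != 2 or not cost_s.isdigit():
        raise ValueError("cost must be two decimal digits")
    cost = int(cost_s)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    if len(body) != SALT_CHARS + HASH_CHARS:
        raise ValueError(f"expected {SALT_CHARS + HASH_CHARS} salt+hash chars, got {len(body)}")
    return BcryptHash(ident, cost,
                      bsd_b64decode(body[:SALT_CHARS]),
                      bsd_b64decode(body[SALT_CHARS:]))


def format_bcrypt(h: BcryptHash) -> str:
    """Inverse of parse_bcrypt; a well-formed hash round-trips character for character."""
    return f"${h.ident}${h.cost:02d}${bsd_b64encode(h.salt)}{bsd_b64encode(h.digest)}"


def standard_base64_misreads(salt_chars: str) -> bool:
    """True when RFC 4648 decoding of the same 22 salt characters gives different
    bytes: the alphabets are permutations of each other, so stdlib base64 is not a drop-in."""
    rfc = base64.b64decode(salt_chars + "==")   # pad 22 chars up to a multiple of 4
    return rfc != bsd_b64decode(salt_chars)


def verify_legacy_password(stored_hash: str, candidate: str):
    """Verify a candidate against a legacy bcrypt hash with the third-party 'bcrypt'
    package (assumed available; returns None if it is not). parse_bcrypt runs first so a
    row that is not a bcrypt hash fails loudly instead of silently never matching."""
    parse_bcrypt(stored_hash)
    try:
        import bcrypt   # PyPI 'bcrypt'; not part of the standard library
    except ImportError:
        return None
    # $2a$ defines the password as UTF-8, hence the explicit encoding.
    return bcrypt.checkpw(candidate.encode("utf-8"), stored_hash.encode("ascii"))


if __name__ == "__main__":
    h = parse_bcrypt(OLD_HASH)
    print(h.ident, h.cost, h.rounds, h.salt.hex(), h.digest.hex())
    print(format_bcrypt(h) == OLD_HASH)
    print(verify_legacy_password(NEW_HASH, "correctbatteryhorsestapler"))
```

For the migration itself the practical consequence is that the importer should copy the 60-character hash string into the new table verbatim (no re-encoding, trimming or case changes, since the base64 alphabet is case-sensitive), and the new site's login path must run the candidate password through bcrypt against that string. If the new framework's native password scheme is something else (this page does not say what Dolphin uses), the usual pattern is to verify against the legacy bcrypt hash on a successful login and then re-hash the password in the native scheme at that moment, so users are migrated one at a time without anyone ever seeing their passwords.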