Bcrypt cost factor 10

I’m an absolute noob at encryption so forgive me if I’m missing something simple here. I’m trying to register new users to my site into my XenForo forum. From what I can find XenForo uses bcrypt with a cost factor of 10. I’ve figured out how to use bcrypt, but there doesn’t seem to be a cost factor option and the data it’s putting into the table is smaller than what’s created when you register on the forum manually. User 1 below created manually, the other two via Wappler. I can log into the first, but the other two return wrong password.

Any ideas?
Thanks
Heather

@Teodor - After a bit of research I assume Wappler is using some standard cost factor for bcrypt? I’m guessing it’s set at 6? Would it be possible to get this as an option? Thanks.

Are you trying to generate a password hash compatible with the one of XenForo or would you like to validate the hash? I did a small search and the default cost factor for XenForo is indeed 10, but it is configurable and also other cost factors can be validated.

btw the default in Wappler is also 10

Thanks Patrick. I’ll have a look.

I don’t have access to their php code, but it is possible that the password is also salted, so you need to know the salt and how they salted it. Also I see on the screenshot it is stored as a blob instead of a string, perhaps they have an extra conversion step for storing it in the db.
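An added example, not part of the original thread and not XenForo or Wappler code: a bcrypt hash string carries its own version, cost factor and salt, so two stored values can be inspected to see why they differ in size or cost. The sample values and the wrapper around one of them are constructed for illustration and are assumptions, not XenForo's actual storage format.

```python
import re

# bcrypt modular-crypt layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    rb"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)


def inspect_stored_value(value: bytes) -> dict:
    """Describe what a stored password column holds, without verifying anything."""
    match = BCRYPT_RE.search(value)
    if match is None:
        # 32 hex characters is the shape of an MD5 digest, not bcrypt.
        kind = "md5-like" if re.fullmatch(rb"[0-9a-fA-F]{32}", value) else "unknown"
        return {"kind": kind, "length": len(value)}
    version, cost, salt, _digest = match.groups()
    return {
        "kind": "bcrypt",
        "version": version.decode(),
        "cost": int(cost),                # bcrypt runs 2**cost key-expansion iterations
        "salt": salt.decode(),            # the salt travels inside the hash string
        "bare": match.group(0) == value,  # False: the hash is wrapped in other data
        "length": len(value),
    }


def compare(manual: bytes, generated: bytes) -> list:
    """List the differences that would stop one system accepting the other's row."""
    a, b = inspect_stored_value(manual), inspect_stored_value(generated)
    problems = []
    if a["kind"] != b["kind"]:
        problems.append(f"algorithm differs: {a['kind']} vs {b['kind']}")
    elif a["kind"] == "bcrypt":
        if a["bare"] != b["bare"]:
            problems.append("one value wraps the hash in extra data, the other is bare")
        if a["cost"] != b["cost"]:
            problems.append(f"cost differs: {a['cost']} vs {b['cost']} (still verifiable)")
    return problems


# Constructed samples: correct shape only, not real hashes of any password.
BARE = b"$2y$10$" + b"abcdefghijklmnopqrstuv" + b"ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
WRAPPED = b'{"hash":"' + BARE + b'"}'  # hypothetical wrapper, not XenForo's format
LOW_COST = BARE.replace(b"$10$", b"$06$")

if __name__ == "__main__":
    for name, sample in [("bare", BARE), ("wrapped", WRAPPED), ("low cost", LOW_COST)]:
        print(name, inspect_stored_value(sample))
    print(compare(WRAPPED, BARE))
```

A cost mismatch alone does not break login, because a bcrypt verifier reads the cost from the stored hash; a wrapper or a different algorithm does.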

Yikes! This security stuff is complicated. Thanks for looking into it.

Problem is that there is no standard that says how you have to implement it, so everyone implements it differently.

I’m thinking I might be better off to register users in XenForo and use that in my app, rather than the other way around. Seems like they have all the security stuff well sorted so that might make more sense than me trying to recreate the wheel.

I think I’ve found how they hash in the functions_users.php file.

$salt = generate_salt();
$hash = md5(md5($salt).md5($password));

function generate_salt()
{
	return random_str(8);
}

@patrick - do you know how this would translate into Wappler?

Thanks.

Do you have an old version of the forum? The md5 hashing isn’t really secure nowadays. Expression for the above would be (salt.md5() + password.md5()).md5().

I wouldn’t have thought so as I just bought it a couple weeks ago.

I must have found some code that’s no longer used as that didn’t work. Hmmm