[web2py] Re: migrate passwords from phpBB

2011-12-19 Thread Anthony
I suppose the salt may be attached to the hashed password, so you may have 
to pull off the salt, use it to hash the password, then add it to the hash. 
The .check_password() method probably does that automatically. Maybe you 
can just use that method directly.

Anthony

On Monday, December 19, 2011 10:45:17 AM UTC-5, greenguerilla wrote:
>
> Hi Anthony,
>
> I'm using this python module which claims to mimic the encryption used
> in phpBB:
> https://github.com/exavolt/python-phpass
> It seems to be working fine so far.
>
> Here are some examples:
>
> In [11]: import phpass
>
> In [12]: from phpass import PasswordHash
>
> In [13]: p = PasswordHash()
>
> In [14]: password = 'mypassword'
>
> In [15]: hash1 = p.hash_password(password)
>
> In [16]: hash2 = p.hash_password(password)
>
> In [17]: hash3 = p.hash_password(password)
>
> In [18]: hash1 == hash2
> Out[18]: False
>
> In [19]: hash1 == hash3
> Out[19]: False
>
> In [20]: hash2 == hash3
> Out[20]: False
>
> In [22]: p.check_password(password, hash1)
> Out[22]: True
>
> In [23]: p.check_password(password, hash2)
> Out[23]: True
>
> In [24]: p.check_password(password, hash3)
> Out[24]: True
>
> In [25]: wrongHash = p.hash_password('notmypassword')
>
> In [26]: p.check_password(password, wrongHash)
> Out[26]: False
>
>
> With regard to the issue of the hash being different every time, I
> reckon it is because this algorithm uses a salt
> (http://en.wikipedia.org/wiki/Salt_%28cryptography%29). Apparently it is more
> secure...
>
> Regards,
>
> John
>
> On Dec 16, 4:07 pm, Anthony wrote:
> > > Unfortunately this solution will not work for me as I get a different
> > > hash every time I call the hash password function for the same
> > > plaintext password.
> >
> > What hash function are you using? If you use the same key, it should
> > always return the same output for a given input.
>

[web2py] Re: migrate passwords from phpBB

2011-12-19 Thread greenguerilla
Hi Anthony,

I'm using this python module which claims to mimic the encryption used
in phpBB:
https://github.com/exavolt/python-phpass
It seems to be working fine so far.

Here are some examples:

In [11]: import phpass

In [12]: from phpass import PasswordHash

In [13]: p = PasswordHash()

In [14]: password = 'mypassword'

In [15]: hash1 = p.hash_password(password)

In [16]: hash2 = p.hash_password(password)

In [17]: hash3 = p.hash_password(password)

In [18]: hash1 == hash2
Out[18]: False

In [19]: hash1 == hash3
Out[19]: False

In [20]: hash2 == hash3
Out[20]: False

In [22]: p.check_password(password, hash1)
Out[22]: True

In [23]: p.check_password(password, hash2)
Out[23]: True

In [24]: p.check_password(password, hash3)
Out[24]: True

In [25]: wrongHash = p.hash_password('notmypassword')

In [26]: p.check_password(password, wrongHash)
Out[26]: False


With regard to the issue of the hash being different every time, I
reckon it is because this algorithm uses a salt
(http://en.wikipedia.org/wiki/Salt_%28cryptography%29). Apparently it is more
secure...

Regards,

John

On Dec 16, 4:07 pm, Anthony wrote:
> > Unfortunately this solution will not work for me as I get a different
> > hash every time I call the hash password function for the same
> > plaintext password.
>
> What hash function are you using? If you use the same key, it should always
> return the same output for a given input.


[web2py] Re: migrate passwords from phpBB

2011-12-16 Thread Anthony

>
> Unfortunately this solution will not work for me as I get a different
> hash every time I call the hash password function for the same
> plaintext password.
>
What hash function are you using? If you use the same key, it should always
return the same output for a given input.


[web2py] Re: migrate passwords from phpBB

2011-12-16 Thread greenguerilla
Hi,

I tested using a custom login_onvalidation method:

auth.settings.login_onvalidation = PHPBBDECRYPT()

Using this method I get the form and I can manipulate its variables prior to
returning the form, however as far as I can see I would be expected to
return the hashed value that will later be compared with the hashed
value in the database:

if temp_user[passfield] == form.vars.get(passfield, ''):

Unfortunately this solution will not work for me as I get a different
hash every time I call the hash password function for the same
plaintext password.
What I need to do is use a special function called check password
which uses some bcrypt magic to verify that a given plaintext password
corresponds to a given hash.

Is there somewhere outside of the Auth class where I can put code
which compares the stored hash in the database with the submitted
plaintext password in order to validate the user by returning True or
False?

Thanks,

John

On Dec 14, 4:37 pm, greenguerilla wrote:
> Hi Anthony,
>
> Thank you for your reply. I will investigate these options and will
> let the group know how I get on.
>
> Cheers,
>
> John
>
> On Dec 13, 5:22 pm, Anthony wrote:
>
> > > On Tuesday, December 13, 2011 10:50:15 AM UTC-5, greenguerilla wrote:
>
> > > Hi,
>
> > > I have also been trying to migrate existing user accounts from phpbb
> > > to a web2py system.
> > > The below solution works well for registering new users, however in
> > > order to successfully validate these passwords during the login
> > > process
> > > I made some changes to the framework itself:
>
> > > I have added into gluon/tools.py at line 1753 (latest stable version
> > > of web2py) at the end of the 'user is in db' clause of the login method
> > > of the Auth class.
>
> > > if self.phpbb_checkpw(temp_user[passfield], request.vars[passfield]):
> > >     user = temp_user
>
> > > This phpbb_checkpw function returns True or False depending on whether
> > > or not the plaintext password (from form) matches the stored hash.
> > > This is an awkward way to do things and I am wondering if there are
> > > any hooks I can avail of in order to validate a user entered plaintext
> > > password against the stored hash and thus keep my custom code outside
> > > of the framework?
>
> > As suggested earlier, can you just create a custom validator for the
> > password field that hashes it, so it will match the stored hash?
>
> > Another option is using auth.settings.login_onvalidation, which is a
> > function that takes the login form (and can manipulate the form vars) right
> > after validation (but before the rest of the login logic).
>
> > Anthony


[web2py] Re: migrate passwords from phpBB

2011-12-14 Thread greenguerilla
Hi Anthony,

Thank you for your reply. I will investigate these options and will
let the group know how I get on.

Cheers,

John

On Dec 13, 5:22 pm, Anthony wrote:
> On Tuesday, December 13, 2011 10:50:15 AM UTC-5, greenguerilla wrote:
>
> > Hi,
>
> > I have also been trying to migrate existing user accounts from phpbb
> > to a web2py system.
> > The below solution works well for registering new users, however in
> > order to successfully validate these passwords during the login
> > process
> > I made some changes to the framework itself:
>
> > I have added into gluon/tools.py at line 1753 (latest stable version
> > of web2py) at the end of the 'user is in db' clause of the login method
> > of the Auth class.
>
> > if self.phpbb_checkpw(temp_user[passfield], request.vars[passfield]):
> >     user = temp_user
>
> > This phpbb_checkpw function returns True or False depending on whether
> > or not the plaintext password (from form) matches the stored hash.
> > This is an awkward way to do things and I am wondering if there are
> > any hooks I can avail of in order to validate a user entered plaintext
> > password against the stored hash and thus keep my custom code outside
> > of the framework?
>
> As suggested earlier, can you just create a custom validator for the
> password field that hashes it, so it will match the stored hash?
>
> Another option is using auth.settings.login_onvalidation, which is a
> function that takes the login form (and can manipulate the form vars) right
> after validation (but before the rest of the login logic).
>
> Anthony


[web2py] Re: migrate passwords from phpBB

2011-12-13 Thread Anthony
On Tuesday, December 13, 2011 10:50:15 AM UTC-5, greenguerilla wrote:
>
>
> Hi,
>
> I have also been trying to migrate existing user accounts from phpbb
> to a web2py system.
> The below solution works well for registering new users, however in
> order to successfully validate these passwords during the login
> process
> I made some changes to the framework itself:
>
> I have added into gluon/tools.py at line 1753 (latest stable version
> of web2py) at the end of the 'user is in db' clause of the login method
> of the Auth class.
>
> if self.phpbb_checkpw(temp_user[passfield], request.vars[passfield]):
>     user = temp_user
>
> This phpbb_checkpw function returns True or False depending on whether
> or not the plaintext password (from form) matches the stored hash.
> This is an awkward way to do things and I am wondering if there are
> any hooks I can avail of in order to validate a user entered plaintext
> password against the stored hash and thus keep my custom code outside
> of the framework?
>
As suggested earlier, can you just create a custom validator for the 
password field that hashes it, so it will match the stored hash?

Another option is using auth.settings.login_onvalidation, which is a 
function that takes the login form (and can manipulate the form vars) right 
after validation (but before the rest of the login logic).

Anthony


[web2py] Re: migrate passwords from phpBB

2011-12-13 Thread greenguerilla

Hi,

I have also been trying to migrate existing user accounts from phpbb
to a web2py system.
The below solution works well for registering new users, however in
order to successfully validate these passwords during the login
process
I made some changes to the framework itself:

I have added into gluon/tools.py at line 1753 (latest stable version
of web2py) at the end of the 'user is in db' clause of the login method
of the Auth class.

if self.phpbb_checkpw(temp_user[passfield], request.vars[passfield]):
    user = temp_user

This phpbb_checkpw function returns True or False depending on whether
or not the plaintext password (from form) matches the stored hash.
This is an awkward way to do things and I am wondering if there are
any hooks I can avail of in order to validate a user entered plaintext
password against the stored hash and thus keep my custom code outside
of the framework?

Thanks!

John




On Dec 12, 3:24 pm, Massimo Di Pierro wrote:
> yes.
>
> On Dec 12, 5:56 am, thodoris wrote:
>
> > I am trying to migrate users from phpBB whose passwords have been encrypted
> > with php_pass. There is a python module that mimics the functionality of
> > php_pass and i am wondering what is the best way to override the default
> > encryption of web2py.
>
> > Is it sufficient to override CRYPT() using something like:
>
> > db.auth_user.password.requires = MyCrypt()
>
> > Thanks


[web2py] Re: migrate passwords from phpBB

2011-12-12 Thread Massimo Di Pierro
yes.

On Dec 12, 5:56 am, thodoris wrote:
> I am trying to migrate users from phpBB whose passwords have been encrypted
> with php_pass. There is a python module that mimics the functionality of
> php_pass and i am wondering what is the best way to override the default
> encryption of web2py.
>
> Is it sufficient to override CRYPT() using something like:
>
> db.auth_user.password.requires = MyCrypt()
>
> Thanks
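
The two things this thread converges on, a CRYPT()-style validator that writes phpBB-compatible hashes (thodoris's `db.auth_user.password.requires = MyCrypt()` question, answered "yes" above) and a login check that re-hashes the submitted password with the salt taken from the stored hash (Anthony's suggestion at the top of the thread), as one added example. This is not web2py's, phpBB's or python-phpass's code: it reimplements the public phpass "portable" ($P$/$H$) algorithm with hashlib only, so it runs offline. PhpassCrypt, rehash_for_login and ITERATION_LOG2 are names chosen here, UTF-8 encoding of submitted passwords is an assumption, the web2py form and database objects are not modelled, and the known-answer hash is phpass's own published test vector.

```python
"""Portable phpass ($P$/$H$) hashes as used by phpBB 3, in pure Python.

Added example; not web2py's, phpBB's or python-phpass's code. Hypothetical
names: PhpassCrypt, rehash_for_login, ITERATION_LOG2. Assumption: passwords
are UTF-8 encoded before hashing (phpBB hashes the bytes the form submitted).
"""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ITERATION_LOG2 = 11  # assumption for new hashes: 2**11 MD5 rounds ('$P$9...')


def _encode64(raw, count):
    """phpass's own base64 variant: little-endian 6-bit groups, no padding."""
    out = []
    i = 0
    while True:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def crypt_private(password, setting):
    """Hash `password` under the parameters carried in `setting`.

    `setting` is a fresh salt from gensalt() or an existing hash: only its
    first 12 characters are read ('$P$' or '$H$', one iteration-count
    character, eight salt characters), which is what lets a stored hash be
    reused as the salt when verifying. A malformed setting yields '*0' or
    '*1', which can never equal a real hash, as in the PHP original.
    """
    output = "*1" if setting.startswith("*0") else "*0"
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return output
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return output
    pw = password.encode("utf-8")
    digest = hashlib.md5(setting[4:12].encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def gensalt(count_log2=ITERATION_LOG2):
    """'$P$' + count character + 8 salt characters from 6 random bytes."""
    return "$P$" + ITOA64[count_log2] + _encode64(os.urandom(6), 6)


def hash_password(password):
    """New hash with a fresh random salt: a different string on every call."""
    return crypt_private(password, gensalt())


def check_password(password, stored_hash):
    """Re-hash with the stored hash's salt and count, compare in constant time."""
    return hmac.compare_digest(crypt_private(password, stored_hash), stored_hash)


class PhpassCrypt(object):
    """Stand-in for web2py's CRYPT() on the password field. web2py validators
    are callables returning (value, None) on success, so registration then
    stores a hash phpBB itself would accept."""

    def __call__(self, value):
        return hash_password(value), None


def rehash_for_login(plaintext, stored_hash):
    """The salt-reuse step: hash the submitted plaintext under the stored
    hash's salt and count. Put into form.vars[passfield] by a
    login_onvalidation callback (the plaintext is still in
    request.vars[passfield], as in John's patch), it makes web2py's own
    `temp_user[passfield] == form.vars.get(passfield, '')` test succeed."""
    return crypt_private(plaintext, stored_hash)


if __name__ == "__main__":
    known = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"  # phpass's published vector
    print(check_password("test12345", known))      # True
    h1, h2 = hash_password("mypassword"), hash_password("mypassword")
    print(h1 != h2, check_password("mypassword", h1), check_password("mypassword", h2))
    print(rehash_for_login("test12345", known) == known)
```

Because the iteration count and salt are read back from the first 12 characters of the stored string, check_password accepts hashes phpBB created with any count, and rehash_for_login returns exactly the stored hash for the right password and a different string for any other, which is all web2py's equality test needs. The hash strings are compared with hmac.compare_digest rather than == so the comparison does not leak how many leading characters matched.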