After migration passwords...



  • Hi !
    Me again. I'm hitting a huge wall before finally migrating my whole forum (http://robocraftgame.fr/forum) to NodeBB. After @bentael's amazing work on an IPB migration tool, we are forced to re-create all users' passwords to avoid the problem of the (impossible) conversion of MD5 to bcrypt, so I'm here to request a "simple" plugin:
    1: We convert the forum with @bentael's tool; all passwords are set to "undefined" or something else.
    2: A converted user tries to log in. They enter their old password and it doesn't work. Now the plugin checks the "encrypted" password and sees that it is set to "undefined".
    3: A big popup, or something else, pops up and tells the user they need to re-create their password.
    4: They agree, and a reset-password mail is sent, which contains the procedure to get back their account 🙂

    Thanks for reading!



  • @Technowix I'm not sure if this is a possible solution, but what about adding an SSO auth plugin like 'nodebb-plugin-sso-google' and having users log in via Google temporarily? Then, once they log in through Google, they can go to their profile page and set their password to whatever they want. I'm assuming that if it's undefined they can leave the 'current password' field blank when setting their new password on the profile > edit page.

    It would go like this:

    1. Install some NodeBB SSO plugin (maybe Facebook and Google) <-- DO NOT USE TWITTER
    2. Turn off local logins
    3. Have users log in via Facebook or Google
    4. Have users set new passwords on their profile page
    5. Turn local logins back on and remove the Facebook and Google SSO plugins

    What you're suggesting is a bit more complicated than you think it is. Also, what would stop someone from just trying to log in as any user and setting a new password?

    EDIT: The users have to log in via Google or Facebook with the same email they use for your site for this to work properly. If not, it will just create a new user...



  • Eh, thanks for the reply, but that's not possible. I have nearly 650 members, and some won't connect every week, so I want a "durable" solution that I can run for about one year 🙂!
    I just want to notify users if they came from the old forum; in fact, I just want them to reset their passwords ^^
    Thanks anyway!
    Edit too: this is not easy for everybody; I have a lot of "pretty old" members, and more or less they don't want to use Facebook or Google...



  • @Technowix

    Hmm...what about just putting a banner on your login page telling users to reset their passwords via the 'forgot password' link?

    Very minor inconvenience...



  • I tried that, but not everybody sees it on the first (and catastrophic) try ^^' This is not really a geeky community...



  • @Technowix

    Well, one other solution would be to dump the MD5 passwords and crack them with 'John the Ripper', then spend a day typing them in manually for each user... if you have a few people helping it would only take 2-3 hours.

    Just a thought...



  • @mootzville x'D I think this is not a real solution, and not very friendly to the privacy of our users ^^


  • Global Moderator

    I did recommend a possible solution to this a few months back, but nothing seems to have happened with it. So it's probably not high on the priorities.

    My "solution" was to bring the MD5/SHA-1 password over, dependent on the software import plugin used, separate from the bcrypt. When the user tries to log in with their old password, it would try to decrypt with bcrypt; if bcrypt is null (which it would be) then it would attempt the MD5 or SHA-1 field. If that passed, you've got the plain text password, which can be encrypted to bcrypt, and the MD5/SHA-1 field can then be nulled.

    This is the recommended way of handling something like this when changing security protocols. It would require a bit of work; MD5 is pretty simple, but SHA-1 for something like SMF would require the decryption process to be added in.



  • @a_5mith Arh, with IPBoard, every user has their personal encryption key in MD5. I don't know if this is a problem, but hey, I don't know how to program x'D I would likely pay someone if I got my first bill from AdSense one day, but for now, I can't :'D
    And I think @bentael won't want to spend more of his time on pre-decryption of passwords :'D



  • @a_5mith's suggestion is yet another way to do this, but at the end of the day, if you want to convert the passwords they have to become plain text along the way...

    Also, regarding their privacy... if they are MD5 they're basically as good as plain text anyway, so no reason not to convert them...

    Otherwise, you should really consider an sso-plugin or login warning...there's probably no other way...

    You basically have two options:

    1. Inconvenience yourself and convert the passwords
    2. Inconvenience your users and have them update their passwords

    Either way someone will be inconvenienced...it sucks but it's true...

    I would doubt someone is going to provide a one-click fix for this.



  • @mootzville said:

    @a_5mith's suggestion is yet another way to do this, but at the end of the day, if you want to convert the passwords they have to become plain text along the way...

    Also, regarding their privacy... if they are MD5 they're basically as good as plain text anyway, so no reason not to convert them...

    Otherwise, you should really consider an sso-plugin or login warning...there's probably no other way...

    You basically have two options:

    1. Inconvenience yourself and convert the passwords
    2. Inconvenience your users and have them update their passwords

    Either way someone will be inconvenienced...it sucks but it's true...

    I would doubt someone is going to provide a one-click fix for this.

    IPB uses the MD5(MD5($salt) . MD5($password)) hashing algorithm. IMO the better way would be to try logging into the old database first with the IPB algo; if it succeeds, then hash the new password with bcrypt and store it. Not sure if you can hook into the login system, so it will probably require editing the source.


  • Admin

    @xbenjii Yes, I suppose that is the difficult part of migrating passwords: all of these old forum softwares use different ways of hashing passwords (all using MD5, of course, heh).

    Not just plain MD5, but some with salts, some with MD5-hashed salts, some with salts prepended then hashed, some appended, some salted a whole bunch of times... the list goes on to infinity XD


  • Plugin & Theme Dev

    @Technowix

    Part of your conversion to NodeBB is a more secure encryption algorithm. Not being able to convert passwords is not an expensive price.

    Any other solution will take some time and won't be perfect nor as secure as NodeBB was designed to be.

    Don't get me wrong, I am not against a plugin solution (SHA-1 then fallback to MD5) if the users want to have it, but I don't think it's that easy.

    @a_5mith's way is possible, but the problem is that you need that MD5 comparison to go through the original forum logic (adding salt and such), just like @xbenjii and @julian mentioned.

    I guess one way I can do that is the following (I am also brainstorming here, so it's verbose):

    • While importing, I can store the old MD5 hash next to each user's record in the NodeBB DB, i.e. user._imported_password. I do it anyway now (temporarily) for other fields such as _imported_uid, _imported_signature and a few others, to convert post the import process.

    • Each exporter module would need to add an extra API function, i.e. MyExporter.comparePassword. The implementation of this one is forum specific, so IPB would be different from SMF, phpBB, etc.

    • Use a NodeBB filter:user.login hook to intercept the login process and compare the user-entered plain text password to the one stored in _imported_password, ONLY if user.password is NULL && _imported_password is still there && nodebb-plugin-import is still activated && exporter.comparePassword is implemented.

    • If the password comparison passes, as @a_5mith suggested, update the user's password using the core NodeBB functions; if not, let NodeBB tell the user that the password is incorrect.

    • Then introduce some sort of action:password.updated hook (would need core NodeBB changes) to fire another action in the plugin that deletes user._imported_password and never talks about it again. This way, if a user doesn't even bother with logging in and decides to reset their password, the same logic occurs anyway and _imported_password also gets deleted.

    I can implement all that in a few days (but can't start for a few weeks); however, this solution is ONLY possible if each ExporterModule implements the comparePassword function correctly, which means digging into each forum's source and writing it in JavaScript. This is the challenging part really, and if you're willing to help, I'll take it.

    As of today

    The importer, by default (there is a hidden random password generator config), will create all users with null passwords, so when they try their new passwords, it won't work, and they are forced to reset it.

    This is what I suggest you do if you want to convert before all this:

    After importing, open the "Post-Import tools", download users.csv and use this web tool to email your users an "Announcement" email introducing your re-designed forum, with the caveat that everyone needs to reset their passwords "in order to increase security".



  • Ewh, this looks fancy :') but hard, yes, this gives you even more work 😕!
    Also, your app looks fancy, and I think I will do that ^^' but, if anybody doesn't look at their mail before going on the forum... arh


  • Plugin & Theme Dev

    I will attempt to do that as soon as I can take a breath from my current work load.
    https://github.com/akhoury/nodebb-plugin-import/issues/64



  • @bentael You're a god, thanks! 🙂



  • What's up with it @bentael? 😄


  • Plugin & Theme Dev

    Nothing yet man, I am seriously buried with work between my day job and the NodeBB importer backlog. Maybe in Feb I will take a look.



  • @bentael Okay, thanks ❤! We can wait one more month I think 😛



