Can I convert password hash from SHA256 to SALTED2MD5?

[smartmadio]

I'm using 'passwordHash: SHA256' now and for some kind of reason I need to change the passwordhash to SALTED2MD5.

I've tried to change the setting 'supportOldPasswordHash' to 'true',when I tried to login with new setting it told me that the password is wrong,but when I restored the old setting, I could login again with the same password.

Old setting:

    backend: mysql
    unLoggedinGroup: unLoggedinGroup
    passwordHash: SHA256
    doubleMD5SaltLength: 8
    supportOldPasswordHash: false

New setting:

    backend: mysql
    unLoggedinGroup: unLoggedinGroup
    passwordHash: SALTED2MD5
    doubleMD5SaltLength: 8
    supportOldPasswordHash: true

Seems like authme didn't try SHA256 when I changed passwordHash to SALTED2MD5 and enabled supportOldPasswordHash.

Need your help,thank you very much.

[snuufix]

sha256 is newer and much better hashing algorithm than md5. For more than 5 years md5 with or without salt is considered broken and unsecure because of popularity of big rainbow tables and hash collision occasions because of small length (so salts don't add much security to them, except for common password rainbow table attack). The problem with md5 is that on modern hardware you can generate billions of them in second. That setting is for old algotithms and md5 is really old and generally considered unsecure and bad practise. So the setting would work if you would upgrade from md5, not to md5. Whatever the reasons you have to downgrade, I would recommend to solve this at that end, for sake of security.

[smartmadio]

Yes, I now it.But I really need it ,because Discuz! uses SALTED2MD5 to store the password,if I want to sync password with Discuz! I have to use SALTED2MD5.

And if I want to transform from SALTED2MD5 to SHA256,it still won't work,too.

[20:22:14] [Craft Scheduler Thread - 14/WARN]: [AuthMe] Bcrypt checkpw() returned [IllegalArgumentException]: Invalid salt version
[20:22:14] [Craft Scheduler Thread - 14/WARN]: Exception in thread "Craft Scheduler Thread - 14" 
[20:22:14] [Craft Scheduler Thread - 14/WARN]: org.apache.commons.lang.UnhandledException: Plugin AuthMe v5.2-SNAPSHOT-b682 generated an exception while executing task 249
    at org.bukkit.craftbukkit.v1_8_R3.scheduler.CraftAsyncTask.run(CraftAsyncTask.java:56)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
    at fr.xephi.authme.security.HashUtils.hash(HashUtils.java:80)
    at fr.xephi.authme.security.HashUtils.md5(HashUtils.java:52)
    at fr.xephi.authme.security.crypts.IPB3.computeHash(IPB3.java:17)
    at fr.xephi.authme.security.crypts.SeparateSaltMethod.comparePassword(SeparateSaltMethod.java:22)
    at fr.xephi.authme.security.PasswordSecurity.compareWithAllEncryptionMethods(PasswordSecurity.java:72)
    at fr.xephi.authme.security.PasswordSecurity.comparePassword(PasswordSecurity.java:53)
    at fr.xephi.authme.process.login.AsynchronousLogin.process(AsynchronousLogin.java:142)
    at fr.xephi.authme.process.Management$1.run(Management.java:36)
    at org.bukkit.craftbukkit.v1_8_R3.scheduler.CraftTask.run(CraftTask.java:71)
    at org.bukkit.craftbukkit.v1_8_R3.scheduler.CraftAsyncTask.run(CraftAsyncTask.java:53)
    ... 3 more

[snuufix]

How many active users do you have? One possible workaround would be to convert their passwords when they login to website. I can give you example php code for that.

About the error: It seems that it still tries to do something with bcrypt salts, maybe referenced to #428

[smartmadio]

I have about 60-270 players online per day and 55630 registered players,so maybe it will be a big work.I'm now trying to change the code of Discuz(PHP) from $password = md5(md5($password).$salt); to $password = hash("sha256", $password);,but seems there're something wrong with it.

Now I'm providing players with two lobby servers to fix this problem.

[smartmadio]

No,maybe I'm wrong,Discuz's original algo is

$password = md5(md5($password).$salt);

Shell I change it to

$password = $sha$.$salt.$.sha256($password).$salt)

(I'm noob on php)

[ljacqu]

$password = '$SHA$' . $salt . '$' . sha256(sha256($password) . $salt);

Please try that ^

[smartmadio]

Testing on it:)

[smartmadio]

Seems php doesn't support algo like

sha256($password)

I'll have a try on

hash('sha256', '$password')

[smartmadio]

$password = '$SHA$'.$salt.'$'.hash('sha256', hash('sha256', $password) . $salt);

This seems works quite well.But I find 'salt' in AuthMe's mysql database is not 8 digit?Is sha256's salt digit is 16?

[ljacqu]

You're right—the salt length used for SHA256 is 16

[smartmadio]

Done, thank you very much.