How to issue new passwords in vBulletin

Copyright © TechPad.co.uk

If your vBulletin site has been the subject of an intrusion, it's a wise precaution to reissue passwords to your users. Here's how to change all of the passwords in vBulletin 3.

The vBulletin forum software stores each user's password as a hash in the database, along with a unique salt for each user. Therefore,

1. Set up your configuration

At the top of your script, add the following section to make some constants we can use in our database connection functions. 

// Database connection settings used by the connection calls in step 3
if (!defined('HOSTNAME')) define('HOSTNAME', 'localhost');
if (!defined('USERNAME')) define('USERNAME', 'usernamehere');
if (!defined('PASSWORD')) define('PASSWORD', 'passwordhere');
if (!defined('DATABASE')) define('DATABASE', 'databasehere');

2. Add a random password function

In order to create new passwords for your users you'll need a little function to create a random password. You can use anything you like for this. This is the one I used, which allows you to set the length and the complexity of the password when the function is called. 


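// Build a pronounceable password by alternating consonants and vowels.
// $strength is a bit mask: 1 adds upper-case consonants, 2 adds upper-case
// vowels, 4 adds digits, 8 adds symbols.
// random_int() draws from the system CSPRNG (PHP 7+; on PHP 5 the
// paragonie/random_compat polyfill provides it). rand() and time() are
// predictable, so they are not used to pick password characters.
function generatePassword($length = 9, $strength = 0) {
    $vowels = 'aeuy';
    $consonants = 'bdghjmnpqrstvz';
    if ($strength & 1) {
        $consonants .= 'BDGHJLMNPQRSTVWXZ';
    }
    if ($strength & 2) {
        $vowels .= 'AEUY';
    }
    if ($strength & 4) {
        $consonants .= '23456789';
    }
    if ($strength & 8) {
        $consonants .= '@#$%';
    }

    $password = '';
    // Choose at random whether to start with a consonant or a vowel
    $alt = random_int(0, 1);
    for ($i = 0; $i < $length; $i++) {
        if ($alt == 1) {
            $password .= $consonants[random_int(0, strlen($consonants) - 1)];
            $alt = 0;
        } else {
            $password .= $vowels[random_int(0, strlen($vowels) - 1)];
            $alt = 1;
        }
    }
    return $password;
}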

3. Connect to the database

Next, you'll need to connect to the server and select the vBulletin database. We're using the constants we created earlier on in this script. 

// The mysql_* functions (ext/mysql) exist only up to PHP 5.6; they were removed in PHP 7.
mysql_pconnect(HOSTNAME, USERNAME, PASSWORD) or die("Could not connect to server");
mysql_select_db(DATABASE) or die("Could not select database");

4. Select the data

Now that you're connected, you'll need to select the userid, username, password and salt. The salt is unique to each user, so we need this to ensure the password we create works for them. This is the first chunk of code.


$query = "SELECT userid, username, password, salt FROM user ORDER BY userid";
$result = mysql_query($query) or die(mysql_error());

while ($row = mysql_fetch_array($result)) {

    // Fetch the user's current details. Values read from the database are
    // used as-is: stripslashes() would corrupt any that contain a backslash.
    $userid = (int) $row['userid'];
    $username = $row['username'];
    $password = $row['password'];
    $salt = $row['salt'];

5. Now, generate the new password

In vBulletin a user's password is hashed with MD5 twice, using the user's salt. Here we're running our function to generate a password with a length of nine characters and a complexity of eight, then hashing it with MD5, appending the user's specific salt, and hashing the result again.

    // Generate a new password hash using the user's salt
    $generated_password = generatePassword(9, 8);
    $generated_hash = md5(md5($generated_password) . $salt);

6. Update the database

To finish off the script, we now need to add the new password and hash to the database. I created (temporarily) a couple of fields to store these data in, then populated them by running the script. You can then export the temporary passwords and email them to your users. 

    // Update the user table with the new details
    $update_query = "UPDATE `user` SET
    `temp_pwd` = '$generated_password',
    `temp_hash` = '$generated_hash'
    WHERE `userid` = $userid LIMIT 1";

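    $update_result = mysql_query($update_query) or die(mysql_error());

    // Show progress. The echoed query contains the plain-text temporary
    // password, so keep this output private.
    echo "$update_query\n";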

}

7. Cleaning up

When you've done that, and exported the new passwords to your users so they can log in, you can delete the old password column, replace it with the new temp_hash column, and then drop the temp_pwd column. As temp_pwd is not encrypted, you wouldn't want to leave it sitting around on your server.

It's a wise precaution to test that the new passwords work prior to deleting the columns! If the login fails, the user can request a password reset and they'll be sent instructions to reset. 
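
A check along these lines can confirm that every temporary password matches its stored hash before the columns are swapped. This is an added example, not code from the original article: the function names are hypothetical, the rows are constructed sample data standing in for a SELECT of userid, salt, temp_pwd and temp_hash, and it assumes PHP 7 or later.

```php
<?php
// Added example (not from the original article). Function names are hypothetical.

// vBulletin 3 scheme from step 5: md5(md5(password) . salt).
function vb3_hash(string $plain, string $salt): string {
    return md5(md5($plain) . $salt);
}

// Return the userids whose temp_hash would reject temp_pwd at login.
function find_broken_rows(array $rows): array {
    $broken = [];
    foreach ($rows as $row) {
        $expected = vb3_hash($row['temp_pwd'], $row['salt']);
        // hash_equals() compares the two strings in constant time.
        if (!hash_equals($expected, (string) $row['temp_hash'])) {
            $broken[] = (int) $row['userid'];
        }
    }
    return $broken;
}

// Constructed sample rows; in practice these come from the user table.
$rows = [
    // Correctly stored row.
    ['userid' => 1, 'salt' => 'x$4', 'temp_pwd' => 'ta#ub@yze',
     'temp_hash' => vb3_hash('ta#ub@yze', 'x$4')],
    // Hash cut to 30 characters, as a too-narrow temp_hash column would store it.
    ['userid' => 2, 'salt' => 'Qr7', 'temp_pwd' => 'yd%ezusaj',
     'temp_hash' => substr(vb3_hash('yd%ezusaj', 'Qr7'), 0, 30)],
    // Hash computed from a salt that lost its backslash to stripslashes().
    ['userid' => 3, 'salt' => 'a\\b', 'temp_pwd' => 'be$uz#amy',
     'temp_hash' => vb3_hash('be$uz#amy', stripslashes('a\\b'))],
];

$broken = find_broken_rows($rows);
if ($broken) {
    echo 'Do not swap the columns yet; failing userids: ' . implode(', ', $broken) . "\n";
} else {
    echo "All temporary passwords verify against temp_hash.\n";
}
```

Any userid it reports should be regenerated and re-checked before the old password column is dropped.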



Published: TechPad.co.uk Monday 1 March 2010, 7:11 pm
Filed under: vBulletin security password reset
