Jan Steinman wrote:
Unfortunately, passwords are a problem. It appears to
be some hash on
the user name, since I tried copying and pasting the password data from
one user to another, but the user for which I pasted it cannot log in
with that password!
The hashes are salted to make it harder to bulk brute-force users'
passwords if the hashes are leaked.
(You can turn off the salting to use a system where password hashes can
be copied from user to user, but this is a) less secure and b) will
invalidate all existing passwords, requiring them all to be reset. See
settings in DefaultSettings.php)
Before I go crawling through the code, does anyone
have any hints or
alternatives by which I can bulk-enter password data for users to use?
The hashing algo is MD5(CONCAT(user_id,'-',MD5(password))).
Will the 'user_newpassword' field behave
better for this sort of thing?
AFAIK it's hashed the same was as the main password.
-- brion vibber (brion @
pobox.com)