[Mediawiki-l] Passwords

Brion Vibber brion at pobox.com
Mon Feb 7 08:09:20 UTC 2005


Jan Steinman wrote:
> Unfortunately, passwords are a problem. It appears to be some hash on
> the user name, since I tried copying and pasting the password data from
> one user to another, but the user for which I pasted it cannot log in
> with that password!

The hashes are salted to make it harder to bulk brute-force users'
passwords if the hashes are leaked.

(You can turn off the salting to use a system where password hashes can
be copied from user to user, but this is a) less secure and b) will
invalidate all existing passwords, requiring them all to be reset. See
settings in DefaultSettings.php)

> Before I go crawling through the code, does anyone have any hints or
> alternatives by which I can bulk-enter password data for users to use?

The hashing algo is MD5(CONCAT(user_id,'-',MD5(password))).

> Will the 'user_newpassword' field behave better for this sort of thing?

AFAIK it's hashed the same way as the main password.

-- brion vibber (brion @ pobox.com)
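
The scheme described in the reply above, MD5(CONCAT(user_id,'-',MD5(password))), worked through as an added example (not part of the original post and not MediaWiki's own code). It shows why a hash copied from one user row to another fails to verify, and how per-user values for a bulk load would be computed. The function names, the sample accounts, UTF-8 encoding and the lowercase-hex inner digest (what MySQL's MD5() returns) are assumptions.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    # Lowercase hex digest, matching what MySQL's MD5() returns (assumption: UTF-8 input).
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def salted_hash(user_id: int, password: str) -> str:
    # MD5(CONCAT(user_id, '-', MD5(password))): the user id acts as the per-user salt.
    return md5_hex(f"{user_id}-{md5_hex(password)}")


def verify(user_id: int, password: str, stored: str) -> bool:
    # Recompute with the id of the account being logged in to, compare in constant time.
    return hmac.compare_digest(salted_hash(user_id, password), stored)


def bulk_hashes(accounts):
    # One hash per (user_id, password) pair; each value is only valid for its own row.
    return {uid: salted_hash(uid, pw) for uid, pw in accounts}


# Constructed sample data: users 1 and 2 deliberately share a password.
ACCOUNTS = [(1, "correct horse"), (2, "correct horse"), (3, "battery staple")]


def demo():
    rows = bulk_hashes(ACCOUNTS)
    return {
        # The salt makes equal passwords produce different stored values.
        "same_password_same_hash": rows[1] == rows[2],
        "owner_can_log_in": verify(1, "correct horse", rows[1]),
        # Pasting user 1's hash into user 2's row: user 2 cannot log in with it.
        "copied_hash_works": verify(2, "correct horse", rows[1]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```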