Import users with md5 passwords, possible?


cb2004

I think it's not possible, because different systems use different salt algorithms...

 

I think it's only possible when you hook the login, implement the login/salt system from the old system and, after a successful login attempt with the old data, update the PW password with the entered and checked password? (It's not so easy...)

  • Like 1

No there's no way around this really, but my solution is the combination of these two modules:

https://modules.processwire.com/modules/email-new-user/

With this, when a new user is created they are automatically assigned a password and this is sent to them via email. 

https://modules.processwire.com/modules/password-force-change/

This ensures that the next time they log in they have to change their password.

I think this combination is the easiest way to migrate large numbers of users to PW.

 

  • Like 2

@cb2004 You could import the md5 hashed passwords into a different field in the User template, then use a custom login hook that checks if the md5 hash field is not empty. If it is not empty, then it hashes what they typed in and compares it to the md5 hash. If they are equal, then use PW's hashing algorithm to store the password in the regular field and delete the md5 hash.

Back up your DB and make sure you test this on some example accounts first, as you'll need to exactly recreate the way the original hashes were calculated - including the use of a salt or other hardening method like hash iteration.

Ah, Soma got in ahead of me.

  • Like 3
  • Thanks 1

Some great replies, cheers all. There is no salt in the database with the original system by the looks of things, although I could probably get access to the old system files. @netcarver have you had to do anything like this before I could take a look at? These users will be logging in on the front-end with a custom form. 


@cb2004 I did this many years ago for a Textpattern site when I wanted to migrate the passwords from old style hashes to newer ones. I haven't got anything for PW, sorry. The methodology is pretty much what I laid out in the post above yours. Maybe others could advise you about the best hooks to use, but I'd guess at doing a before hook on session::authenticate(). Something like this in site/ready.php would be a start (totally untested)...

wire('session')->addHookBefore('authenticate', function($event) {
    $user = $event->arguments(0);
    $pass = $event->arguments(1);

    $imported_md5_password_hash = trim($user->md5_field);

    // Is there a value for the imported md5 field?
    if ('' !== $imported_md5_password_hash) {

        // Yes! then create the md5 of what the user just typed in.
        // NB: You need to change this code so that the value generated here follows the algorithm for the generation of
        // the password set you imported.
        $md5 = md5($pass);

        // and see if it matches the stored value for this user
        // (hash_equals() compares in constant time, unlike ===)
        if (hash_equals($imported_md5_password_hash, $md5)) {

            // it does, so create and store the PW version of the $pass the user just typed in...
            $user->of(false);
            $user->pass = $pass; // @see https://github.com/processwire/processwire/blob/master/wire/core/User.php#L23
            $user->md5_field = ''; // Clear the md5 field so this path is bypassed on next login.
            $user->save();
        }
    }
});

If the match on the MD5 hash works, it stores the PW-hashed version of the user's password and saves. As this is a before hook, and the password compare and replace happens here, I think that's all that should be needed.

Of course, you still need to import those hashes into the "md5_field" above (rename as needed.)

Adding an md5_field to the user template allows you to easily locate which users have updated and which haven't using normal PW selectors.

YMMV - but I hope that starts you off in the right direction.

  • Like 8
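
An added example, not part of the thread and not ProcessWire code: a stand-alone PHP sketch of the two steps the replies describe, first confirming on a test account which legacy scheme reproduces the imported hash, then upgrading the hash on the first successful login. The array keys, scheme names and sample account are hypothetical, and PHP's password_hash() stands in for PW's own password hashing.

```php
<?php
// Added example. Field names, scheme names and sample data are hypothetical.

// Recompute a legacy hash. The scheme must match the old system exactly
// (salt position, iteration count), or no imported user will be able to log in.
function legacy_hash(string $pass, string $salt, string $scheme): string {
    switch ($scheme) {
        case 'md5':           return md5($pass);
        case 'md5_salt_pre':  return md5($salt . $pass);
        case 'md5_salt_post': return md5($pass . $salt);
        case 'md5_x1000':
            $h = $pass;
            for ($i = 0; $i < 1000; $i++) { $h = md5($h); }
            return $h;
        default:
            throw new InvalidArgumentException("unknown scheme: $scheme");
    }
}

// Testing step: for a test account whose password you know, find the scheme
// that reproduces the imported hash. Returns null if none of them does.
function detect_scheme(string $knownPass, string $salt, string $importedHash): ?string {
    foreach (['md5', 'md5_salt_pre', 'md5_salt_post', 'md5_x1000'] as $scheme) {
        if (hash_equals(strtolower($importedHash), legacy_hash($knownPass, $salt, $scheme))) {
            return $scheme;
        }
    }
    return null;
}

// Login step: check the legacy hash if one is still stored, and on success
// replace it with a modern hash so the legacy path is never used again.
function login(array &$user, string $pass, string $scheme): bool {
    $legacy = strtolower(trim($user['md5_field'] ?? ''));
    if ($legacy !== '') {
        if (!hash_equals($legacy, legacy_hash($pass, $user['salt'] ?? '', $scheme))) {
            return false;
        }
        $user['pass'] = password_hash($pass, PASSWORD_DEFAULT);
        $user['md5_field'] = '';   // legacy hash is no longer kept anywhere
        return true;
    }
    return isset($user['pass']) && password_verify($pass, $user['pass']);
}

// Constructed sample: one imported account with a salted legacy hash.
$user = ['salt' => 's3', 'md5_field' => md5('s3' . 'correct horse'), 'pass' => null];
$scheme = detect_scheme('correct horse', $user['salt'], $user['md5_field']);
var_dump($scheme, login($user, 'wrong guess', $scheme), login($user, 'correct horse', $scheme));
var_dump($user['md5_field'] === '', login($user, 'correct horse', $scheme));
```

Accounts that never log in again keep their MD5 hash in the extra field, so the selector on that field mentioned above is also the list of hashes still to be retired.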