38k Member Forum

38k Member Forum Started by Runic · March 15, 2016, 11:21:24 am · Read 16727 times 0 Members and 1 Guest are viewing this topic. previous topic - next topic

38k Member Forum

March 15, 2016, 11:21:24 am

A friend is wanting to move his forum has 38k active members and he is worried that converting direct from SMF, so I said I would ask this for him, if he would use the 2.0 converter would his members still need to reset passwords, as it is done on 2.1? If so is their a route you can think off that will save his passwords?

Re: 38k Member Forum

Reply #1 – March 15, 2016, 11:26:50 am

As far as I remember, they have a different encription, so I don't think it's possible at all...

Re: 38k Member Forum

Reply #2 – March 15, 2016, 11:53:11 am

seen that being said for 2.1 but not 2.0 ( read all topics) also their must be an alternate route somewhere

Re: 38k Member Forum

Reply #3 – March 15, 2016, 12:17:27 pm

I don't think you should have to reset the passwords. They should be updated by ElkArte as people login.

Re: 38k Member Forum

Reply #4 – March 15, 2016, 02:00:04 pm

O.o how can it work at all with the old encryption?

Re: 38k Member Forum

Reply #5 – March 15, 2016, 02:59:16 pm

Quote from: Joshua Dickerson – March 15, 2016, 12:17:27 pmI don't think you should have to reset the passwords. They should be updated by ElkArte as people login.

This.

Re: 38k Member Forum

Reply #6 – March 15, 2016, 03:27:32 pm

Quote from: Flavio93Zena (#OpIsis) – March 15, 2016, 02:00:04 pmO.o how can it work at all with the old encryption?

When you login it first checks the ElkArte hash. If that doesn't match, then it tries other strategies until it gets one that matches. It had a bunch of strategies.

You'll still have to login again.

Re: 38k Member Forum

Reply #7 – March 15, 2016, 11:06:43 pm

Be sure "Allow password hash conversion" is checked, its under Admin->Configuration->Security/Moderation->General Its intended to help this issue when sites are converted

Then (to recap what others already said)

A user will attempt login, it will look liked it failed and ask for their password again, at that point it will log them in (assuming of course the password was right).

After they successfully login, the old password hash will be converted to the new (industry standard) hashing.

Re: 38k Member Forum

Reply #8 – March 16, 2016, 06:30:04 am

Hi, I'm the guy with the 38K registered members. Thanks Runic for the iniciative to post my question!

Quote from: Spuds – March 15, 2016, 11:06:43 pmA user will attempt login, it will look liked it failed and ask for their password again, at that point it will log them in (assuming of course the password was right).

In this case, it seems simple enough.
Is it also that simple for the people that have stored their password on the browser? They will just click the "Log in" button a second time and they will enter, or they'll have to type their password again somewhere else?

Re: 38k Member Forum

Reply #9 – March 16, 2016, 08:27:12 am

I don't think the stored passwords / autofill will work (not 100% sure though).

Likely they will need to use the keyboard on both screens. Those autofills look for matching form names/ids and they are likely not the same between your current platform and ElkArte.

Re: 38k Member Forum

Reply #10 – March 16, 2016, 08:46:12 am

It would be a small nuisance for those that forgot their password, they would have to reset it.
But what about those that have changed their email account and haven't updated their forum info with the new email and don't have access to their old email account anymore? It would be impossible to reset their password. They would have to message me outside the forum and I have to trust that they are who they say they are and then reset their password manually.

Re: 38k Member Forum

Reply #11 – March 16, 2016, 09:04:13 am

I suppose the login can be changed to always use the fallback and never update the password.
Of course it has drawbacks: 1) security, 2) security.
1) if the database is stolen, the hackers will be able to log in as any of your members without even knowing the password,
2) if your users do not know their password, they do not even know if they have reused it anywhere else and as such are more vulnerable to social engineering attacks and password theft.

@Spuds wouldn't be possible (theoretically, not that I have any plan to implement it), to attach some javascript to the login form, encrypt the password "SMF-like" and use this hash as the actual password passed to Elk's encryption js code and then to the server?
Let's illustrate it a bit.

Currently:

user types password,
Elk-js encrypts password
Elk sends to server,
server adds its hashing to the db password and compares to the hash from 2

While, what I'm describing is:

user types password,
Elk-js-mimic-SMF encrypt the password as sha1(something) (the same algorithm used by SMF),
Elk-js encrypts what is coming from 2 the same as if it was user-typed password in the currently used method,
Elk sends to server,
server adds its hashing to the db password and compares to the hash from 3

Re: 38k Member Forum

Reply #12 – March 16, 2016, 08:09:15 pm

Quote from: vkot – March 16, 2016, 06:30:04 amHi, I'm the guy with the 38K registered members. Thanks Runic for the iniciative to post my question!

Παρακαλώ (Your welcome for those that dont know Greek

)

Re: 38k Member Forum

Reply #13 – March 16, 2016, 08:59:24 pm

Quote from: Spuds – March 15, 2016, 11:06:43 pmBe sure "Allow password hash conversion" is checked, its under Admin->Configuration->Security/Moderation->General Its intended to help this issue when sites are converted

Then (to recap what others already said)

A user will attempt login, it will look liked it failed and ask for their password again, at that point it will log them in (assuming of course the password was right).

After they successfully login, the old password hash will be converted to the new (industry standard) hashing.

Is there a reason it's this clunky? I'm going to have to fix this before converting E.

Re: 38k Member Forum

Reply #14 – March 16, 2016, 10:03:16 pm

Because the form sends an encrypted password on the first pass, which the site then does a validation against. Once the site knows the password is valid, to one of the many hashing algorithms, it resets the form such so that it returns the password to the server in plain text. The plain text password is (assuming it once again validates) used to create the new style db hash. You could eliminate the form login encryption and make the conversion less "clunky".