I believe mysql password() encryption is one way; its impossible to decrypt (I'm not about to brute-force crack my users' passwords)
Sent from my HTC
----- Reply message ----- From: "Steve Power" steev@initsix.co.uk Date: Mon, Nov 8, 2010 12:43 Subject: [support] Migrating old passwords to Drupal To: "support@drupal.org" support@drupal.org
why not export your user data from your old app, import to drupal (decrypt the mysql password, hash with md5) then you dont have to mess about hacking core.
On Mon, Nov 8, 2010 at 10:55 AM, WATSON Michael <mick.watson@roslin.ed.ac.ukmailto:mick.watson@roslin.ed.ac.uk> wrote: Hi
I have an old website/DB that I would like to migrate into Drupal.
At present, it has a user/password setup that encodes the passwords in MySQL using the native MySQL password() function.
Ideally, I’d like to take those users and replace them with Drupal users, in a seamless way and without having to re-set user passwords, such that users can log into the new Drupal website without having to change or re-set their passwords.
Clearly this is difficult as Drupal stores passwords as md5 encoded strings, whereas my passwords are encoded by password().
I notice that the user.module file includes several calls to md5. If I changed all of these to a function which mimics the MySQL password() function, would that enable me to migrate my users into Drupal, allowing them to log into Drupal with their existing passwords?
If that wouldn’t work, suggestions are welcome!
Thanks Mick
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
-- [ Drupal support list | http://lists.drupal.org/ ]
-- -- -- Steve Power Principal Consultant Mobile: +44 (0) 7747 027 243 Fax: +44 (0)160 421 2871 Skype: steev_initsix www.initsix.co.ukhttp://www.initsix.co.uk :: Initsix Heavy Engineering Limited -- This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Initsix Heavy Engineering Limited. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error.
Initsix Heavy Engineering Limited Registered in the UK: 5036938 Registered Address: 243 Kettering Road, Northampton, NN2 7DU, England.
Hi,
There is basically 2 options, where you don't have to kill any kittens.
1, Leave all the passwords blank and have users request a password so they can log in. 2. use an external login authentication to allow people login in with there old passwords, and when they change the passwords you can set their real password. See the site_network module for am example. http://drupal.org/project/site_network
Gordon.
On 08/11/2010, at 11:47 PM, WATSON Michael wrote:
I believe mysql password() encryption is one way; its impossible to decrypt (I'm not about to brute-force crack my users' passwords)
Sent from my HTC
----- Reply message ----- From: "Steve Power" steev@initsix.co.uk Date: Mon, Nov 8, 2010 12:43 Subject: [support] Migrating old passwords to Drupal To: "support@drupal.org" support@drupal.org
why not export your user data from your old app, import to drupal (decrypt the mysql password, hash with md5) then you dont have to mess about hacking core.
On Mon, Nov 8, 2010 at 10:55 AM, WATSON Michael <mick.watson@roslin.ed.ac.ukmailto:mick.watson@roslin.ed.ac.uk> wrote: Hi
I have an old website/DB that I would like to migrate into Drupal.
At present, it has a user/password setup that encodes the passwords in MySQL using the native MySQL password() function.
Ideally, I’d like to take those users and replace them with Drupal users, in a seamless way and without having to re-set user passwords, such that users can log into the new Drupal website without having to change or re-set their passwords.
Clearly this is difficult as Drupal stores passwords as md5 encoded strings, whereas my passwords are encoded by password().
I notice that the user.module file includes several calls to md5. If I changed all of these to a function which mimics the MySQL password() function, would that enable me to migrate my users into Drupal, allowing them to log into Drupal with their existing passwords?
If that wouldn’t work, suggestions are welcome!
Thanks Mick
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
-- [ Drupal support list | http://lists.drupal.org/ ]
--
-- Steve Power Principal Consultant Mobile: +44 (0) 7747 027 243 Fax: +44 (0)160 421 2871 Skype: steev_initsix www.initsix.co.ukhttp://www.initsix.co.uk :: Initsix Heavy Engineering Limited -- This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Initsix Heavy Engineering Limited. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error.
Initsix Heavy Engineering Limited Registered in the UK: 5036938 Registered Address: 243 Kettering Road, Northampton, NN2 7DU, England.
-- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
-- [ Drupal support list | http://lists.drupal.org/ ]
I don't believe there's a module, but you could do a custom one.
- Create a new table with the old user hashes and the new Drupal UID for reference. - When converting the users, the old hash is stored as the actual password in Drupal (letting Drupal md5() it). - Using form_alter add a validation before user_login_authenticate_validate. In this new step check if the password() of the user submitted password matches a record in the database.
If it matches: change $form_state['values']['pass'] to the old password hash and let Drupal do the check from the user table
If no match: Do nothing. If this is a user that was created in Drupal, or an old user that changed their password in Drupal, Drupal will go ahead and validate it using the normal MD5().
Using this method you won't have to do any core hacks. I did something similar on converting a WP site to Drupal, where WP stores the passwords with a salted MD5().
Jamie Holly http://www.intoxination.net http://www.hollyit.net
On 11/8/2010 7:47 AM, WATSON Michael wrote:
I believe mysql password() encryption is one way; its impossible to decrypt (I'm not about to brute-force crack my users' passwords)
Sent from my HTC
----- Reply message ----- From: "Steve Power"steev@initsix.co.uk Date: Mon, Nov 8, 2010 12:43 Subject: [support] Migrating old passwords to Drupal To: "support@drupal.org"support@drupal.org
why not export your user data from your old app, import to drupal (decrypt the mysql password, hash with md5) then you dont have to mess about hacking core.
On Mon, Nov 8, 2010 at 10:55 AM, WATSON Michael<mick.watson@roslin.ed.ac.ukmailto:mick.watson@roslin.ed.ac.uk> wrote: Hi
I have an old website/DB that I would like to migrate into Drupal.
At present, it has a user/password setup that encodes the passwords in MySQL using the native MySQL password() function.
Ideally, I’d like to take those users and replace them with Drupal users, in a seamless way and without having to re-set user passwords, such that users can log into the new Drupal website without having to change or re-set their passwords.
Clearly this is difficult as Drupal stores passwords as md5 encoded strings, whereas my passwords are encoded by password().
I notice that the user.module file includes several calls to md5. If I changed all of these to a function which mimics the MySQL password() function, would that enable me to migrate my users into Drupal, allowing them to log into Drupal with their existing passwords?
If that wouldn’t work, suggestions are welcome!
Thanks Mick
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
-- [ Drupal support list | http://lists.drupal.org/ ]
--
-- Steve Power Principal Consultant Mobile: +44 (0) 7747 027 243 Fax: +44 (0)160 421 2871 Skype: steev_initsix www.initsix.co.ukhttp://www.initsix.co.uk :: Initsix Heavy Engineering Limited -- This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Initsix Heavy Engineering Limited. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error.
Initsix Heavy Engineering Limited Registered in the UK: 5036938 Registered Address: 243 Kettering Road, Northampton, NN2 7DU, England.
-
Gordon Heydon -
Jamie Holly -
WATSON Michael