
Password encryption


stinkyfax


Hello everyone,

I am writing a site module which will bridge registration/users with realmd database.

I have hit the common problem for newbies, so I am sorry in case the question is repeated.

How do I encrypt the 'sha_pass_hash' field in realmd.account (UDB)?

I have looked around wiki, forum, even YTDB wiki, they all tell me the logic: sha1(uppercase(username + ":" + password)). But I have tried it on my 11775 version and it won't work. I get authentication error.

P.S. If I set password using realmd console then authentication works, but if I rehash password using sha1(uppercase(username + ":" + password)) I get different hash and can't authenticate.

Could it be that since 11775 hashing method is changed? Or is there anything else which I've done wrong?

Thanks,

Stinkyfax


I'm pretty sure the hashing hasn't changed; see src/game/AccountMgr.cpp starting at line 232:

    std::string AccountMgr::CalculateShaPassHash(std::string& name, std::string& password)
    {
        // SHA1 over "name:password" (the caller has already uppercased both)
        Sha1Hash sha;
        sha.Initialize();
        sha.UpdateData(name);
        sha.UpdateData(":");
        sha.UpdateData(password);
        sha.Finalize();

        // 20-byte digest -> 40-character hex string
        std::string encoded;
        hexEncodeByteArray(sha.GetDigest(), sha.GetLength(), encoded);

        return encoded;
    }

(sorry code tag wasn't breaking on new lines properly)

I have implemented a PHP registration on my server:

    // $account values must be escaped (or bound as prepared-statement parameters)
    // before they are interpolated into the query
    $query = sprintf(
        'INSERT INTO account (username,sha_pass_hash,joindate) VALUES(\'%s\',\'%s\',NOW());',
        strtoupper($account['name']),
        strtoupper(sha1(strtoupper($account['name'] . ":" . $account['password'])))
    );

(I removed some fields from my example because they are not important, i.e. email, expansion, IP, etc.)

Note: I use strtoupper twice because PHP returns the hash in lower case and I wanted it consistent with the records/hashes that mangos generates, which are in uppercase.

Line 51 of src/game/AccountMgr.cpp shows:

    LoginDatabase.PExecute("INSERT INTO account(username,sha_pass_hash,joindate) VALUES('%s','%s',NOW())",
                           username.c_str(), CalculateShaPassHash(username, password).c_str());

So both queries function the same, and something like that should work fine on 11775. Just make sure to sanitize your user input variables so you're not susceptible to SQL injection (probably not likely for a private server, but still best practice).

Also, what language are you using to create your registration? It could be something silly like the uppercase function you're using actually only uppercasing the first character and not the whole string.

Edit: another thought is that the sha function you're using returns the raw 20-character binary hash and not a 40-character hex hash (PHP by default does hex; C++ returns binary but it is converted to hex by hexEncodeByteArray).
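The hash calculation and the two pitfalls raised in this reply, as an added Python example (not code from the thread or from the mangos project). It reproduces CalculateShaPassHash from above, checks what a registration script actually wrote into sha_pass_hash, and inserts with a bound parameter instead of string interpolation; the sqlite table and the names sha_pass_hash, check_password, diagnose, demo_db, register_account and stored_hash are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

HEX_DIGITS = set("0123456789abcdefABCDEF")

def sha_pass_hash(username: str, password: str) -> str:
    """Same computation as AccountMgr::CalculateShaPassHash once the caller has
    uppercased both parts: SHA1("NAME:PASSWORD"), hex-encoded, uppercase."""
    data = f"{username.upper()}:{password.upper()}".encode("utf-8")
    return hashlib.sha1(data).hexdigest().upper()

def check_password(stored: str, username: str, password: str) -> bool:
    """Verify credentials against a stored hash; compare_digest avoids leaking
    the position of the first mismatching character through timing."""
    return hmac.compare_digest(stored.upper(), sha_pass_hash(username, password))

def diagnose(value) -> str:
    """Classify what a registration script wrote into sha_pass_hash
    (raw digest vs hex, lowercase vs uppercase), as discussed in the thread."""
    if isinstance(value, (bytes, bytearray)) and len(value) == 20:
        return "raw 20-byte digest: hex-encode it first"
    if not isinstance(value, str) or len(value) != 40 or not set(value) <= HEX_DIGITS:
        return "not a 40-character hex string"
    if value != value.upper():
        return "lowercase hex: uppercase it to match what mangos writes"
    return "ok"

def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for realmd.account (constructed, not the UDB schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (username TEXT, sha_pass_hash TEXT, joindate TEXT)")
    return conn

def register_account(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Insert like the PExecute call in AccountMgr.cpp, but with bound parameters
    so a quote in the username cannot alter the SQL (sqlite uses ?, MySQL
    drivers use %s placeholders). Returns the hash that was stored."""
    hashed = sha_pass_hash(username, password)
    conn.execute("INSERT INTO account (username, sha_pass_hash, joindate) "
                 "VALUES (?, ?, datetime('now'))", (username.upper(), hashed))
    return hashed

def stored_hash(conn: sqlite3.Connection, username: str):
    """Fetch the stored hash for a username (None if no such account)."""
    row = conn.execute("SELECT sha_pass_hash FROM account WHERE username = ?",
                       (username.upper(),)).fetchone()
    return row[0] if row else None
```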
