Password hash and authentication

6 posts

1. leapyearboy
   
   Member
   Joined: Jun '08
   Posts: 9

   Hey, had a quick look around and i couldn't see anyone with a similar question so here i go.

   I have a large database of usernames/ password combos that i would live to use in my private server. However the passwords i have are hashed in SHA-1 (base 64). From what i can see the WOW pass's are stored in some hash that i am unfamiliar with (couldn't find its type with many hash generators).

   Now my question is can i change the authentication method to accommodate my hashes or is there some other way that it may be possible.

   Posted 1 year ago » Permalink

2. leapyearboy
   
   Member
   Joined: Jun '08
   Posts: 9

   Just a quick update, looking through the account creation code in AccountMgr.cpp i see the line (57)

   if(!loginDatabase.PExecute("INSERT INTO account(username,sha_pass_hash,joindate) VALUES('%s',SHA1(CONCAT(UPPER('%s' ,':',UPPER('%s' )),NOW())", username.c_str(), username.c_str(), password.c_str()))

   my c++ knowledge is limited but it seems the username is uppercased and then hashed with the uppercase password seperated by a colon. So does anyone know how i can modify the code so that it hashes the password in SHA1 base64.
   Also i assume the same modification can be made to the mangos login manager part though i worry that the wow client may be such that it must authenticate to SHA-1 and that it cant be modified.

   Any ideas guys?

   Posted 1 year ago » Permalink

3. Petie
   
   Member
   Joined: Jun '08
   Posts: 13

   Edit:
   You can safely ignore everything that follows. I read through your post a little too quickly. I didn't realize you were actually looking at the source C++ files at first so my answer really only applies to the already compiled version.
   -----------------------------
   You found the right code and you're right about how the password is currently being stored. However, as far as I know anyway, while that code is easily modifiable for registration, the client will authenticate using the format already in place and I'm not sure if this is something that can be changed.

   I could definitely be wrong about this though so I'd stick around from an answer from someone else (like Reaper-X, who would definitely know how to change the login script if it can be changed at all).

   Posted 1 year ago » Permalink

4. Remar
   
   Veteran
   Joined: Feb '08
   Posts: 347

   I have not a clue but I will bump this one back to the top. I am not fluent enough with the way the wow client is written to tell you what to modify without screwing something up for you.

   Posted 1 year ago » Permalink

5. leapyearboy
   
   Member
   Joined: Jun '08
   Posts: 9

   Daily bump.

   Anyone got any ideas?, pretty sure its a pretty unique question that i should probably focus towards the developer only but hey you never know.

   In the end i think i can cope without the change to the authentication method (just make people create new accounts) but its a nice proof of concept as im sure someone down the line will have the same problem.

   Posted 1 year ago » Permalink

6. Reaper-X
   
   The Reaper
   Joined: Feb '07
   Posts: 483

   Well actually what Petie said is true, the code you were looking at is how mangos encrypt the user password

   Now my question is can i change the authentication method to accommodate my hashes or is there some other way that it may be possible.

   it's possible to change it (actually back then mangos didn't use encryption on the user password) but of course you also need to change the checkpassword function too (p.s look at the end of the accountmgr.cpp just in case you looking for the checkpassword)

   QueryResult *result = loginDatabase.PQuery("SELECT 1 FROM account WHERE id='%d' AND sha_pass_hash=SHA1(CONCAT(UPPER(username),':',UPPER('%s' ))", accid, passwd.c_str());

   Posted 1 year ago » Permalink

RSS feed for this topic

Reply

You must log in to post.