Thanks for the help! If anyone looks at this in the future, this is the code I ended up using:
*hashers.py*

    import hashlib

    from django.contrib.auth.hashers import PBKDF2PasswordHasher
    from django.utils.encoding import force_bytes


    class PBKDF2WrappedvBPasswordHasher(PBKDF2PasswordHasher):
        algorithm = 'pbkdf2_vB'

        def encode_vB_hash(self, vB_hash, salt, iterations=None):
            # Wrap an existing vBulletin hash in PBKDF2 (no plaintext needed).
            return super(PBKDF2WrappedvBPasswordHasher, self).encode(vB_hash, salt, iterations)

        def encode(self, password, salt, iterations=None):
            # vBulletin scheme: md5(md5(password) + salt). The inner hex digest
            # is converted to bytes so the concatenation also works on Python 3.
            inner = hashlib.md5(force_bytes(password)).hexdigest()
            vB_hash = hashlib.md5(force_bytes(inner) + force_bytes(salt)).hexdigest()
            return self.encode_vB_hash(vB_hash, salt, iterations)

*settings.py*

    PASSWORD_HASHERS = [
        'django.contrib.auth.hashers.PBKDF2PasswordHasher',
        'members.hashers.PBKDF2WrappedvBPasswordHasher',
    ]

Importing vBulletin password in the Django format, assuming 2 columns for vBulletin containing salt and MD5 hash, respectively:

    password='pbkdf2_vB' + '$' + row[5] + '$' + row[6],

Upgrading to pbkdf2_vB hash:

    hasher = PBKDF2WrappedvBPasswordHasher()
    algorithm, salt, vB_hash = user.password.split('$', 2)
    user.password = hasher.encode_vB_hash(vB_hash, salt)

On Wednesday, March 16, 2016 at 12:54:18 AM UTC+1, Tim Graham wrote:
>
> I can't think of anything offhand besides implementing your own
> PBKDF2PasswordHasher subclass which does its own more sophisticated
> splitting that doesn't get confused by dollar signs in the salt.
>
> On Tuesday, March 15, 2016 at 7:26:59 PM UTC-4, jorr...@gmail.com wrote:
>>
>> Holy crap, you guys have really thought of everything! Love it!
>>
>> Unfortunately this doesn't work on all users because some salts contain
>> the *$* character which gives the *assert salt and '$' not in salt*
>> error. Is there a workaround for this?
>>
>>
>> On Tuesday, March 15, 2016 at 4:59:39 PM UTC+1, Tim Graham wrote:
>>>
>>> Take a look at
>>> https://docs.djangoproject.com/en/stable/topics/auth/passwords/#password-upgrading-without-requiring-a-login
>>>
>>> Instead of SHA1PasswordHasher().encode() you'll want to use vBulletin's
>>> hashing algorithm.
>>>
>>> On Tuesday, March 15, 2016 at 11:54:32 AM UTC-4, jorr...@gmail.com
>>> wrote:
>>>>
>>>> I'm converting an old vBulletin 3.8 installation to a Django web app
>>>> and I'm wondering if I can migrate users over with their passwords intact.
>>>>
>>>> vBulletin uses *md5(md5(password) + salt)* to hash its passwords,
>>>> would any of Django's built-in password hashers work with this out of the
>>>> box?
>>>>
>>>> Some of the salts also contain the *$* character, I'm guessing that's
>>>> a big problem?
>>>>
>>>> I'm wondering if it would be easiest (or even possible) to write a
>>>> custom password hasher for this or just have everyone reset their
>>>> passwords once the new site goes live.
>>>>
>>>> Any thoughts on this would be appreciated!
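
The "more sophisticated splitting" suggested in the thread, as an added standard-library sketch that is not code from any of the posters and does not use Django: the record keeps the `algorithm$iterations$salt$hash` field layout of Django's PBKDF2 hasher but is parsed from both ends, so a `$` inside the salt is harmless. The function names, the iteration count and the sample salt are assumptions.

```python
import base64
import hashlib
import hmac

ALGORITHM = "pbkdf2_vB"   # label taken from the post above
ITERATIONS = 24000        # assumed work factor; tune for your hardware


def vb_hash(password, salt):
    """vBulletin 3.8 scheme from the thread: md5(md5(password) + salt), hex."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def wrap(vb_hex, salt, iterations=ITERATIONS):
    """Wrap an existing vBulletin hash in PBKDF2-SHA256 (no plaintext needed)."""
    dk = hashlib.pbkdf2_hmac("sha256", vb_hex.encode("ascii"),
                             salt.encode("utf-8"), iterations)
    digest = base64.b64encode(dk).decode("ascii")
    return "$".join([ALGORITHM, str(iterations), salt, digest])


def parse(encoded):
    """Split the record without being confused by '$' inside the salt.

    Algorithm and iterations are peeled off the left, the digest off the
    right. Base64 never contains '$', so whatever remains is the salt.
    """
    algorithm, iterations, rest = encoded.split("$", 2)
    salt, digest = rest.rsplit("$", 1)
    if algorithm != ALGORITHM:
        raise ValueError("not a %s record" % ALGORITHM)
    return int(iterations), salt, digest


def verify(password, encoded):
    """Recompute from the candidate password and compare in constant time."""
    iterations, salt, _ = parse(encoded)
    candidate = wrap(vb_hash(password, salt), salt, iterations)
    return hmac.compare_digest(candidate.encode("utf-8"), encoded.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample row: a salt containing '$', as reported in the thread.
    salt = "a$b$c"
    legacy = vb_hash("correct horse", salt)   # what the vBulletin table holds
    record = wrap(legacy, salt, iterations=1000)
    print(record, verify("correct horse", record))
```
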