Tip - Dolphin 7 Login Functionalities

Mike posted 2nd of March 2010. 8 comments.

From a contributor...

There are three ways to get logged into your Dolphin 7 Social Networking Environment. You can use your nickname, email address or userID if you know it.

From the user-end logged in as admin, you are able to change your password for admin. The new temp password will be sent to your email address on record. Because of the security measures that have been taken with Dolphin 7, the password encryption is no longer just an MD5 hash; the password is $alt encrypted, and there is no really easy way to crack that.

You can manipulate certain features of your login as admin, such as the email address, from the database. The easiest way to do that is phpMyAdmin, or if you are more comfortable with a graphical user interface (GUI), take a look at MySQL Administrator.

A fair and impartial warning. You can break your site messing around with the encrypted passwords, so please try not to mess around. If you are just adventurous, please always back up your database before making any changes that are irrevocable.

The Dolphin 7 administration login is seldom needed, unless you are trying to reassert your Dolphin license (such as when you have upgraded from a free to a paid license).

Why only Facebook, is it really difficult with google and yahoo connect
I have never heard of $alt encryption. $alt is a possible variable name in PHP, not an encryption method. Perhaps he meant to say that the password-generation function includes a variable called $sSalt that provides more permutations and less correlation between the plain password and the password hash, preventing simple hash database lookups to reverse passwords. Or perhaps he spelled "salt" as in "micro$oft". But let's be clear for a moment on how Dolphin password encryption actually works.

Dolphin 7.0.0 encrypts passwords as sha1(md5($sPwd) . $sSalt). In plain English, Dolphin generates a SHA-1 hash of the MD5 hash of the user-given password and a random salt string, the random salt being the base64-encoded characters 2 to 6 of an MD5-hashed microtime timestamp. The random salt is separately stored in a field in the user database table.

Both MD5 and SHA1 are one-way-only string hashing methods. While they cannot be directly reversed, lists and databases of MD5-hashes for common passwords are becoming increasingly common, and as such the password can be accessed by searching for the corresponding hash. MD5 also has a number of other issues that make it less of a secure password hashing option. MD5 hashes are 32 characters long, while SHA1 strings are 40 characters long, providing for more variations and subsequently harder brute-force password cracking.

If you want to produce D7-compliant passwords, look at functions encryptUserPwd() and genRndSalt() in inc/utils.inc.php (line #1003 ff.). To see an example of password checking, see check_password() in inc/admin.inc.php (line #785). If you need to generate a new Dolphin password, simply create a short script that fetches the user's salt from the database and runs a new plain-text password through encryptUserPwd().

For those interested in further security and string hashing information, hop on to Wikipedia for a starter:

- MD5: http://en.wikipedia.org/wiki/MD5
- SHA: http://en.wikipedia.org/wiki/SHA1

And as a footnote to that, if you need to recover your admin password and are not scriptorally adept, you can simply:

1. Create a new account with whatever password,
2. Let D7 automatically do the hashing and stick them in,
3. Copy the password hash and the salt from the new account to the lost administrator's account in the table containing member data in your database with PHPMyAdmin.

That shouldn't be too hard for anyone who has gotten Dolphin up and running.
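
An added example, not part of the comment above and not Dolphin's own code: a stand-alone PHP sketch of the salted scheme as the comment describes it. The function names are hypothetical, the salt slice offsets are one reading of "characters 2 to 6", and the member records are constructed sample data.

```php
<?php
// Added illustration; function names are hypothetical, not Dolphin's own.

// Salt as the comment describes it: base64 of a short slice of
// md5(microtime()). The offsets (2, 6) are an assumed reading.
function example_gen_salt(): string
{
    return base64_encode(substr(md5(microtime()), 2, 6));
}

// Hash as the comment describes it: sha1(md5($sPwd) . $sSalt).
function example_hash_password(string $sPwd, string $sSalt): string
{
    return sha1(md5($sPwd) . $sSalt);
}

// Check a login attempt against a stored hash/salt pair.
function example_check_password(string $sPwd, string $sStoredHash, string $sSalt): bool
{
    // hash_equals() compares in constant time (PHP >= 5.6).
    return hash_equals($sStoredHash, example_hash_password($sPwd, $sSalt));
}

// Constructed sample data: two members who picked the same password.
$sPwd = 'correct horse battery staple';
$aAlice = ['salt' => example_gen_salt()];
usleep(1000); // a microtime()-based salt only changes when the clock does
$aBob = ['salt' => example_gen_salt()];
$aAlice['hash'] = example_hash_password($sPwd, $aAlice['salt']);
$aBob['hash']   = example_hash_password($sPwd, $aBob['salt']);

printf("alice salt=%s hash=%s\n", $aAlice['salt'], $aAlice['hash']);
printf("bob   salt=%s hash=%s\n", $aBob['salt'], $aBob['hash']);

// Same password, different salts: the stored hashes differ, so a
// precomputed table of unsalted hashes matches neither row.
var_dump($aAlice['hash'] !== $aBob['hash']);

// The right password verifies; a wrong one does not.
var_dump(example_check_password($sPwd, $aAlice['hash'], $aAlice['salt']));
var_dump(example_check_password('wrong guess', $aAlice['hash'], $aAlice['salt']));

// Hash and salt only verify as a pair, which is why the recovery
// steps copy both fields together.
var_dump(example_check_password($sPwd, $aAlice['hash'], $aBob['salt']));
```

Run it with the PHP CLI (PHP 7 or later for the type declarations); no database is touched.
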
I lost my password some time back after they started using salt. Salt did make me think for a little, but there is always a workaround if you are in full control of the data. After a little thought I created a new website member, logged into cpanel, fired up phpmyadmin, browsed the profile table for my new user, changed their role to that of 3, which makes them an administrator. Logged into my website's admin with that user and changed the profile password on the user that I had forgotten the password for. I have seen this workaround in various forms since on the forums, but it ain't rocket science.
They should really use pepper instead of salt. Although pepper has been known to cause heartburn sometimes, it usually don't contribute to high blood pressure or high cholesterol like salt has been known to do. But then again a dolphin does like the ocean which has a tendency to have a concentration of salt in the water. So maybe this is why. Pepper sounds better, I like spice too.
So is the sea connection also behind the fact that it's a bit salty here in Unity at times? Have you ever tried salt in marmalade? =D

In my code (just looked it up), I simply call it hash, and the hash comes from a seed. I seem to have functions for make_hash($seed="") and get_hash_ready(), so the whole process is covered. So far I luckily haven't had officers knocking on my door over suspicions of automated illegal substance manufacturing. To err on the side of caution, maybe I should change it to pepper instead.

Here's the formula I have: $hash = sha1(md5($seed.date("r").mt_rand()));
This post makes me wish we had a "Tips & Tricks" area for those of us who have a few things we could contribute.
A wiki sort of thing would be very useful, though I wouldn't pay premium just to be able to add in my notes to help out others...