Lua Gesior -> Gesior = Can't login with old accounts?

[Extrodus]

Hey OTLanders, I just switched gesior account managers to swap with the newer layout + admin panel and now the 15 accounts that were made before the switch can no longer log into the website, it say's "Wrong account number or password."

Is there an easy way to fix this without making them create new accounts?

 

[HalfAway]

< removed post due to not needed >

 

[Extrodus]

They are all in sha1, reading the same config - it's really the same version just with some new features. No changes to the account table of course, so it seems strange.

 

[Znote]

Could it be related to salt then?

 

[Extrodus]

Actually to be honest, now that I look - when I create a new account it doesn't use salt anymore, it just leaves it blank. When I remove the salt from an old account, it still gives me the error of passwords being wrong when signing in.
I know sha1 is encrypted passwords - what is the salt for exactly?

 

[Sho Ke]

Sounds like the site is using another cryption then the accounts in the database. (Sha1, plain, md5)

Please keep in mind Sha1 and md5 are hashing methods, NOT encryption. Encrypted data can be decrypted(it's two-way). Hashing is one-way. When setup properly, server owners shouldn't even get to see user passwords(because they don't need the user's password); they just get a 160 or 120bit representation of the password stored in the database that cannot be reverse engineered back to its original form.

 

[Znote]

Actually to be honest, now that I look - when I create a new account it doesn't use salt anymore, it just leaves it blank. When I remove the salt from an old account, it still gives me the error of passwords being wrong when signing in.
I know sha1 is encrypted passwords - what is the salt for exactly?

Salt is used to create unique hashes, even if the raw password is the same. Thus it is really hard to find accounts with similar passwords unless you also know the salt algorythm, which either way will be a much heavier process for a hacker.

You can probably enable salt in config.php, but it may be best to just disable it to make it easier for you. What you got to do then is to delete salt from all accounts that already got it, and reset their password to some default password.

sha1 hash generator: http://www.sha1generator.de/
You write rawtext and it will generate a sha1 hash for you. Which you can place in phpmyadmin, keep salt empty and they should be able to login.

 

[Extrodus]

Thank you sir, if it comes down to switching I'll try your method.