Nick

Reputation: 2805

Adding user specific salt to user passwords in drupal

I am migrating over a reasonably large asp site to drupal. I have managed to migrate over most of the content now I am having a little trouble with migrating over the users.

In the ASP site each member has a password and a salt column; when logging in, their provided password is appended with the salt, sha1 encrypted and then compared against the db password.

How do I implement this in Drupal 6? Drupal 6 doesn't have salt by default. I found a drupal salt module but it's incredibly simplistic and only stores a sitewide salt value.

Do I need to add a salt column to the user table and add some custom logic to the drupal6 login function? I realise this is somewhat bad practice in that upgrading the application to a later version of drupal could be problematic. But we are using a bunch of drupal 6 specific modules anyways so I feel that upgrading to drupal 7 will be a nightmare regardless. Has anyone had this problem before? What is the easiest (damn fixed rate web jobs :) good way to get around it?

Basically I have a users table in an ASP app that include the following columns:

Name | Password_hash | Salt | etc

I need some way to migrate this into Drupal.

Upvotes: 0

Views: 606

Answers (2)

Sebastian Neira

Reputation: 564

I'm not sure how this worked in Drupal 6, but in Drupal 7 the salt used when comparing to the db password is part of the compared string. When looking at _password_crypt() in password.inc, the $salt is defined as

$salt = substr($setting,4,8);

Where the $setting variable is the first 12 characters of the db password. The salt is then prepended to the $password.

$hash = hash($algo, $salt . $password);

It is important to take into account that this hashing is done many times, to notably increase security. In order to know how many times it is hashed, the second character of the db password (it actually is between two $ signs) is used to know the number of repetitions taken. This character is compared to a string called itoa64, so the position of this char is the log2 number of repetitions.

$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

What I mean by log2 number of repetitions is that the actual number will be 2 to the power of that number. So, taking into account that the first number is between 7 and 30, the number of repetitions is between 128 and 1 073 741 824.

Finally, the encrypted password is encoded in base64, checked (compare its length before and after the encoding) and returned to be compared by user_check_password or used by user_hash_password for storage with a random hash generated with _password_generate_salt().

Upvotes: 2
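Putting the two halves of this thread together: the question's legacy scheme (sha1 over password plus a per-user salt) and the Drupal 7 layout this answer walks through (a 12-character setting prefix, log2 iteration count taken from the itoa64 position of one character, an 8-character salt at offsets 4 to 12, repeated hashing, then Drupal's own base64 alphabet). The block below is an added Python re-implementation written from that description; it is not the question's, the answer's or Drupal's own code. It assumes UTF-8 passwords, a case-insensitive hex compare for the ASP column, the field names legacy_hash, legacy_salt and pass on the user row, sha512 with a cost of 2**15 as the Drupal 7 defaults, and that following the answer's description yields a byte-for-byte compatible string (the tests check self-consistency, not a hash taken from a real Drupal 7 database). The login_with_upgrade function shows the migration pattern a defender wants here: verify once against the weaker legacy hash, then immediately replace it with the stronger format so the legacy material does not linger.

```python
import hashlib
import hmac
import os

# Drupal 7's alphabet for its own base64 variant; the 4th character of a stored
# hash is an index into it and gives log2 of the iteration count.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
MIN_LOG2, MAX_LOG2, HASH_LENGTH = 7, 30, 55  # assumed to match DRUPAL_MIN/MAX_HASH_COUNT, DRUPAL_HASH_LENGTH


def legacy_check(password, stored_hex, salt):
    """ASP-side scheme from the question: sha1(password + salt), hex-encoded.
    Assumption: UTF-8 encoding and a case-insensitive hex comparison."""
    digest = hashlib.sha1((password + salt).encode('utf-8')).hexdigest()
    return hmac.compare_digest(digest, stored_hex.lower())


def _b64(data):
    """Drupal's base64 variant over ITOA64 (not RFC 4648, no padding)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def parse_setting(stored):
    """Split the 12-character prefix into (algo tag, count_log2, salt)."""
    setting = stored[:12]
    if len(setting) != 12 or setting[0] != '$' or setting[2] != '$':
        raise ValueError('not a Drupal portable hash')
    count_log2 = ITOA64.find(setting[3])  # -1 if the char is not in the alphabet
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError('iteration count outside the allowed range')
    return setting[1], count_log2, setting[4:12]


def drupal_crypt(password, setting, algo='sha512'):
    """hash(salt + password), then 2**count_log2 rounds of hash(raw_digest + password)."""
    _, count_log2, salt = parse_setting(setting)
    pw = password.encode('utf-8')
    digest = hashlib.new(algo, salt.encode('ascii') + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.new(algo, digest + pw).digest()
    return (setting[:12] + _b64(digest))[:HASH_LENGTH]


def drupal_hash_password(password, count_log2=15):
    """Fresh random 8-character salt (6 random bytes encoded); cost 2**15 by default."""
    setting = '$S$' + ITOA64[count_log2] + _b64(os.urandom(6))
    return drupal_crypt(password, setting)


def drupal_check_password(password, stored):
    try:
        computed = drupal_crypt(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(computed, stored)


def login_with_upgrade(user, password):
    """Verify a migrated account and move it off the legacy hash on first success.
    'pass', 'legacy_hash' and 'legacy_salt' are assumed field names."""
    if user.get('pass'):
        return drupal_check_password(password, user['pass'])
    if legacy_check(password, user['legacy_hash'], user['legacy_salt']):
        user['pass'] = drupal_hash_password(password)
        user.pop('legacy_hash', None)
        user.pop('legacy_salt', None)
        return True
    return False


def make_legacy_user(password, salt='k9x2'):
    """Constructed sample row in the shape of the question's ASP users table."""
    return {'name': 'alice', 'pass': '',
            'legacy_hash': hashlib.sha1((password + salt).encode('utf-8')).hexdigest(),
            'legacy_salt': salt}


if __name__ == '__main__':
    row = make_legacy_user('correct horse')
    print(login_with_upgrade(row, 'wrong password'), login_with_upgrade(row, 'correct horse'))
    print(row['pass'], parse_setting(row['pass']))
```

Two points worth noting when reading it: parse_setting rejects any count character outside the 7 to 30 window the answer mentions, which is what stops a tampered row from forcing either a trivially cheap hash or a 2**30-round denial of service; and accounts that never log in after the migration keep their sha1 material, so a migration plan should still include a forced reset or expiry for those rows.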

Dave Reid

Reputation: 1270

I would highly suggest the Password module 1.0 branch for this purpose. It provides you with the ability to provide your own custom password.inc file to determine how passwords should be hashed and checked.

Upvotes: 1
