Heya!
I've searched through the files, and found that not all md5 functions are related to user password encryption. Some are just used to create a unique ID or for forum passwords. I decided I only wanted to change user password encryption, and leave all the other md5's alone. This was especially required in some files in admin/, since some debug values were hashed with md5 and compared to hard-coded strings. I didn't want to break that.
For those that are interested, if you want to change user password encryption from md5 to sha1, you should change the following:
In the file usercp.php:
Find:
$logindetails = update_password($mybb->user['uid'], md5($mybb->input['password']), $mybb->user['salt']);
Change to:
$logindetails = update_password($mybb->user['uid'], sha1($mybb->input['password']), $mybb->user['salt']);
In the file member.php:
Find:
$md5password = md5($password);
Change to:
$sha1password = sha1($password);
Find:
$md5password = md5($mybb->input['password']);
Change to:
$sha1password = sha1($mybb->input['password']);
Find:
$saltedpw = salt_password($md5password, $salt);
Change to:
$saltedpw = salt_password($sha1password, $salt);
Find:
$logindetails = update_password($user['uid'], md5($password), $user['salt']);
Change to:
$logindetails = update_password($user['uid'], sha1($password), $user['salt']);
In the file inc/class_sdk.php:
Find:
$query = $this->db->query("SELECT password FROM ".TABLE_PREFIX."users WHERE $uquery AND password='".md5($password)."'");
Change to:
$query = $this->db->query("SELECT password FROM ".TABLE_PREFIX."users WHERE $uquery AND password='".sha1($password)."'");
In the file inc/functions_user.php:
Find:
// Generate a salt for this user and assume the password stored in db is a plain md5 password
Change to:
// Generate a salt for this user and assume the password stored in db is a plain sha1 password
Find:
if(salt_password(md5($password), $user['salt']) == $user['password'])
Change to:
if(salt_password(sha1($password), $user['salt']) == $user['password'])
Find:
// Used to update a password for particular user id in the database (expects password to be md5'd once)
Change to:
// Used to update a password for particular user id in the database (expects password to be sha1'd once)
Find:
// Salt's $password based on $salt (expects $password to be md5'd once)
Change to:
// Salt's $password based on $salt (expects $password to be sha1'd once)
Find:
return md5(md5($salt).$password);
Change to:
return sha1(sha1($salt).$password);
In the file admin/global.php:
Find:
$md5pw = md5($mybb->input['password']);
Change to:
$sha1pw = sha1($mybb->input['password']);
Find:
$lang->invalidlogin_message = sprintf($lang->invalidlogin_message, $mybb->settings['bbname'], $mybb->input['username'], $mybb->input['password'], $md5pw, $ipaddress, $iphost);
Change to:
$lang->invalidlogin_message = sprintf($lang->invalidlogin_message, $mybb->settings['bbname'], $mybb->input['username'], $mybb->input['password'], $sha1pw, $ipaddress, $iphost);
In the file admin/users.php:
Find:
$md5password = md5($mybb->input['newpassword']);
Change to:
$sha1password = sha1($mybb->input['newpassword']);
Find:
$md5password = salt_password($md5password, $salt);
Change to:
$sha1password = salt_password($sha1password, $salt);
Find:
"password" => $md5password,
Change to:
"password" => $sha1password,
Find:
update_password($user['uid'], md5($mybb->input['newpassword']), $user['salt']);
Change to:
update_password($user['uid'], sha1($mybb->input['newpassword']), $user['salt']);
As you can see in the above modifications, I've also changed variable names and comments for consistency's sake.
Once the above is changed, a user should log out and use the "I forgot my password" feature to have MyBB generate a new sha1 password in the database. After he has logged in with his newly generated random password, he can change it back to his old one in the user panel and all will be fine.
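
Why the password reset in the last step is needed, and one alternative to it, as an added example that is not part of the original post or of MyBB: a row hashed under the md5 scheme stops matching once the edits are applied, so the login check here falls back to the old scheme and re-hashes on success. The two salt_password_* functions copy the bodies quoted above; verify_and_upgrade(), the sample row and the 32-versus-40 length test are assumptions made for illustration.

```php
<?php
// Added example, not MyBB code. The two functions below mirror the
// salt_password() bodies quoted in the post; the rest is hypothetical.
function salt_password_md5(string $oncehashed, string $salt): string
{
    return md5(md5($salt) . $oncehashed);
}

function salt_password_sha1(string $oncehashed, string $salt): string
{
    return sha1(sha1($salt) . $oncehashed);
}

// Verify $password against a user row and upgrade a legacy md5 row in place.
// Returns [bool $ok, array $user]; the caller persists $user when it changed.
function verify_and_upgrade(array $user, string $password): array
{
    $sha1 = salt_password_sha1(sha1($password), $user['salt']);
    if (hash_equals($user['password'], $sha1)) {   // constant-time compare
        return [true, $user];
    }
    // Legacy rows hold 32 hex characters (md5); sha1 rows hold 40.
    if (strlen($user['password']) === 32) {
        $md5 = salt_password_md5(md5($password), $user['salt']);
        if (hash_equals($user['password'], $md5)) {
            // sha1 is still a fast hash; the same pattern can target password_hash().
            $user['password'] = $sha1;             // re-hash while the plaintext is in hand
            return [true, $user];
        }
    }
    return [false, $user];
}

// Constructed sample row, created under the original md5 scheme.
$salt = 'aB3dE6gH';
$user = ['uid' => 1, 'salt' => $salt,
         'password' => salt_password_md5(md5('correct horse'), $salt)];

// The check from the edited inc/functions_user.php against the unchanged row.
var_dump(salt_password_sha1(sha1('correct horse'), $salt) === $user['password']);

[$ok, $user] = verify_and_upgrade($user, 'wrong guess');      // wrong password
var_dump($ok, strlen($user['password']));
[$ok, $user] = verify_and_upgrade($user, 'correct horse');    // legacy row, correct password
var_dump($ok, strlen($user['password']));
[$ok, $user] = verify_and_upgrade($user, 'correct horse');    // second login, sha1 path
var_dump($ok);
```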