SMF 1.1.4 uses SHA-1 with a salt. You would think that the passwordSalt in the database is used as the salt, but it isn't. That's probably a field that was used in old versions. Instead, the membername is used as the salt, but *before* the password, not *after*, as most search results indicated.
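I finally found this link to a PHP file that is *not* in the distribution.

    $register_vars = array(
        'memberName' => "'$username'",
        'realName' => "'$username'",
        // The lowercased username is prepended to the password before hashing.
        'passwd' => '\'' . sha1(strtolower($username) . $password) . '\'',
        // passwordSalt is generated here but is not part of the passwd hash.
        'passwordSalt' => '\'' . substr(md5(rand()), 0, 4) . '\'',
        // (excerpt; the remaining fields are not shown)
    );
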
So I tried this Java code:

    sha1(username.toLowerCase() + password);

That worked!
Here is the source for the sha1 method:
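
    import java.security.GeneralSecurityException;
    import java.security.MessageDigest;
    public static String sha1(String data) {
        try {
            byte[] bytes = data.getBytes(); // platform default charset
            MessageDigest md5er = MessageDigest.getInstance("SHA-1");
            byte[] hash = md5er.digest(bytes);
            return bytes2hex(hash);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    private static String bytes2hex(byte[] bytes) {
        StringBuffer r = new StringBuffer(32);
        for (int i = 0; i < bytes.length; i++) {
            String x = Integer.toHexString(bytes[i] & 0xff);
            if (x.length() < 2) r.append("0"); // keep two hex digits per byte
            r.append(x);
        }
        return r.toString();
    }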
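
An added example (not from the original post and not SMF code): a small Java check that takes a test account whose password you know and reports which construction produced its stored hash, covering the two orderings and the passwordSalt variants discussed above. The class name, the candidate list, the UTF-8 encoding and the sample account are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class SmfHashCheck {
    static String sha1Hex(String data) {
        try {
            // Assumption: UTF-8; identical to the default charset for ASCII input.
            byte[] h = MessageDigest.getInstance("SHA-1")
                    .digest(data.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(40);
            for (byte b : h) sb.append(String.format("%02x", b & 0xff));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Candidate constructions, tried in insertion order.
    static Map<String, String> candidates(String user, String pw, String salt) {
        String u = user.toLowerCase(Locale.ROOT); // mirrors strtolower() for ASCII names
        Map<String, String> c = new LinkedHashMap<>();
        c.put("sha1(lower(user) + password)", sha1Hex(u + pw));
        c.put("sha1(password + lower(user))", sha1Hex(pw + u));
        c.put("sha1(passwordSalt + password)", sha1Hex(salt + pw));
        c.put("sha1(password + passwordSalt)", sha1Hex(pw + salt));
        return c;
    }

    // Returns the name of the construction matching the stored hash, or null.
    static String identify(String user, String pw, String salt, String stored) {
        byte[] want = stored.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        for (Map.Entry<String, String> e : candidates(user, pw, salt).entrySet()) {
            byte[] got = e.getValue().getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(want, got)) return e.getKey(); // constant-time compare
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed test account; "stored" is computed the way the PHP excerpt does.
        String user = "Alice", pw = "correct horse", salt = "a1b2";
        String stored = sha1Hex(user.toLowerCase(Locale.ROOT) + pw);
        System.out.println(identify(user, pw, salt, stored));
        System.out.println(identify("ALICE", pw, salt, stored));   // other casing of the name
        System.out.println(identify(user, "wrong", salt, stored)); // wrong password
    }
}
```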