Took a while to figure out, but, the information on how passwords are treated in IPB is explained here:
In the middle of that page is this:
The $password, $email_address and $username variables that are passed to this method have already been run through the IP.Board input cleansing routines, meaning certain characters have been replaced with HTML entities. If your external application does not do the same thing, this may mean usernames or passwords with special characters will fail if you do not account for this. The special characters that IP.Board will replace are:
- & to & (do this first so that you don't double convert any others below)
- \ to \ ; ( no space between 2 and ; )
- ! to !
- $ to $
- " to "
- < to <
- > to >
- ' to '
The XenForo module that authenticates IPB login credentials does not take this into account. It just does the basic: return md5(md5($salt) . md5($password)); operation.
I made an edit in: ./library/XenForo/Authentication/IPBoard.php - adding a function to do the same character substitutions prior to testing the hash, and that addressed the problem.
When researching this, I was surprised it wasn't found before this. There are a couple threads here about passwords not always working on some IPB imports, but, nothing about this.