MyBB Community Forums

Full Version: Implement bcrypt to Mybb?
Okay, let's believe MD5 is not as secure as bcrypt, but if you have a strong NON-DICTIONARY password, you will hardly have a problem. Although we cannot guarantee that for other users in the database, so in the end, MD5 may be defeated.
(2012-06-28, 06:02 AM)crazy4cs Wrote: [ -> ]Okay, let's believe MD5 is not as secure as bcrypt, but if you have a strong NON-DICTIONARY password, you will hardly have a problem. Although we cannot guarantee that for other users in the database, so in the end, MD5 may be defeated.

MD5 is not really secure because:

1) Actually, it's very fast to calculate and with modern CPUs and GPUs this is a problem

2) It's cryptographically broken

From Wikipedia

A 2009 attack by Tao Xie and Dengguo Feng breaks MD5 collision resistance in 2^20.96 time. This attack runs in a few seconds on a regular computer.
You may be correct on your point, but there are a lot of non-dictionary words, something that has happened in our life or that we relate with, and many passwords are built in accordance with that and I think it's far impossible to break them.
(2012-06-28, 10:52 AM)crazy4cs Wrote: [ -> ]You may be correct on your point, but there are a lot of non-dictionary words, something that has happened in our life or that we relate with, and many passwords are built in accordance with that and I think it's far impossible to break them.

I'm sorry, but you're just wrong here. As I explained earlier, it's got nothing to do with whether they're dictionary words or not. In fact, I'm maybe going to have a little play and write some software to crack these, just to prove my point to you.
(2012-06-28, 10:52 AM)crazy4cs Wrote: [ -> ]You may be correct on your point, but there are a lot of non-dictionary words, something that has happened in our life or that we relate with, and many passwords are built in accordance with that and I think it's far impossible to break them.

I'm not talking about dictionary words...

This is not the "2009 attack", but try this
http://hashcat.net
on a system with a powerful CPU and GPU (ATI or NVIDIA).
Since MD5 is hashed (and not encrypted), you will need to store the salt and MD5 for each user until that user has successfully logged in. Otherwise all your users will lose their passwords. See the Merge System for one possible implementation.

When someone attempts to log in:
1. Try to validate against the new system.
2. If that fails, validate against the old system. If it succeeds, convert the known password to the new encrypted / hashed system.
3. If old system fails, display message about invalid username / password combination.
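
The three login steps described above, as an added example (not part of the original post and not MyBB's own code). It assumes PHP 7+, a constructed `$user` row with hypothetical `md5`, `salt` and `bcrypt` fields, and a legacy salted scheme of the form md5(md5(salt) . md5(password)).

```php
<?php
// Added example. Field and function names are hypothetical, not MyBB's schema or API.
const BCRYPT_COST = 12; // assumed work factor; tune to your hardware

// Assumed legacy scheme: salted double MD5, md5(md5(salt) . md5(password)).
function legacy_hash(string $password, string $salt): string
{
    return md5(md5($salt) . md5($password));
}

function new_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Returns true on a valid login; $user is updated in place so the caller can save it.
function login(array &$user, string $password): bool
{
    // 1. Try to validate against the new system.
    if ($user['bcrypt'] !== null && password_verify($password, $user['bcrypt'])) {
        // Re-hash if the stored cost is lower than the current setting.
        if (password_needs_rehash($user['bcrypt'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
            $user['bcrypt'] = new_hash($password);
        }
        return true;
    }
    // 2. Fall back to the old system; on success convert while the plaintext is known.
    if ($user['md5'] !== null
        && hash_equals($user['md5'], legacy_hash($password, $user['salt']))) {
        $user['bcrypt'] = new_hash($password);
        $user['md5'] = $user['salt'] = null; // drop the weak hash once converted
        return true;
    }
    // 3. Both failed: caller shows the generic invalid username / password message.
    return false;
}

// Constructed sample row for a user who has not logged in since the switch.
$user = ['salt' => 'Xy3kQ9pL', 'md5' => legacy_hash('correct horse', 'Xy3kQ9pL'), 'bcrypt' => null];

var_dump(login($user, 'wrong guess'));   // old hash is kept, nothing converted
var_dump(login($user, 'correct horse')); // validates via MD5, converts to bcrypt
var_dump($user['md5'], substr($user['bcrypt'], 0, 7)); // legacy hash gone, bcrypt prefix set
var_dump(login($user, 'correct horse')); // now validates via bcrypt only
```

Rows for users who never log in again keep their salted MD5 hash, since the conversion needs the plaintext password at login time.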