MyBB Community Forums

Full Version: Implement bcrypt to Mybb?
Hello everyone!

I'm not very experienced with PHP, but I'm just curious if there's any quick and easy way to implement bcrypt to hash the passwords on my MyBB forum to add an extra layer of protection. I suspect right now by default MyBB uses md5 + salt or something like that, and I don't think that's secure enough (and it's not).

I'm well aware that implementing bcrypt will put extra load on my CPU and all that, so you don't have to tell me that. Thanks in advance.
It would take a bit of work as you'd have to modify the table schema and any core files relating to logins/registrations. It is possible though and shouldn't be too hard with a basic knowledge of PHP.
(2012-06-26, 06:54 AM)euantor Wrote: It would take a bit of work as you'd have to modify the table schema and any core files relating to logins/registrations. It is possible though and shouldn't be too hard with a basic knowledge of PHP.

Sounds promising. What should I start doing to implement bcrypt?
First thing would be to alter the mybb_users table to remove the salt column and ensure the password column is long enough to store a bcrypt hash. Next thing would be to build a function to encrypt the password using bcrypt then modify the current login and registration functions.
(2012-06-26, 09:22 AM)euantor Wrote: First thing would be to alter the mybb_users table to remove the salt column and ensure the password column is long enough to store a bcrypt hash. Next thing would be to build a function to encrypt the password using bcrypt then modify the current login and registration functions.

I'm sorry, my knowledge is very limited when it comes to PHP, but I'll give it a try.

I've deleted the salt column in my db and the password column is varchar 120 (is that enough?).
Now when it comes to building the bcrypt function I'm pretty lost. I think member.php is the login function (not sure if you call it that) and there I found:

		$password = random_str($password_length);
		$logindetails = update_password($user['uid'], md5($password), $user['salt']);
And I think I should edit that to something like:
$hash = $bcrypt->hash('password');
$isGood = $bcrypt->verify('password', $hash);
Yes, member.php handles all logins and registrations. Maybe this blog post will help you understand better how it should all work: http://michaelwright.me/php-password-storage
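
The steps discussed above (a bcrypt hashing function, then changed login and registration checks), sketched as an added example that is not part of the original thread or of MyBB's code. The function names, the `$user` row shape and the cost value are hypothetical, and it assumes legacy rows hold md5(md5(salt) . md5(password)) with the old salt still available until each account has logged in once.

```php
<?php
// Added example, not MyBB code; function names and the $user row shape are hypothetical.
const BCRYPT_COST = 12; // assumed work factor, tune it to your hardware

// Registration and password change. The result is a 60-character "$2y$..." string
// that embeds its own random salt. bcrypt reads only the first 72 bytes of input.
function hash_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Login. Returns [bool $ok, ?string $newHash]; when $newHash is not null the
// caller writes it to the password column for this user.
function verify_login(string $plain, array $user): array
{
    $stored = $user['password'];
    if (strncmp($stored, '$2y$', 4) === 0) {
        // Already converted: password_verify() compares in constant time
        if (!password_verify($plain, $stored)) {
            return [false, null];
        }
        $stale = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        return [true, $stale ? hash_password($plain) : null];
    }
    // Legacy row, assumed format: md5(md5(salt) . md5(password))
    $legacy = md5(md5($user['salt']) . md5($plain));
    if (!hash_equals($stored, $legacy)) {
        return [false, null];
    }
    return [true, hash_password($plain)]; // upgrade on first successful login
}

// Constructed sample row for the password "correct horse"
$salt = 'aB3dE6gH';
$row = ['salt' => $salt, 'password' => md5(md5($salt) . md5('correct horse'))];

[$ok, $newHash] = verify_login('correct horse', $row);
printf("legacy login ok=%s, new hash length=%d\n", var_export($ok, true), strlen($newHash));

$row = ['salt' => '', 'password' => $newHash]; // row after the upgrade was stored
[$ok, $again] = verify_login('correct horse', $row);
printf("bcrypt login ok=%s, rehash needed=%s\n", var_export($ok, true), var_export($again !== null, true));

[$ok] = verify_login('wrong guess', $row);
printf("wrong password ok=%s\n", var_export($ok, true));
```

Rows whose legacy salt is no longer available cannot be checked this way, so those accounts would need a password reset instead.
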
(2012-06-26, 09:58 AM)euantor Wrote: Yes, member.php handles all logins and registrations. Maybe this blog post will help you understand better how it should all work: http://michaelwright.me/php-password-storage

Yeah, thanks, but I can't figure out how to use my knowledge to change the code.
How can you say md5 is not strong enough? One can hardly find any luck to crack md5s.
(2012-06-26, 10:05 AM)crazy4cs Wrote: How can you say md5 is not strong enough? One can hardly find any luck to crack md5s.

Because it isn't. Read the blog post I linked to above.
Euantor, that blog post doesn't mention anything bad about md5? Unless you're talking about just salt.