MyBB Community Forums

Full Version: Modified Password Hashing
Hello,

I had a look into the following thread http://community.mybb.com/thread-104768.html

And wondered if I might be able to do this myself.

In the functions-user.php file the following can be seen on line 198

function salt_password($password, $salt)
{
	return md5(md5($salt).$password);
}

I edited it to the following in the hope that it would make all new users have passwords salted with the random salt and the one specified in the config.

function salt_password($password, $salt)
{
	return md5(md5($salt).$password.$config['passwordSalt']);
}

After the edit, I logged out of my admin account that was created before that edit and found I could log in again easily. I think this means I stuffed something up because what I wanted to achieve should make all existing accounts unusable unless the password is manually reset.
I also tried messing with the manual stuff to match the password for the new user in the db.

Sorry for bad English.

Am I on the right track?
Is there anything else I need to edit?
Could anyone tell me how I could do this please?

Thanks in advance.
You need to globalize $config, otherwise $config['passwordSalt'] is empty.

function salt_password($password, $salt)
{
    global $config;
    return md5(md5($salt).$password.$config['passwordSalt']);
}

I'm not sure what other issues you might run into besides all users having to reset their passwords.
Also, this actually won't help that much as the salt in the config will be the same for all users.
With this change the hacker only needs one known password (by registering an account himself) to brute-force the passwordSalt and then you're back to square one. Of course if you make the passwordSalt very long, it could still help in a case where someone accesses your database but not your files. Then again, write access to the database in MyBB automatically means PHP code execution which means they can get at the passwordSalt even without doing anything extra.

So: It's not worth the trouble. Especially if you overwrite that file when you update and then find yourself unable to log in.
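To make the scoping point above concrete, here is an added demonstration (not code from the thread or from MyBB itself) that runs the original salt_password(), the poster's edit without "global", and the globalized version side by side; the $config['passwordSalt'], salt and password values are constructed samples.

```php
<?php
// Added demonstration: why the un-globalized edit left existing logins working.
// Sample pepper value, constructed for this example.
$config = array('passwordSalt' => 'example-pepper-change-me');

// MyBB's scheme as quoted in the thread: md5 of the per-user salt, then the password.
function salt_password_original($password, $salt)
{
    return md5(md5($salt).$password);
}

// The poster's edit as written: $config is not visible inside the function, so
// $config['passwordSalt'] is null (PHP emits a warning, silenced here with @) and
// concatenates as an empty string. The hash therefore equals the original one,
// which is why the pre-edit admin account could still log in.
function salt_password_no_global($password, $salt)
{
    return md5(md5($salt).$password.@$config['passwordSalt']);
}

// The corrected edit: with "global $config" the pepper really is appended,
// so every existing hash stops matching until the password is reset.
function salt_password_with_global($password, $salt)
{
    global $config;
    return md5(md5($salt).$password.$config['passwordSalt']);
}

$salt     = 'Ab3dEf9h';       // constructed stand-in for MyBB's random per-user salt
$password = 'correct horse';  // constructed sample password

$original   = salt_password_original($password, $salt);
$noGlobal   = salt_password_no_global($password, $salt);
$withGlobal = salt_password_with_global($password, $salt);

echo "original       : $original\n";
echo "without global : $noGlobal\n";
echo "with global    : $withGlobal\n";
echo "without global equals original: " . var_export($original === $noGlobal, true) . "\n";
echo "with global equals original   : " . var_export($original === $withGlobal, true) . "\n";
```

Running it prints two identical hashes for the first two lines and a different one for the third, which is the quickest way to confirm whether a modified salt_password() actually changed the stored format.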
Thanks for the info everyone, I'll make sure the salt is more than 20 chars.

I am building a forum from scratch so it's really no loss for me to attempt this :)
Why use a config variable? Just hard code a random string in your function. One less file to worry about when upgrading.
(2012-12-29, 10:58 AM)Yumi Wrote: Why use a config variable? Just hard code a random string in your function. One less file to worry about when upgrading.

IMHO you should never hard code a setting as it makes it that harder later on to change when dealing with a lot of code.
(2013-01-01, 10:18 AM)pcfreak30 Wrote: IMHO you should never hard code a setting as it makes it that harder later on to change when dealing with a lot of code.
Let me guess - you just read some newbie guide to code design?