ok so i know md5 is almost "impossible" to decrypt especially when salted but i have this thought in my head.
ok so when you register an account on any mybb forum it incrypts and salts your password but when you login it has to decrypt and read your password as plain texts which decrypts it. now if you were to reverse the system so that if you type the username and click "login" it will show the password in plain text (you would have to kill the process to login so the page doesnt redirect.)
isnt this a potential threat to people who use mybb? because as i thought about it makes sense especially if there is a web design with alot of time put in he will know what he is doing. Now i know this could be possible because it has to decrypt and read as plain text to tell the system to give you authorization.
i would like to know from a developer that this is not possible with a detailed explanation on why because like i said it seems possible to me because nothing is what you say "impossible".
thank you for reading and i hope to get an answer
That's not how MD5 works. MD5 is a message digest algorithm, it turns a plain text string into a series of numbers and letters.
MyBB's method is (last I checked):
md5(md5($password.$salt).$salt)
This means MyBB takes the password and appends the salt. Then it takes that string and runs it through MD5. It then appends the salt once more, to the md4'ed string and runs it through md5() again. This value is stored in the database.
Now, when you login ABSOLUTELY no "decrypting" is done - you can't decrypt it. Instead, the salt is taken from the database (it's stored separately) and that is combined with the password you typed in to produce a hash once more. If this hash matches the hash in the database, they must be the same password, because md5 produces the same hash every time.
Now, md5 isn't without its flaws, but that certainly isn't one
Thanks
Now, a site owner could easily modify MyBB to store your username and password in a plain text format. Any site owner could do this, Facebook, Google, MyBB.com? It all comes down to trusting the owner. You should never sign to to a site you don't trust
Either way, bruting MD5 is possible with latest machines with good specs which can decrypt hashes way fast.
But the way you're telling (from what I understand) isn't right. MyBB doesn't decrypt the password/hash into plain text as you're saying for a check. It instead encrypts through its algorithms the input password and see if the input encrypted hash matches with the stored hash in the database; if yes, password matches, if not, it gives an error and thus denies the login.
Quote:You should never sign to to a site you don't trust
I'll go one further, never use the same password for every site.
IMO encrypt is the wrong word to use. Anything that can be encrypted can be decrypted. That is why you never do anything like base64_encode a password. MD5 is a one way hash. It is impossible (as far as I know) to reverse-engineer it.
MyBB does not "decrypt" your password. The one you supply is hashed and that hash is compared.
A nice little way I like to think of it is like this.
Encryption/Decryption:
Taking a string, applying a function, getting an encrypted string.
EG:
Encryption: mybbiscool -> loocsibbym
Decryption: loocsibbym -> mybbiscool
Hashing (message digests):
One way functions that don't allow you to go back.
EG:
mybbiscool -> mbico (remove every other letter)
There is no way to know what was digested.
Pretty basic but does the job of explaining
Liked Toms explanation. Simple and effective way to put it. Second Ben never use same password on multiple sites even if its easy to do so. Instead if its tough for you to keep track of passwords use a password manager.
(2013-08-27, 11:11 AM)Tom K. Wrote: [ -> ]A nice little way I like to think of it is like this.
Encryption/Decryption:
Taking a string, applying a function, getting an encrypted string.
EG:
Encryption: mybbiscool -> loocsibbym
Decryption: loocsibbym -> mybbiscool
Hashing (message digests):
One way functions that don't allow you to go back.
EG:
mybbiscool -> mbico (remove every other letter)
There is no way to know what was digested.
Pretty basic but does the job of explaining
Great explanation!
I am trying to replicate this. Essentially what i am trying to do is have my server be able to read/ share credentials with my mybb's mysql db. Its a minecraft server, could you or anyone else help? (if this is in the wrong section will someone say so, just joined.)
(2015-10-02, 04:39 AM)exalented Wrote: [ -> ] (2013-08-27, 11:11 AM)Tom K. Wrote: [ -> ]A nice little way I like to think of it is like this.
Encryption/Decryption:
Taking a string, applying a function, getting an encrypted string.
EG:
Encryption: mybbiscool -> loocsibbym
Decryption: loocsibbym -> mybbiscool
Hashing (message digests):
One way functions that don't allow you to go back.
EG:
mybbiscool -> mbico (remove every other letter)
There is no way to know what was digested.
Pretty basic but does the job of explaining
Great explanation!
I am trying to replicate this. Essentially what i am trying to do is have my server be able to read/ share credentials with my mybb's mysql db. Its a minecraft server, could you or anyone else help? (if this is in the wrong section will someone say so, just joined.)
That's fairly simple to achieve.
All you need to do is to work out what your users table is (hint, mybb_users) - authenticate with it and use the same hashing algorithm which is md5(md5($salt).md5($password))
I've actually done this before.
(2015-10-02, 04:50 AM)Ben Cousins Wrote: [ -> ] (2015-10-02, 04:39 AM)exalented Wrote: [ -> ] (2013-08-27, 11:11 AM)Tom K. Wrote: [ -> ]A nice little way I like to think of it is like this.
Encryption/Decryption:
Taking a string, applying a function, getting an encrypted string.
EG:
Encryption: mybbiscool -> loocsibbym
Decryption: loocsibbym -> mybbiscool
Hashing (message digests):
One way functions that don't allow you to go back.
EG:
mybbiscool -> mbico (remove every other letter)
There is no way to know what was digested.
Pretty basic but does the job of explaining
Great explanation!
I am trying to replicate this. Essentially what i am trying to do is have my server be able to read/ share credentials with my mybb's mysql db. Its a minecraft server, could you or anyone else help? (if this is in the wrong section will someone say so, just joined.)
That's fairly simple to achieve.
All you need to do is to work out what your users table is (hint, mybb_users) - authenticate with it and use the same hashing algorithm which is md5(md5($salt).md5($password))
I've actually done this before.
Yes, i have figured the first part (users table) but not an algorithm equivalent in java.
Also, when using a salt is it a generated value or a static value that mybb has? Can i retrieve this?