MyBB Community Forums

Full Version: md5 encrypt secret pin
- Open /admin/index.php and find

if(!empty($config['secret_pin']) && (empty($mybb->input['pin']) || $mybb->input['pin'] != $config['secret_pin']))

replace it with

if(!empty($config['secret_pin']) && (empty($mybb->input['pin']) || md5($mybb->input['pin']) !== $config['secret_pin']))

- Open /inc/config.php find

$config['secret_pin'] = 'secret pin';

- Replace secret pin with the md5 encrypted secret pin


Sorry, my English is very bad.
If you are going to encrypt the pin, you might as well do a stronger hashing algorithm. md5 is certainly not one of the most secure encryption methods and is best for doing checksums.
We can replace md5 with sha1 or other algorithms.
(2015-04-15, 02:58 PM)dragonexpert Wrote: If you are going to encrypt the pin, you might as well do a stronger hashing algorithm. md5 is certainly not one of the most secure encryption methods and is best for doing checksums.

why isn't this core though?
(2015-04-15, 04:52 PM)Shemo Wrote:
(2015-04-15, 02:58 PM)dragonexpert Wrote: If you are going to encrypt the pin, you might as well do a stronger hashing algorithm. md5 is certainly not one of the most secure encryption methods and is best for doing checksums.

why isn't this core though?

Hashing the PIN code would make the maintenance more difficult as the mechanism is pretty much hard-coded - the administrators would have to use an external tool to compute the hash (while that can be done automatically during the installation, there are no tools to manage that passphrase afterwards). PIN code suggests a sequence of digits (a short one) and there is no point in hashing it because such a sequence can be guessed (match a plaintext to the hash) in real time, regardless of the algorithm used (the entropy is too poor to provide any kind of protection in that case).
In this case the developers probably assumed that the gap between security and convenience would be too high.
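
The entropy argument from the last reply, as an added example that is not part of the original thread and is not MyBB code: it times hashing the full keyspace of a 4-digit PIN under md5, sha1 and sha256, then measures the per-check cost of a salted bcrypt hash produced with PHP's password_hash(). The PIN value and the function name exhaust_pin_space() are assumptions made for illustration.

```php
<?php
// Added example, not MyBB code. The PIN below is a constructed sample value.

/**
 * Hash every PIN of $digits digits with $algo and compare against the
 * stored digest. Returns [matching PIN or null, elapsed seconds].
 */
function exhaust_pin_space(string $storedDigest, string $algo, int $digits): array
{
    $start = microtime(true);
    $found = null;
    $max = 10 ** $digits;
    for ($i = 0; $i < $max; $i++) {
        $candidate = str_pad((string)$i, $digits, '0', STR_PAD_LEFT);
        // hash_equals() is a strict, timing-safe string comparison; it also
        // avoids PHP's loose comparison treating "0e..." digests as equal numbers.
        if (hash_equals($storedDigest, hash($algo, $candidate))) {
            $found = $candidate;
            break;
        }
    }
    return [$found, microtime(true) - $start];
}

$pin = '4821'; // constructed sample PIN
$space = 10 ** strlen($pin);

// Fast, unsalted digests: the algorithm changes the timing only marginally.
foreach (['md5', 'sha1', 'sha256'] as $algo) {
    [$found, $seconds] = exhaust_pin_space(hash($algo, $pin), $algo, strlen($pin));
    printf("%-6s matched=%s after %.4f s\n", $algo, $found, $seconds);
}

// Salted, slow hash: each check costs more, but the keyspace is unchanged.
$stored = password_hash($pin, PASSWORD_BCRYPT, ['cost' => 12]);
$t = microtime(true);
$ok = password_verify($pin, $stored);
$perCheck = microtime(true) - $t;
printf(
    "bcrypt verify=%s, %.3f s per check, about %.0f s for all %d PINs\n",
    $ok ? 'ok' : 'fail',
    $perCheck,
    $perCheck * $space,
    $space
);
```

Run it with the PHP CLI; the printed timings depend on the machine, so compare them relative to each other rather than as absolute figures.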