I'm in the process of creating my own register/login script and I've noticed MyBB does a great job at securing passwords. It uses a different hash for every user. However, I want to get one thing straight. When MyBB protects a password, what order does it go in? To my understanding, it's this order:
Password -> MD5 -> Hash
I'm not sure if that's correct, but I'd like to know.
Now onto my next question: for creating a salt, there are a lot of different methods, but I notice MyBB uses its own function (generate_salt) to do it all. My question is, why not use password_hash? It is built into PHP and is known to be safe.
Well, that's all the questions I have for today. Please get back to me.
(2015-05-13, 10:39 PM)Achilles Wrote: [ -> ]It uses a different hash for every user.
A different salt in order to prevent dictionary and rainbow table attacks.
Quote:When MyBB protects a password, what order does it go in?
The final password hash is generated with the password and a random salt as input:
md5(md5($salt).md5($password))
Quote:Now onto my next question: for creating a salt, there are a lot of different methods, but I notice MyBB uses its own function (generate_salt) to do it all. My question is, why not use password_hash? It is built into PHP and is known to be safe.
password_hash() was introduced in PHP 5.5 - MyBB is expected to run on PHP 5.2 or newer. The algorithm itself will not be changed in the 1.8 series due to compatibility reasons (bcrypt is planned in 2.0 though).
(2015-05-13, 11:46 PM)Devilshakerz Wrote: [ -> ](bcrypt is planned in 2.0 though).
And I, for one, would fully support this.
BCrypt is used in 2.0. We use the password_compat library there to provide support for it back to PHP 5.4. Using anything less than BCrypt for something written now is a mistake.
Ok! Wow! Thank you for the feedback! Here's my last question.
I don't quite fully understand the new Password_Hash. If MyBB was to include this in MyBB 2.0, would MyBB still use MD5's and Salts?
The reason I ask is because I plan on using Password_Hash, but I'm not sure how to go about it. I'm guessing I'd still use the MyBB order md5(md5($salt).md5($password))
(2015-05-14, 09:09 AM)Achilles Wrote: [ -> ]If MyBB was to include this in MyBB 2.0, would MyBB still use MD5's and Salts?
bcrypt is an alternative solution to using MD5 with a salt. The final bcrypt output contains a salt as well and makes it harder to guess the original password because it takes more resources (processing effort) to generate a hash.
The password hashes from 1.8 will need to be regenerated in order to be stored using bcrypt (e.g. on first login, when the password is provided).
Quote:The reason I ask is because I plan on using Password_Hash, but I'm not sure how to go about it. I'm guessing I'd still use the MyBB order md5(md5($salt).md5($password))
If you need these to be compatible with MyBB - yes, otherwise the recommendation is to use bcrypt or similar solutions (e.g. PBKDF2).
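The regenerate-on-first-login approach described above, as an added example that is not part of the original thread and not MyBB's own code: it checks a stored hash with the legacy md5(md5($salt).md5($password)) formula, then replaces it with a bcrypt hash from password_hash(). The record layout (`hash`, `salt`), the function names, the cost of 12 and the sample values are assumptions.

```php
<?php
// Legacy formula quoted in the thread.
function legacy_hash(string $password, string $salt): string
{
    return md5(md5($salt) . md5($password));
}

/**
 * Check a login and upgrade the stored hash when it is still in the legacy format.
 * $user is a hypothetical record: ['hash' => string, 'salt' => string].
 * Returns [bool $ok, array $user]; the caller saves $user if it changed.
 */
function verify_and_upgrade(string $password, array $user): array
{
    $options = ['cost' => 12]; // assumed work factor, tune for your hardware

    // password_get_info() reports 'unknown' for anything password_hash() did not produce.
    $isLegacy = password_get_info($user['hash'])['algoName'] === 'unknown';

    if ($isLegacy) {
        // hash_equals() compares in constant time.
        $ok = hash_equals($user['hash'], legacy_hash($password, $user['salt']));
    } else {
        $ok = password_verify($password, $user['hash']);
    }
    if (!$ok) {
        return [false, $user];
    }

    // The plaintext is only available now, so this is the moment to re-hash.
    if ($isLegacy || password_needs_rehash($user['hash'], PASSWORD_BCRYPT, $options)) {
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT, $options);
        $user['salt'] = ''; // bcrypt output carries its own salt
    }
    return [true, $user];
}

// Constructed sample record using the legacy scheme.
$salt = 'Ab3dE9xQ';
$user = ['hash' => legacy_hash('correct horse', $salt), 'salt' => $salt];

[$ok, $user] = verify_and_upgrade('correct horse', $user);
var_dump($ok);                                         // login result
var_dump(password_get_info($user['hash'])['algoName']); // algorithm after upgrade

[$okWrong] = verify_and_upgrade('wrong guess', $user);
var_dump($okWrong);                                    // wrong password against the upgraded record
```

Accounts that never log in again keep their legacy hash, so a migration like this usually needs a cutoff after which remaining legacy records are forced through a password reset.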