MyBB Community Forums

Full Version: Securing passwords?
I'm in the process of creating my own register/login script and I've noticed MyBB does a great job at securing passwords. It uses a different hash for every user. However, I want to get one thing straight. When MyBB protects a password, what order does it go in? To my understanding, it's this order:

Password -> MD5 -> Hash

I'm not sure if that's correct, but I'd like to know.

Now onto my next question, for creating a salt, there's a lot of different methods but I notice MyBB uses it's own function (generate_salt) to do it all. My question is, why not use password_hash? It is built into PHP and is known to be safe.

Well that's all the questions I have for today. Please get back to me :)
(2015-05-13, 10:39 PM)Achilles Wrote: It uses a different hash for every user.
A different salt in order to prevent dictionary and rainbow table attacks.

Quote:When MyBB protects a password, what order does it go in?
The final password hash is generated with the password and a random salt as input:
md5(md5($salt).md5($password))

Quote:Now onto my next question, for creating a salt, there's a lot of different methods but I notice MyBB uses it's own function (generate_salt) to do it all. My question is, why not use password_hash? It is built into PHP and is known to be safe.
password_hash() was introduced in PHP 5.5 - MyBB is expected to run on PHP 5.2 or newer. The algorithm itself will not be changed in the 1.8 series due to compatibility reasons (bcrypt is planned in 2.0 though).
(2015-05-13, 11:46 PM)Devilshakerz Wrote: (bcrypt is planned in 2.0 though).

And I, for one, would fully support this.
BCrypt is used in 2.0. We use the password_compat library there to provide support for it back to PHP 5.4. Using anything less than BCrypt for something written now is a mistake.
Ok! Wow! Thank you for the feedback! Here's my last question.

I don't quite fully understand the new password_hash(). If MyBB was to include this in MyBB 2.0, would MyBB still use MD5s and salts?

The reason I ask is because I plan on using password_hash(), but I'm not sure how to go about it. I'm guessing I'd still use the MyBB order md5(md5($salt).md5($password))
(2015-05-14, 09:09 AM)Achilles Wrote: If MyBB was to include this in MyBB 2.0, would MyBB still use MD5s and salts?
bcrypt is an alternative solution to using MD5 with a salt. The final bcrypt output contains salt as well and makes it harder to guess the original password because it takes more resources (processing effort) to generate a hash.
The password hashes from 1.8 will need to be regenerated in order to be stored using bcrypt (e.g. on first login, when the password is provided).

Quote:The reason I ask is because I plan on using password_hash(), but I'm not sure how to go about it. I'm guessing I'd still use the MyBB order md5(md5($salt).md5($password))
If you need these to be compatible with MyBB - yes, otherwise the recommendation is to use bcrypt or similar solutions (e.g. PBKDF2).
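The migration-on-first-login idea described in this thread, as an added example that is not MyBB's own code: a user row stored in the 1.8 format (md5(md5($salt).md5($password)) with the salt beside it) is verified with the legacy scheme, and on success rehashed with a salted, iterated algorithm. The thread names bcrypt as the target; this example uses PBKDF2-HMAC-SHA256 (which the reply above lists as a similar solution) because it is in Python's standard library. The row layout, the `pbkdf2_sha256$iterations$salt$hash` string format and the iteration count are assumptions, and the sample row is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; tune to your hardware


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def mybb18_hash(password: str, salt: str) -> str:
    """The MyBB 1.8 scheme quoted in the thread: md5(md5($salt).md5($password))."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as one self-describing string (layout assumed)."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


def login(record: dict, password: str) -> bool:
    """Check a user row in either format; rewrite legacy rows after a successful login.

    Legacy row:   {"scheme": "mybb18", "salt": "...", "hash": "<md5 hex>"}
    Upgraded row: {"scheme": "pbkdf2", "hash": "pbkdf2_sha256$..."}
    """
    if record["scheme"] == "mybb18":
        expected = mybb18_hash(password, record["salt"])
        if not hmac.compare_digest(expected, record["hash"]):
            return False
        # First login after the upgrade: the plaintext is available now, so
        # rehash it and drop the md5 hash and clear-text salt from the row.
        record.clear()
        record.update(scheme="pbkdf2", hash=pbkdf2_hash(password))
        return True
    return pbkdf2_verify(password, record["hash"])


# Constructed sample row (not real MyBB data): a 1.8-style user with salt "a1b2c3d4".
SAMPLE_ROW = {"scheme": "mybb18", "salt": "a1b2c3d4",
              "hash": mybb18_hash("correct horse", "a1b2c3d4")}
```

A wrong password leaves the legacy row untouched, so an attacker cannot trigger the rewrite; only a successful login carries the row forward.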