Has anyone ever SCrypt everything? PM's, tokens etc? Can't find any material on this, I believe Bcrypt will be obsolete soon (it already kind of is) as its vulnerable to FPGA graphics cards.
I believe Scrypt still struggles with ASIC machines built for cracking Scrypt, but Scrypt (like many crypto currencies) is making use of extra RAM which makes ASICS harder to build.
You realise, of course, that MySQL is designed to be lightweight; not to sop up RAM that isn't being used.
I've never used Scrypt however I've found bcrypt to be sufficient for the moment. Obviously as technology advances there will be a need for improved cryptography but for standard use bcrypt is fine.
(2016-09-15, 03:34 AM)Ben Cousins Wrote: [ -> ]You realise, of course, that MySQL is designed to be lightweight; not to sop up RAM that isn't being used.
It's PHP that "sops up all the RAM"
MySQL just stores the hash, this is nothing to worry about
Perhaps it may not be of use to you, but I'm appauled there is not already an article for this.
(2016-09-15, 03:51 PM)Paradigm Wrote: [ -> ]I've never used Scrypt however I've found bcrypt to be sufficient for the moment. Obviously as technology advances there will be a need for improved cryptography but for standard use bcrypt is fine.
Yes but bcrypt is still vulnerable just like MD5 is to GPU's except bcrypt is vulnerable to a setup that cost only $1000, FPGA where as scrypt is only vulnerable to ASIC which is hard to do with a lot of ram and a setup to decrypt this could cost $10,000.
These systems are vulnerable right now. Scrypt is the best thing we have at the time, the fact MyBB comes with MD5 by default is a joke. Even Scrypt will be replaced eventually
(2016-09-16, 09:09 AM)alfred702 Wrote: [ -> ]Yes but bcrypt is still vulnerable just like MD5 is to GPU's except bcrypt is vulnerable to a setup that cost only $1000, FPGA where as scrypt is only vulnerable to ASIC which is hard to do with a lot of ram and a setup to decrypt this could cost $10,000.
You can brute-force any hashing algorithm unless generating a hash takes an infinite amount time... But checking a password shouldn't takes seconds or even longer.
(2016-09-16, 10:20 AM)StefanT Wrote: [ -> ] (2016-09-16, 09:09 AM)alfred702 Wrote: [ -> ]Yes but bcrypt is still vulnerable just like MD5 is to GPU's except bcrypt is vulnerable to a setup that cost only $1000, FPGA where as scrypt is only vulnerable to ASIC which is hard to do with a lot of ram and a setup to decrypt this could cost $10,000.
You can brute-force any hashing algorithm unless generating a hash takes an infinite amount time... But checking a password shouldn't takes seconds or even longer.
The size of the hash hardly implies added stress on the MySQL side. Checking the password would be just as fast as any other algorithm.
The added stress occurs during the hashing in PHP. In theory, the only thing that could overload your server is users registering. But, if you take user privacy seriously, should you not be willing to pay a bit more if it means your attackers would have to have 100x the budget in order to begin an attack?
The generating part, that could take several seconds depending on the length of your hash.
Perhaps if we used a shorter hash we could find a happy balance between speed and efficency, but right now with how many database compromises there has been in the past 5 years, I think it's appauling MyBB ships with MD5 still. Although Bcrypt is good, I believe Scrypt is better.
(2016-09-16, 09:27 AM)Ben Cousins Wrote: [ -> ] (2016-09-16, 09:09 AM)alfred702 Wrote: [ -> ] (2016-09-15, 03:34 AM)Ben Cousins Wrote: [ -> ]You realise, of course, that MySQL is designed to be lightweight; not to sop up RAM that isn't being used.
It's PHP that "sops up all the RAM"
Same comment applies.
How so?
MyBB 2.0 will use BCrypt by default and we will continue to evaluate new hashing schemes (such as
Argon2) as time goes by.
MyBB 1.x is backwards compatible back to PHP 5.2, and the CRYPT_BLOWFISH implementation before PHP 5.3.7 was broken in PHP - see this security bulletin from PHP themselves:
http://php.net/security/crypt_blowfish.php. This is why
password_compat requires PHP 5.3.7+.
(2016-09-18, 09:33 AM)Euan T Wrote: [ -> ]MyBB 2.0 will use BCrypt by default and we will continue to evaluate new hashing schemes (such as Argon2) as time goes by.
MyBB 1.x is backwards compatible back to PHP 5.2, and the CRYPT_BLOWFISH implementation before PHP 5.3.7 was broken in PHP - see this security bulletin from PHP themselves: http://php.net/security/crypt_blowfish.php. This is why password_compat requires PHP 5.3.7+.
There have been so many security fixes; those versions are vulnerable and should not be used anyways. You shouldn't waste your time worrying about "hosting compatibility"
There are many things wrong with MyBB that makes you guys look sloppy like being able to private message yourself? How did you get away with that? Maybe you need to hire me
(2016-09-19, 04:57 AM)alfred702 Wrote: [ -> ]There have been so many security fixes; those versions are vulnerable and should not be used anyways. You shouldn't waste your time worrying about "hosting compatibility"
MyBB collects anonymous statistics upon installation and the team can see which PHP versions are in use. Regardless of the fact you don't make breaking changes in a bug fix release, a significant amount of MyBB forums in recent years still run on older PHP versions. This is mostly due to hosting providers wanting to make sure legacy scripts run without issue. With MyBB 2.0 the minimum PHP version requirement will be 7.0. This is because it's a full rewrite and the team can make breaking changes.
(2016-09-19, 04:57 AM)alfred702 Wrote: [ -> ]There are many things wrong with MyBB that makes you guys look sloppy like being able to private message yourself? How did you get away with that? Maybe you need to hire me
With that elitist attitude don't expect anyone to take your suggestions seriously. Everyone here is a volunteer developing the project in their free time. Being able to send yourself a PM isn't really a bug, the same way being able to send yourself an email isn't a bug.
If you feel there are many things wrong with MyBB, report them and a team member will review the issue. There's more to being on the team than being able to fix bugs, the team is a group of people who understand the project and its goals.