Hello!
So I'm trying to do some PHP and check my passwords in the DB. I use
this plugin to hash my passwords. I set it to workload 14, regular bcrypt. Now I'm wondering: the default MyBB formula is:
md5(md5(salt).md5(password))
But how does this plugin change that? What is the formula or how is the stored password made?
(2017-11-05, 10:32 PM)Euan T Wrote: [ -> ]See this file: https://github.com/dvz/mybb-dvzHash/blob...bcrypt.php
If you're using the default bcrypt hash option, then bcrypt is used (via the "password_hash()" function), with a cost of 14.
So if I understand correctly it does this?
// MyBB default hash: md5(md5(salt) . md5(password))
$plaintext = md5(md5($salt) . md5($password));
// bcrypt of that value with cost 14
$hash = password_hash($plaintext, PASSWORD_BCRYPT, [
    'cost' => 14,
]);
But this gives me the wrong hash. I'm really confused can you please help me?
A bcrypt output string also includes a salt and cost - password_hash() in this case will output different values since a different salt is generated each time.
A MyBB-bcrypt hashed password can be verified by generating the default hash using a plaintext value with salt (from the mybb_users.salt column) and verifying the end bcrypt hash using password_verify() by providing the hash generated previously as input (instead of a raw password).
DVZ Hash does the same here:
https://github.com/dvz/mybb-dvzHash/blob...hp#L22-L24
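The verification flow described in the answer above, written out as an added example (this is not DVZ Hash's own code and not taken from the linked file). It assumes what the thread states: the bcrypt input is MyBB's stock hash md5(md5(salt) . md5(password)), the cost is 14 as set on this forum, and the salt and stored hash would come from the mybb_users.salt and mybb_users.password columns. The sample salt and password are constructed for the demo; the function names are hypothetical.

```php
<?php
// Added example, not DVZ Hash's code. Assumes the bcrypt input is the stock
// MyBB hash (md5(md5(salt) . md5(password))) and a bcrypt cost of 14.

function mybb_default_hash(string $password, string $salt): string
{
    // MyBB's stock formula; 32 hex chars, well under bcrypt's 72-byte limit.
    return md5(md5($salt) . md5($password));
}

function mybb_bcrypt_hash(string $password, string $salt, int $cost = 14): string
{
    // password_hash() generates a fresh random bcrypt salt on every call and
    // embeds it (with the cost) in the returned string, so two calls with the
    // same input never produce the same string. Do not compare these with ===.
    return password_hash(mybb_default_hash($password, $salt), PASSWORD_BCRYPT, ['cost' => $cost]);
}

function mybb_bcrypt_verify(string $password, string $salt, string $stored): bool
{
    // password_verify() reads the salt and cost out of $stored, recomputes
    // bcrypt over the stock MyBB hash, and compares in constant time.
    return password_verify(mybb_default_hash($password, $salt), $stored);
}

// Constructed sample data; in real use both values come from mybb_users.
$salt   = 'abcdefgh';                                // mybb_users.salt
$stored = mybb_bcrypt_hash('correct horse', $salt);  // mybb_users.password

var_dump(mybb_bcrypt_verify('correct horse', $salt, $stored));   // right password
var_dump(mybb_bcrypt_verify('wrong password', $salt, $stored));  // wrong password
// Regenerating the hash and comparing strings fails even for the right
// password, because the embedded bcrypt salt is different each time:
var_dump(mybb_bcrypt_hash('correct horse', $salt) === $stored);
```

The first var_dump is the only one that reports success; the string comparison at the end is exactly the mistake the question above runs into. Cost 14 makes each password_hash() and password_verify() call take on the order of a second on typical hardware, so run this once, not in a loop.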
(2017-11-06, 12:16 AM)Devilshakerz Wrote: [ -> ]A bcrypt output string also includes a salt and cost - password_hash() in this case will output different values since a different salt is generated each time.
A MyBB-bcrypt hashed password can be verified by generating the default hash using a plaintext value with salt (from the mybb_users.salt column) and verifying the end bcrypt hash using password_verify() by providing the hash generated previously as input (instead of a raw password).
DVZ Hash does the same here: https://github.com/dvz/mybb-dvzHash/blob...hp#L22-L24
So does it do password_verify(md5(salt).md5(password)) or password_verify(salt.password)?