MyBB Community Forums

Full Version: What encryption does myBB use for passwords?
What encryption/hashing is myBB using for passwords stored in the DB?

What other security features are being used by myBB?


Edit:

Nvm, I checked the code myself and found this...
// MyBB 1.8: the value stored in the DB is md5(md5($salt) . $password),
// where $salt is the per-user salt kept alongside the hash
function salt_password($password, $salt)
{
	return md5(md5($salt).$password);
}

MD5 is super-outdated and deemed unsafe. Updating this to a more secure encryption should be prioritized!

MD5 and SHA-1 are emphatically poor choices for storing passwords. The problem is not their collision-resistance; it's that they're designed to be extremely fast. A modern GPU can attempt upwards of billions of passwords per second when brute-forcing through a list of hashes. This can shred through every possible eight-character alphanumeric password in at most a few days; that's with just one GPU.
(2018-09-05, 10:57 AM)W13 Wrote: What encryption/hashing is myBB using for passwords stored in the DB? [...]

This PLUGIN solves the problem of the password security.

Take a look at it.
Yes I know about the plugin, but are there any plans to make this natively a part of myBB?
Yes, 1.8 has long been "out of touch" with more modern practices and we are bringing out a 1.9 series followed by 1.10 with improvements and new features.
As passwords are hashed and not encrypted, there is no way to update a stored password without having said password in plain text (eg. upon successful login). The login mechanism will need to use both the old and new algorithms then update the stored password using the new algorithm.
(2018-09-05, 07:45 PM)laie_techie Wrote: As passwords are hashed and not encrypted, there is no way to update a stored password without having said password in plain text [...]

Yes, I understand. So, the sooner the better to ensure most people get protected.

(2018-09-05, 06:23 PM)Ben Wrote: Yes, 1.8 has long been "out of touch" with more modern practices [...]

Okay, so I'm gonna delay installing that mod. I'm not a big fan of mods that make drastic changes to the DB / core functions. I much prefer native adoption of such changes to ensure upgrading goes smoothly.
(2018-09-06, 06:07 AM)W13 Wrote: Okay, so I'm gonna delay installing that mod. [...]

That plugin that I suggested is working great on my website. 

I've had many users log in with ZERO problems. No one has complained about password issues.

I have the reassurance that all of my users' passwords are protected with the latest encryption available.

Honestly, I think it will take some time BEFORE MyBB software does catch up to the latest password encryption protocols, in the meantime, the plugin is created by an author ( @Devilshakerz ) who literally knows everything about the MyBB core stuff.
(2018-09-05, 07:45 PM)laie_techie Wrote: there is no way to update a stored password without having said password in plain text

You can daisy-chain the hashes. (The old hash becomes the plain-text password for the new hash.)

Doesn't make the code any prettier but it works fine.
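The two migration strategies discussed above (laie_techie's verify-with-both-algorithms-then-rehash-on-login, and the daisy-chain idea of feeding the old hash into the new one) as a single added worked example in PHP. This is example code written for this page, not MyBB's own code and not the plugin's. It assumes PHP 5.6 or later (password_hash()/password_verify() from 5.5, hash_equals() from 5.6); the row array layout, the 'format' marker and the function names other than the quoted salt_password() logic are assumptions made for the example.

```php
<?php
// Added example for this thread, not MyBB's or the plugin's code. Requires PHP >= 5.6
// (password_hash()/password_verify() from 5.5, hash_equals() from 5.6). The row array
// layout and the 'format' marker are assumptions made for the example.

// Legacy MyBB 1.8 scheme exactly as quoted earlier in the thread.
function legacy_salt_password($password, $salt)
{
    return md5(md5($salt) . $password);
}

// Strategy 2 ("daisy-chain"): upgrade a stored row without the plaintext by
// running bcrypt over the existing legacy hash. The inner md5 is hex, so it
// contains no NUL byte and is well under bcrypt's 72-byte input limit.
function wrap_legacy_hash(array $row)
{
    if ($row['format'] !== 'md5') {
        return $row; // nothing to do
    }
    return array(
        'salt'   => $row['salt'], // still needed to recompute the inner md5
        'hash'   => password_hash($row['hash'], PASSWORD_BCRYPT),
        'format' => 'bcrypt_over_md5',
    );
}

// Strategy 1 (rehash on login), able to verify all three formats.
// Returns null on a bad password, otherwise the row to write back: a successful
// login on any non-final format yields a direct bcrypt hash of the plaintext.
function verify_and_upgrade(array $row, $password)
{
    switch ($row['format']) {
        case 'md5':
            $candidate = legacy_salt_password($password, $row['salt']);
            $ok = hash_equals($row['hash'], $candidate); // constant-time compare
            break;
        case 'bcrypt_over_md5':
            $inner = legacy_salt_password($password, $row['salt']);
            $ok = password_verify($inner, $row['hash']);
            break;
        case 'bcrypt':
            $ok = password_verify($password, $row['hash']);
            break;
        default:
            $ok = false;
    }
    if (!$ok) {
        return null;
    }
    if ($row['format'] !== 'bcrypt' || password_needs_rehash($row['hash'], PASSWORD_BCRYPT)) {
        $row = array(
            'salt'   => null, // bcrypt carries its own salt inside the hash string
            'hash'   => password_hash($password, PASSWORD_BCRYPT),
            'format' => 'bcrypt',
        );
    }
    return $row;
}

// Constructed sample account in the legacy format.
$salt = 'xyz123';
$row  = array(
    'salt'   => $salt,
    'hash'   => legacy_salt_password('correct horse', $salt),
    'format' => 'md5',
);

// Eager path: wrap now, before the user ever logs in again.
$wrapped = wrap_legacy_hash($row);
echo "wrapped format: {$wrapped['format']}\n";
echo "wrong password rejected: " . (verify_and_upgrade($wrapped, 'wrong') === null ? 'yes' : 'no') . "\n";

// A correct login on the wrapped row replaces it with a plain bcrypt hash.
$upgraded = verify_and_upgrade($wrapped, 'correct horse');
echo "after login format: {$upgraded['format']}\n";
echo "plain bcrypt still verifies: " . (verify_and_upgrade($upgraded, 'correct horse') !== null ? 'yes' : 'no') . "\n";

// Lazy path: an unwrapped legacy row also upgrades on its first successful login.
$lazy = verify_and_upgrade($row, 'correct horse');
echo "lazy upgrade format: {$lazy['format']}\n";
```

The point of combining both strategies is that the wrap step protects every row in the table immediately (an attacker who dumps the DB faces bcrypt cost per guess, not MD5 speed), while the login path still needs the plaintext to shed the legacy inner hash and the stored salt. Two practical caveats: the per-user salt must be kept for wrapped rows or the inner md5 can never be recomputed, and the wrapped form must bcrypt the hex digest rather than raw md5 bytes, since bcrypt treats a NUL byte as end of input.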
We know that MD5 is bad, and we definitely want to stop using it. Unfortunately, the MyBB 1.8 series has a commitment to supporting PHP 5.2, which doesn't support any of the methods we'd be looking to move to (eg: BCrypt, or Argon). A future feature release will definitely update the algorithm, as well as improving the way that sessions work and we should see 2FA support for users as well as administrators.
(2018-09-06, 09:26 PM)Euan T Wrote: We know that MD5 is bad, and we definitely want to stop using it. [...]

if (version_compare(PHP_VERSION, '5.3.0', '<')) {
    // use md5
} else {
    // use proper encryption to keep the world safe
}