MyBB Community Forums

Full Version: Password Encryption from MD5 to SHA1
Heya!

I would like to modify the code to change password encryption from the md5 function to the much more secure sha1. Could you tell me what files deal with the encryption and decryption of passwords, so I can change them accordingly?

Thanks.
I guess you could go through each file and mass replace
md5(
with
sha1(
I suppose an encryption setting could be implemented in MyBB to switch between
md5();
to
sha1();
in a later version. It's up to Chris.
We will not be changing to SHA1 because contrary to belief it is not as widely supported and for some reason I've noticed that it's calculating different hashes for the same values under the same circumstances (different server environments) - and don't ask me how.

MD5 is secure enough and the password encryption in PR2 makes it near impossible for you to get someone's password considering several values are hashed into the one.
Heya!

I've searched through the files, and found that not all md5 functions are related to user password encryption. Some are just used to create a unique ID or for forum passwords. I decided I only wanted to change user password encryption, and leave all the other md5's alone. This was especially required in some files in admin/, since some debug values were hashed with md5 and compared to hard-coded strings. I didn't want to break that.

For those that are interested, if you want to change user password encryption from md5 to sha1, you should change the following:

In the file usercp.php:

Find:
$logindetails = update_password($mybb->user['uid'], md5($mybb->input['password']), $mybb->user['salt']);
Change to:
$logindetails = update_password($mybb->user['uid'], sha1($mybb->input['password']), $mybb->user['salt']);

In the file member.php:

Find:
$md5password = md5($password);
Change to:
$sha1password = sha1($password);

Find:
$md5password = md5($mybb->input['password']);
Change to:
$sha1password = sha1($mybb->input['password']);

Find:
$saltedpw = salt_password($md5password, $salt);
Change to:
$saltedpw = salt_password($sha1password, $salt);

Find:
$logindetails = update_password($user['uid'], md5($password), $user['salt']);
Change to:
$logindetails = update_password($user['uid'], sha1($password), $user['salt']);

In the file inc/class_sdk.php:

Find:
$query = $this->db->query("SELECT password FROM ".TABLE_PREFIX."users WHERE $uquery AND password='".md5($password)."'");
Change to:
$query = $this->db->query("SELECT password FROM ".TABLE_PREFIX."users WHERE $uquery AND password='".sha1($password)."'");

In the file inc/functions_user.php:

Find:
// Generate a salt for this user and assume the password stored in db is a plain md5 password
Change to:
// Generate a salt for this user and assume the password stored in db is a plain sha1 password

Find:
if(salt_password(md5($password), $user['salt']) == $user['password'])
Change to:
if(salt_password(sha1($password), $user['salt']) == $user['password'])

Find:
// Used to update a password for particular user id in the database (expects password to be md5'd once)
Change to:
// Used to update a password for particular user id in the database (expects password to be sha1'd once)

Find:
// Salt's $password based on $salt (expects $password to be md5'd once)
Change to:
// Salt's $password based on $salt (expects $password to be sha1'd once)

Find:
return md5(md5($salt).$password);
Change to:
return sha1(sha1($salt).$password);

In the file admin/global.php:

Find:
$md5pw = md5($mybb->input['password']);
Change to:
$sha1pw = sha1($mybb->input['password']);

Find:
$lang->invalidlogin_message = sprintf($lang->invalidlogin_message, $mybb->settings['bbname'], $mybb->input['username'], $mybb->input['password'], $md5pw, $ipaddress, $iphost);
Change to:
$lang->invalidlogin_message = sprintf($lang->invalidlogin_message, $mybb->settings['bbname'], $mybb->input['username'], $mybb->input['password'], $sha1pw, $ipaddress, $iphost);

In the file admin/users.php:

Find:
$md5password = md5($mybb->input['newpassword']);
Change to:
$sha1password = sha1($mybb->input['newpassword']);

Find:
$md5password = salt_password($md5password, $salt);
Change to:
$sha1password = salt_password($sha1password, $salt);

Find:
"password" => $md5password,
Change to:
"password" => $sha1password,

Find:
update_password($user['uid'], md5($mybb->input['newpassword']), $user['salt']);
Change to:
update_password($user['uid'], sha1($mybb->input['newpassword']), $user['salt']);

As you can see in the above modifications, I've also changed variable names and comments for consistency's sake.

Once the above is changed, a user should log out and use the "I forgot my password" feature to have MyBB generate a new sha1 password in the database. After he has logged in with his newly generated random password, he can change it back to his old one in the user panel and all will be fine.
Chris Boulton Wrote: We will not be changing to SHA1 because contrary to belief it is not as widely supported and for some reason I've noticed that it's calculating different hashes for the same values under the same circumstances (different server environments) - and don't ask me how.
It's supported from PHP 4.3.0 and up. And, like md5, it cannot create different hashes for the same value. This is impossible.

Chris Boulton Wrote: MD5 is secure enough and the password encryption in PR2 makes it near impossible for you to get someone's password considering several values are hashed into the one.
The entire salt thing and several values into one hash isn't more secure because once a hacker has access to the password hashes, he also has access to the salts, which are stored right next to it. If he wants to know how the hashes are built and mixed with the salts, all he does is download a copy of MyBB and check out the code. Salting is only more secure if the salt and mix method are undisclosed. If a hacker knows the mix-method and the salt, he can write a wrapper function and still launch easy brute force attacks involving searches for dictionary words.

md5, especially when a hacker has access to rainbow tables, can be cracked within days. Sha1 has not been cracked yet, and rainbow tables aren't available for it yet. Therefore, sha1 is way more secure than md5.

MyBB is the best board nonetheless, and I can easily make the modifications myself. :)
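
The modification above leaves every existing account with an md5-based hash, which is why a password reset is needed. As an added example (not MyBB code and not part of the original posts), the sketch below keeps both salt_password() constructions quoted in the thread and upgrades an account at its next successful login instead. The function names and the sample salt are hypothetical, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
// Added example, not MyBB code. Function names are hypothetical; the two
// constructions are the "Find" / "Change to" forms of salt_password() above.

// Original scheme: md5(md5($salt) . md5($plain)) -> 32 hex characters.
function legacy_md5_hash($plain, $salt)
{
    return md5(md5($salt) . md5($plain));
}

// Modified scheme: sha1(sha1($salt) . sha1($plain)) -> 40 hex characters.
function modified_sha1_hash($plain, $salt)
{
    return sha1(sha1($salt) . sha1($plain));
}

// Check a login against whichever scheme produced the stored hash.
// Returns array($ok, $upgraded): $upgraded is non-null only when a legacy
// hash verified, and is the value the caller should write back to the row.
function verify_and_upgrade($plain, $salt, $stored)
{
    if (!ctype_xdigit($stored)) {
        return array(false, null);          // empty or not a hex digest
    }
    switch (strlen($stored)) {
        case 32:                            // legacy md5-based row
            $ok = hash_equals($stored, legacy_md5_hash($plain, $salt));
            return array($ok, $ok ? modified_sha1_hash($plain, $salt) : null);
        case 40:                            // already converted
            $ok = hash_equals($stored, modified_sha1_hash($plain, $salt));
            return array($ok, null);
        default:                            // unknown format: reject
            return array(false, null);
    }
}

// Constructed sample row: an account created before the change.
$salt   = 'aB3dE9xZ';
$stored = legacy_md5_hash('correct horse', $salt);

// Correct password on a legacy row: verifies and yields a 40-char upgrade.
list($ok, $upgraded) = verify_and_upgrade('correct horse', $salt, $stored);
var_dump($ok, strlen($upgraded));

// Wrong password: rejected, nothing to write back.
var_dump(verify_and_upgrade('wrong guess', $salt, $stored));

// Same account after the upgrade was stored: verifies, no further change.
var_dump(verify_and_upgrade('correct horse', $salt, $upgraded));
```

The stored hash length is what distinguishes the two schemes here, so no extra database column is needed for this pair of algorithms.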
What are rainbow tables???