MyBB Community Forums

Full Version: The way passwords are encoded in the database
Hello, I chose to use your script to make my community's forum.

As we all know, no script is hacker proof, and some people always find ways to get access to the database, and then to the MD5 version of passwords, and there are thousands of tools able to crack them.

So, I decided to modify, for my personal use, the parts of the script dealing with the way passwords are encrypted, to smoke hackers.

But I don't understand anything in this version ???

I remember that I could easily change it in your old RC version of the script, but now it seems you're using that thing called 'salt' associated with MD5...

I don't know anything about this, so I'm unable to do the modifications.

I don't doubt that this "salt" thing makes the data more secure, but it's still a problem for me, as all the MYBB forums on the net are using the same process to encrypt passwords...

I prefer something that's TOTALLY personal.

So my question is, how could I modify the code to get passwords encrypted in simple md5, and get rid of this "salt" thing, to start with something I'm able to understand and to use.

Thanks.

PS: Congratulations on the new style you're using, it's way more professional and better looking than before.
The salt makes the password storage far more secure. We will not modify the code to get rid of the salt again and I would not suggest you modify the code, either. Here's basically what the salt does:

When a user signs up, a random string is generated by a function in MyBB. This string is never shown to anyone and resides in a separate column in the DB. The password hash of the user in the database is the md5() of the md5() of the user's password + the md5() of the user's salt. Here's how that would look: md5(md5($salt).$password);.

The idea behind this is that the user's password becomes fortified, so to say. When a user chooses a password such as "dog", it's very easy for a dictionary attack to get access to the system. However, because "dog" (the md5() of it) is mixed with a random string (which is already md5()'ed) and then md5()'ed, the attack will not be able to get access to the system.

I hope I explained this clearly enough, but if you still do not understand it, just tell me.
Quote: I don't doubt that this "salt" thing makes the data more secure, but it's still a problem for me, as all the MYBB forums on the net are using the same process to encrypt passwords...

Whilst that may be the case, if you register on Forum A with the password 'dog' and then on Forum B with the password 'dog' (assuming they are both MyBB!), those sites will both store the password in a completely different format because the randomly generated salts will be different on each forum.

Basically the idea is used for a few reasons:
- You register on a forum, the Administrator is a bit dodgy in the fact that he takes your password and manually sets a cookie for some other forums you are registered on. It will not work, because the key and salted passwords are different.
- Even if a member does manage to obtain the value of the 'password' column, it is as good as useless for any other site, and is of no real use to try and bruteforce either to obtain a plain text password, because you're dealing with two strings md5'd and then md5'd together.
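The scheme described in the two replies above, as an added example that is not part of the original posts and is not MyBB's own code. The function names, salt length and sample data are assumptions made for illustration; the formula follows the prose description (md5 of the password combined with the md5 of the salt, then md5'd again).

```php
<?php
// Added illustration; function names are hypothetical, not MyBB's own.

// Random per-user salt, stored in its own column next to the hash.
function example_generate_salt(int $bytes = 4): string
{
    return bin2hex(random_bytes($bytes)); // 4 bytes -> 8 hex characters
}

// The scheme as described in the thread: md5(md5($salt) . md5($password)).
function example_salted_hash(string $password, string $salt): string
{
    return md5(md5($salt) . md5($password));
}

// Login check: recompute with the stored salt, compare in constant time.
function example_verify(string $password, string $salt, string $stored): bool
{
    return hash_equals($stored, example_salted_hash($password, $salt));
}

// Constructed sample data: the same user picks "dog" on two forums.
$password = 'dog';
$forumA = ['salt' => example_generate_salt()];
$forumB = ['salt' => example_generate_salt()];
$forumA['hash'] = example_salted_hash($password, $forumA['salt']);
$forumB['hash'] = example_salted_hash($password, $forumB['salt']);

// Plain md5 stores the same value for every "dog" user on every site,
// so a table of precomputed md5 values resolves it in a single lookup.
$precomputed = [md5('dog') => 'dog', md5('cat') => 'cat'];

$yesNo = fn(bool $b): string => $b ? 'yes' : 'no';
printf("plain md5 found in table:    %s\n", $yesNo(isset($precomputed[md5($password)])));
printf("forum A hash found in table: %s\n", $yesNo(isset($precomputed[$forumA['hash']])));
printf("forum A and B hashes equal:  %s\n", $yesNo($forumA['hash'] === $forumB['hash']));
printf("login with 'dog' on A:       %s\n", $yesNo(example_verify('dog', $forumA['salt'], $forumA['hash'])));
printf("login with 'cat' on A:       %s\n", $yesNo(example_verify('cat', $forumA['salt'], $forumA['hash'])));
```

The salt changes what is stored for each user and each forum; it does not change how long a single md5 computation takes, which is what the later posts about brute forcing are concerned with.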
One thing I would like to see in the future is the password md5 hashed 2 times.
Why not 3?
Tikitiki, basically it is hashed two times:

md5(md5("my password").md5("salt")).

That is how it is encrypted in the DB.
Ah, that's very interesting. I wonder how the concept of md5() works.

edit. Dennis, why not 10, or 20, or 50? LOL
>>>
that's very interesting. I wonder how the concept of md5() works.
<<<

Basically, all that I know about it is that this is an algorithm that converts a value to another one, coded on 32 bits, and hexadecimal.
But the process *theoretically* can't be reverted, no algorithm can be used to convert an md5 string to the "source".
But the md5 concept ain't that sure, some programs can "bruteforce" a password, by generating random passwords, converting them into md5, and trying to match it with the md5 it's trying to crack.

The prog generates a random password : a1a1a1
It converts it into md5 : 123456789abcde....
It compares it to the md5 it's trying to crack ( does 123456789abcde.... = md5 ? ).
Etc...

So, the bruteforcing prog needs to try thousands, billions of passwords.
But processors are getting more and more powerful, and stuff... So, a computer can now bruteforce a password in, for example, 5 hours, when it took days and days in 1997...

That's why md5 is becoming insecure.
Aren't all passwords vulnerable to brute-force attacks?
There are more secure methods, like sha1(), but even those are getting reports of being able to be bruteforced pretty quickly. (Even though sha1 hashes have MANY MANY more combinations.)