MyBB Community Forums

Full Version: MyBB's Password Format?
I've built my own user system, and wish to transfer over MyBB's user database.
However, it doesn't appear as though MyBB is using MD5, just to verify, however - is the password field MD5?
And if so, what exactly is the salt?
random salt is random

password is either md5(md5(password) + md5(salt)) or md5(md5(salt) + md5(password)), I forget
Oh, ok. I'm digging through source files and found it.
:/ My current login system is only md5..
Ok, anyhow - thanks!
Well if you transfer something TO mybb, you can also use just md5 and empty salt. MyBB will then salt it when the transferred user first logs in to MyBB. Probably as a measure to be backward compatible with old versions of MyBB that used unsalted md5.

It's not possible to get the unsalted password out of MyBB though (unless you change code or make a plugin to store the password this way).

Salting MD5 is a good idea in case a hacker ever gets hold of your database... makes it harder to revert to clear text passwords.
Yeah I guess so - I think I'll just salt my password now and use the current MyBB user database.
md5 is vulnerable. sha1 is the best alternative and what the US Government recommends :)
Don't bring the Government into real security discussions. Especially the US Gvmt. They have major FAILs throughout their history.
True. But I did my research first :p.
It may not be safe for Government use but I doubt it'll pose much risk for applications such as this.
MD5 isn't vulnerable. Only thing people have managed to do is create a massive set of rainbow tables that you can reference a hash against. Which is useful for basic strings like "Hello" and "Goodbye", but if a string is hashed and then hashed again, then hashed with a random string, that poor little original string won't be coming back. :)

EDIT: Oh, and those compiled rainbow tables only have like 0.000003% of possible hash values. So very little can be referenced.
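
Added example, not part of any post above and not MyBB's own code: one way to move rows out of a MyBB user table into a separate login system, by checking the old hash at login and replacing it with a slow, salted hash once the password is known. It assumes the salt-first ordering, md5(md5(salt) + md5(password)), so check that against a known row first; the row layout (`password`, `salt`, `scheme`), the function names, UTF-8 passwords and the PBKDF2 parameters are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: PBKDF2-SHA256 work factor, tune to your hardware

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def mybb_hash(password: str, salt: str) -> str:
    # Assumed ordering: md5(md5(salt) + md5(password)), hex strings concatenated.
    return md5_hex(md5_hex(salt) + md5_hex(password))

def verify_legacy(password: str, salt: str, stored: str) -> bool:
    # An empty salt means the row still holds plain md5(password), as the thread describes.
    candidate = mybb_hash(password, salt) if salt else md5_hex(password)
    return hmac.compare_digest(candidate, stored.lower())

def new_hash(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_new(password: str, encoded: str) -> bool:
    _, iters, salt_hex, dk_hex = encoded.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(user: dict, password: str) -> bool:
    """user is a hypothetical row dict; it is updated in place when upgraded."""
    if user["scheme"] == "pbkdf2":
        return verify_new(password, user["password"])
    if not verify_legacy(password, user["salt"], user["password"]):
        return False
    # Only now is the clear-text password available, so re-hash and drop the MD5 value.
    user.update(password=new_hash(password), salt="", scheme="pbkdf2")
    return True

if __name__ == "__main__":
    # Constructed sample row, not taken from any real database.
    row = {"password": mybb_hash("correct horse", "aB3dE9xZ"),
           "salt": "aB3dE9xZ", "scheme": "mybb"}
    print(login(row, "correct horse"), row["scheme"])
```

Rows for users who never log in again keep their MD5-based hash, so a migration like this usually pairs with a forced reset after a cutoff date.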