Hi,
I'm wanting to use a WordPress plugin (
http://wordpress.org/extend/plugins/exte...ntication/ ) to be able to connect to MyBB's database and authenticate, but I'm stuck.
How does MyBB do its password encryption? The plugin is asking for an encryption method.
Thanks.
What's the "salt"?
/encryptionnoob
Randomly generated characters.
/**
* Generates a random salt
*
* @return string The salt.
*/
function generate_salt()
{
return random_str(8);
}
/**
* Salts a password based on a supplied salt.
*
* @param string The md5()'ed password.
* @param string The salt.
* @return string The password hash.
*/
function salt_password($password, $salt)
{
return md5(md5($salt).$password);
}
$pass = $mybb->input['password'];
$md5pass = md5($pass);
$salt = generate_salt();
$salted_pass = salt_password($md5pass, $salt);
The value of $salted_pass is what you find in the database.
Why it seems unsafe? Salted password? You need to crack two MD5 hashes to reveal the password from which first unhashed string has 64 characters.
Rainbow tables won't be helpful here.
(2010-08-13, 04:14 PM)TheLifelessOne Wrote: [ -> ]That seems kinda unsafe.
Wouldn't SHA-1 be more secure?
No, they're basically the same since they're both optimized to be fast and both have been cracked already.
That's why you use a salt and md5 everything at the end
I think encrypting two encrypted strings would be pretty safe...
(2010-08-13, 04:20 PM)Pirata Nervo Wrote: [ -> ] (2010-08-13, 04:14 PM)TheLifelessOne Wrote: [ -> ]That seems kinda unsafe.
Wouldn't SHA-1 be more secure?
No, they're basically the same since they're both optimized to be fast and both have been cracked already.
That's why you use a salt and md5 everything at the end
SHA-1 is actually slower (on most systems), and it usually more secure.
(2010-08-13, 05:00 PM)DougSD Wrote: [ -> ]I think encrypting two encrypted strings would be pretty safe...
You should just implement a
one-time pad.
