05-03-2015, 03:53 PM
MyBB 1.8 is using MD5 for its password hashing algorithm, which is horribly insecure. Besides collisions residing in MD5 itself, MD* and SHA* were never meant to be used for passwords - they are built for speed, which is not what password hashing needs. Additionally, salting does not resolve this issue, it just makes rainbow table attacks harder.
PHP5.5 and above support password_hash, and it would not be difficult to add a fallback for older versions. password_hash uses bcrypt, which has a lot of advantages including being able to tune the number of iterations and it can not be bruteforced. Also, password_hash handles salting.
$salted_password = md5(md5($this->login_data['salt']).$password);
from https://github.com/mybb/mybb/blob/15c11a...n.php#L177PHP5.5 and above support password_hash, and it would not be difficult to add a fallback for older versions. password_hash uses bcrypt, which has a lot of advantages including being able to tune the number of iterations and it can not be bruteforced. Also, password_hash handles salting.