MyBB Community Forums Community General Discussion Web Development and Administration v
MyBB's Password Encryption Method?

Thread Closed 
Threaded Mode
MyBB's Password Encryption Method?
Spencer Away

Former Staff
Posts: 909
Threads: 89
Joined: Oct 2009
Reputation: 24
#1
Question  2010-08-13, 04:40 AM (This post was last modified: 2010-08-13, 04:48 AM by Spencer.)
Hi,

I'm wanting to use a WordPress plugin ( http://wordpress.org/extend/plugins/exte...ntication/ ) to be able to connect to MyBB's database and authenticate, but I'm stuck.

How does MyBB do its password encryption? The plugin is asking for an encryption method.

Thanks.
[Image: igG319dTu71gT.png]
Find
KuJoe Offline
Posts: 3,761
Threads: 208
Joined: Mar 2007
Reputation: 37
#2
2010-08-13, 04:51 AM
(2010-06-18, 09:34 PM)MattRogowski Wrote: $stored_pass = md5(md5($salt).md5($plain_pass));

Wink
-Joe
AFreeCloud - Free Cloud-Based Web Hosting!
Website Find
CAwesome Offline
Posts: 1,622
Threads: 106
Joined: Oct 2009
Reputation: 41
#3
2010-08-13, 05:18 AM
What's the "salt"?

/encryptionnoob
Find
KuJoe Offline
Posts: 3,761
Threads: 208
Joined: Mar 2007
Reputation: 37
#4
2010-08-13, 05:25 AM
Randomly generated characters.
-Joe
AFreeCloud - Free Cloud-Based Web Hosting!
Website Find
Diogo Parrinha Offline

Former Staff
Posts: 6,835
Threads: 303
Joined: Jun 2007
Reputation: 94
#5
2010-08-13, 10:16 AM 
/**
 * Generates a random salt
 *
 * @return string The salt.
 */
function generate_salt()
{
	return random_str(8);
}

/**
 * Salts a password based on a supplied salt.
 *
 * @param string The md5()'ed password.
 * @param string The salt.
 * @return string The password hash.
 */
function salt_password($password, $salt)
{
	return md5(md5($salt).$password);
}

$pass = $mybb->input['password'];

$md5pass = md5($pass);
$salt = generate_salt();

$salted_pass = salt_password($md5pass, $salt);

The value of $salted_pass is what you find in the database.
All my plugins are available for free at MyBB Extend and on my GitHub. MyBB-Plugins.com has been closed and none of my plugins are officially maintained or supported.
Website Find
TheLifelessOne Offline
Posts: 317
Threads: 26
Joined: Dec 2009
Reputation: 2
#6
2010-08-13, 04:14 PM (This post was last modified: 2010-08-13, 04:16 PM by TheLifelessOne.)
That seems kinda unsafe.
Wouldn't SHA-1 be more secure?

Edit: Also, http://chargen.matasano.com/chargen/2007...out-s.html
Website Find
marines Offline
Posts: 145
Threads: 8
Joined: Jul 2007
Reputation: 7
#7
2010-08-13, 04:18 PM (This post was last modified: 2010-08-13, 04:19 PM by marines.)
Why it seems unsafe? Salted password? You need to crack two MD5 hashes to reveal the password from which first unhashed string has 64 characters. Big Grin Rainbow tables won't be helpful here.
Marines Blog - my techblog
Polish MyBB Support
Website Find
Diogo Parrinha Offline

Former Staff
Posts: 6,835
Threads: 303
Joined: Jun 2007
Reputation: 94
#8
2010-08-13, 04:20 PM
(2010-08-13, 04:14 PM)TheLifelessOne Wrote: That seems kinda unsafe.
Wouldn't SHA-1 be more secure?

No, they're basically the same since they're both optimized to be fast and both have been cracked already.
That's why you use a salt and md5 everything at the end
All my plugins are available for free at MyBB Extend and on my GitHub. MyBB-Plugins.com has been closed and none of my plugins are officially maintained or supported.
Website Find
DougSD Away

Former Staff
Posts: 805
Threads: 52
Joined: Mar 2008
Reputation: 0
#9
2010-08-13, 05:00 PM
I think encrypting two encrypted strings would be pretty safe... Wink
-Doug
1scream Founder
Former MyBB Developer & SQA Member
My Twitter
Website Find
TheLifelessOne Offline
Posts: 317
Threads: 26
Joined: Dec 2009
Reputation: 2
#10
2010-08-13, 05:10 PM
(2010-08-13, 04:20 PM)Pirata Nervo Wrote:
(2010-08-13, 04:14 PM)TheLifelessOne Wrote: That seems kinda unsafe.
Wouldn't SHA-1 be more secure?

No, they're basically the same since they're both optimized to be fast and both have been cracked already.
That's why you use a salt and md5 everything at the end

SHA-1 is actually slower (on most systems), and it usually more secure.

(2010-08-13, 05:00 PM)DougSD Wrote: I think encrypting two encrypted strings would be pretty safe... Wink

You should just implement a one-time pad. Toungue

Website Find
Thread Closed 


Forum Jump:


Users browsing this thread: 1 Guest(s)