MyBB Community Forums
[Security] Is MyBB using "password_hash" on password system? - Printable Version




Is MyBB using "password_hash" on password system? - CoolSummer300 - 2017-11-04

Hi, I'm just curious about MyBB's security.

So that's why I'm asking whether MyBB is using "password_hash" in its password system.

Just need to know because I need to make my forums a safe place for visitors.

Thanks for any support!


RE: Is MyBB using "password_hash" on password system? - Robbie626 - 2017-11-04

Hi,

I am not sure if this 7-year-old thread would help, but you might find it useful.

https://community.mybb.com/thread-75972.html


RE: Is MyBB using "password_hash" on password system? - frostschutz - 2017-11-04

No, it's using a simple salted md5 hash. MyBB still supports PHP versions that do not have "password_hash" yet. (Could use "crypt", but...). As for MyBB's security, the hash only becomes really relevant when a) it's too late already [your forum hacked, your database stolen] and b) users didn't care about their security in the first place by using same passwords everywhere. No excuse to not change it for the sake of changing it, but it does not make your forum any more or less vulnerable.

If you get hacked, no matter how sophisticated your password hash is - users still have to change all their passwords.


RE: Is MyBB using "password_hash" on password system? - Brian. - 2017-11-04

No. Salted MD5 hash.


RE: Is MyBB using "password_hash" on password system? - Euan T - 2017-11-04

Also worth noting is that we recently made some changes to add hooks to allow plugins to more easily modify the core hashing methods. This has given rise to plugins such as Devilshakerz's DVZ Hash: https://github.com/dvz/mybb-dvzHash
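
An added example, not part of the thread and not MyBB or DVZ Hash code: the upgrade-on-login pattern a hashing plugin of the kind mentioned above can use to move accounts from salted MD5 to "password_hash" without forcing a reset. The function names, the user-record layout and the legacy formula md5(md5(salt) . md5(password)) are assumptions.

```php
<?php
// Added example; function names and the user-record layout are hypothetical.

// Assumed legacy scheme: md5(md5(salt) . md5(password)).
function legacy_hash(string $password, string $salt): string
{
    return md5(md5($salt) . md5($password));
}

// Verify a login against either format.
// Returns [bool $ok, ?string $newHash]; $newHash is set when the record should be rewritten.
function verify_and_upgrade(array $user, string $password): array
{
    $stored = $user['password'];

    // password_get_info() reports an algorithm only for password_hash() output.
    $info = password_get_info($stored);
    if (!empty($info['algo'])) {
        if (!password_verify($password, $stored)) {
            return [false, null];
        }
        // The default algorithm or cost may have changed since this hash was made.
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($password, PASSWORD_DEFAULT)
            : null;
        return [true, $new];
    }

    // Legacy record: compare in constant time, then upgrade while the
    // plaintext is available (the only moment a one-way hash can be replaced).
    if (!hash_equals($stored, legacy_hash($password, $user['salt']))) {
        return [false, null];
    }
    return [true, password_hash($password, PASSWORD_DEFAULT)];
}

// Constructed sample record in the legacy format.
$user = ['salt' => 'aB3dE6gH', 'password' => legacy_hash('correct horse', 'aB3dE6gH')];

[$ok, $upgraded] = verify_and_upgrade($user, 'correct horse');
if ($ok && $upgraded !== null) {
    $user['password'] = $upgraded; // a real system would persist this to the database
}
var_dump($ok, password_verify('correct horse', $user['password']));

[$rejected] = verify_and_upgrade($user, 'wrong guess');
var_dump($rejected);
```

Accounts that never log in again keep their legacy hash, so a migration of this kind still needs a plan for dormant records (for example, expiring them or wrapping the old hash).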