MyBB Community Forums
MyBB's Password Encryption Method? - Printable Version



MyBB's Password Encryption Method? - Spencer - 2010-08-13

Hi,

I'm wanting to use a WordPress plugin ( http://wordpress.org/extend/plugins/external-database-authentication/ ) to be able to connect to MyBB's database and authenticate, but I'm stuck.

How does MyBB do its password encryption? The plugin is asking for an encryption method.

Thanks.


RE: MyBB's Password Encryption Method? - KuJoe - 2010-08-13

(2010-06-18, 09:34 PM)MattRogowski Wrote: $stored_pass = md5(md5($salt).md5($plain_pass));

Wink


RE: MyBB's Password Encryption Method? - CAwesome - 2010-08-13

What's the "salt"?

/encryptionnoob


RE: MyBB's Password Encryption Method? - KuJoe - 2010-08-13

Randomly generated characters.


RE: MyBB's Password Encryption Method? - Diogo Parrinha - 2010-08-13

/**
 * Generates a random salt
 *
 * @return string The salt.
 */
function generate_salt()
{
	return random_str(8);
}

/**
 * Salts a password based on a supplied salt.
 *
 * @param string The md5()'ed password.
 * @param string The salt.
 * @return string The password hash.
 */
function salt_password($password, $salt)
{
	return md5(md5($salt).$password);
}

$pass = $mybb->input['password'];

$md5pass = md5($pass);
$salt = generate_salt();

$salted_pass = salt_password($md5pass, $salt);

The value of $salted_pass is what you find in the database.
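
The check an external application would run against the scheme quoted above, as an added example that is not part of the original posts and is not MyBB or plugin code. The `salt` and `password` array keys, the function names and the sample row are assumptions made for illustration. It goes one step beyond the thread by re-hashing with PHP's `password_hash()` after a successful login, since MD5 is built to be fast:

```php
<?php
// Added example (not MyBB's or the WordPress plugin's code).
// Assumption: $row holds the user's stored 'salt' and 'password' values.

/** Recompute the hash as described in the thread: md5(md5(salt) . md5(plain)). */
function mybb_legacy_hash(string $plain, string $salt): string
{
    return md5(md5($salt) . md5($plain));
}

/** Compare a login attempt with the stored hash in constant time. */
function mybb_legacy_verify(string $plain, string $salt, string $stored): bool
{
    // hash_equals() avoids leaking how many leading characters matched.
    return hash_equals($stored, mybb_legacy_hash($plain, $salt));
}

/**
 * Verify against the legacy value; on success return a slow, salted hash
 * (bcrypt by default) that the external application can store for its own
 * future logins. Returns null when the password does not match.
 */
function verify_and_upgrade(string $plain, array $row): ?string
{
    if (!mybb_legacy_verify($plain, $row['salt'], $row['password'])) {
        return null;
    }
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Constructed sample row: an 8-character salt, as generate_salt() produces.
$salt = 'aB3dE6gH';
$row  = ['salt' => $salt, 'password' => mybb_legacy_hash('correct horse', $salt)];

// A wrong guess fails the legacy check.
var_dump(mybb_legacy_verify('wrong guess', $row['salt'], $row['password']));

// The right password passes and yields a hash that password_verify() accepts.
$upgraded = verify_and_upgrade('correct horse', $row);
var_dump($upgraded !== null && password_verify('correct horse', $upgraded));
```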


RE: MyBB's Password Encryption Method? - TheLifelessOne - 2010-08-13

That seems kinda unsafe.
Wouldn't SHA-1 be more secure?

Edit: Also, http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html


RE: MyBB's Password Encryption Method? - marines - 2010-08-13

Why does it seem unsafe? Salted password? You need to crack two MD5 hashes to reveal the password, of which the first unhashed string has 64 characters. Big Grin Rainbow tables won't be helpful here.


RE: MyBB's Password Encryption Method? - Diogo Parrinha - 2010-08-13

(2010-08-13, 04:14 PM)TheLifelessOne Wrote: That seems kinda unsafe.
Wouldn't SHA-1 be more secure?

No, they're basically the same since they're both optimized to be fast and both have been cracked already.
That's why you use a salt and md5 everything at the end.


RE: MyBB's Password Encryption Method? - DougSD - 2010-08-13

I think encrypting two encrypted strings would be pretty safe... Wink


RE: MyBB's Password Encryption Method? - TheLifelessOne - 2010-08-13

(2010-08-13, 04:20 PM)Pirata Nervo Wrote:
(2010-08-13, 04:14 PM)TheLifelessOne Wrote: That seems kinda unsafe.
Wouldn't SHA-1 be more secure?

No, they're basically the same since they're both optimized to be fast and both have been cracked already.
That's why you use a salt and md5 everything at the end.

SHA-1 is actually slower (on most systems), and it's usually more secure.

(2010-08-13, 05:00 PM)DougSD Wrote: I think encrypting two encrypted strings would be pretty safe... Wink

You should just implement a one-time pad. Toungue