Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Not Solved [How To?] What encryption does myBB use for passwords?
#1
Not Solved
What encryption/hashing is myBB using for passwords stored in the DB?

What other security features are being used by myBB?


Edit:

Nvm, I checked the code myself and found this...
function salt_password($password, $salt)
{
	return md5(md5($salt).$password);
}

MD5 is super-outdated and deemed unsafe. Updating this to a more secure encryption should be prioritized!

MD5 and SHA-1 are emphatically poor choices for storing passwords. The problem is not their collision-resistance; it's that they're designed to be extremely fast. A modern GPU can attempt upwards of billions of passwords per second when brute-forcing through a list of hashes. This can shred through every possible eight-character alphanumeric password in at most a few days; that's with just one GPU.
Reply
#2
Not Solved
(09-05-2018, 10:57 AM)W13 Wrote: What encryption/hashing is myBB using for passwords stored in the DB?

What other security features are being used by myBB?


Edit:

Nvm, I checked the code myself and found this...
function salt_password($password, $salt)
{
	return md5(md5($salt).$password);
}

MD5 is super-outdated and deemed unsafe. Updating this to a more secure encryption should be prioritized!

MD5 and SHA-1 are emphatically poor choices for storing passwords. The problem is not their collision-resistance; it's that they're designed to be extremely fast. A modern GPU can attempt upwards of billions of passwords per second when brute-forcing through a list of hashes. This can shred through every possible eight-character alphanumeric password in at most a few days; that's with just one GPU.

This PLUGIN solves the problem of the password security.

Take a look at it.
I'm Serpius and You're Not    ¯\_(ツ)_/¯
[Image: y3xr3cj5]
Reply
#3
Not Solved
Yes I know about the plugin, but are there any plans to make this natively a part of myBB?
Reply
#4
Not Solved
Yes, 1.8 has long been "out of touch" with more modern practices and we are bringing out a 1.9 series followed by 1.10 with improvements and new features.
-Ben

Please do not PM me for support. I am looking to be hired for paid services.

You can view my paid services here.
Reply
#5
Not Solved
As passwords are hashed and not encrypted, there is no way to update a stored password without having said password in plain text (eg. upon successful login). The login mechanism will need to use both the old and new algorithms then update the stored password using the new algorithm.
Reply
#6
Not Solved
(09-05-2018, 07:45 PM)laie_techie Wrote: As passwords are hashed and not encrypted, there is no way to update a stored password without having said password in plain text (eg. upon successful login). The login mechanism will need to use both the old and new algorithms then update the stored password using the new algorithm.

Yes, I understand. So, the sooner the better to ensure most people get protected.

(09-05-2018, 06:23 PM)Ben Wrote: Yes, 1.8 has long been "out of touch" with more modern practices and we are bringing out a 1.9 series followed by 1.10 with improvements and new features.

Okay, so I'm gonna delay installing that mod. I'm not a big fan of mods that make drastic changes to the DB / core functions. I much prefer native adoption of such changes to ensure upgrading goes smoothly.
Reply
#7
Not Solved
(09-06-2018, 06:07 AM)W13 Wrote:
(09-05-2018, 07:45 PM)laie_techie Wrote: As passwords are hashed and not encrypted, there is no way to update a stored password without having said password in plain text (eg. upon successful login). The login mechanism will need to use both the old and new algorithms then update the stored password using the new algorithm.

Yes, I understand. So, the sooner the better to ensure most people get protected.

(09-05-2018, 06:23 PM)Ben Wrote: Yes, 1.8 has long been "out of touch" with more modern practices and we are bringing out a 1.9 series followed by 1.10 with improvements and new features.

Okay, so I'm gonna delay installing that mod. I'm not a big fan of mods that make drastic changes to the DB / core functions. I much prefer native adoption of such changes to ensure upgrading goes smoothly.

That plugin that I suggested is working great on my website. 

I've had many users log in with ZERO problems. No one has complained about password issues.

I have the reassurance that all of my user's passwords are protected with the latest encryption available. 

Honestly, I think it will take some time BEFORE MyBB software does catch up to the latest password encryption protocols, in the meantime, the plugin is created by an author ( @Devilshakerz ) who literally knows everything about the MyBB core stuff.
I'm Serpius and You're Not    ¯\_(ツ)_/¯
[Image: y3xr3cj5]
Reply
#8
Not Solved
This user has been denied support. This user has been denied support.
(09-05-2018, 07:45 PM)laie_techie Wrote: there is no way to update a stored password without having said password in plain text

You can daisy-chain the hashes. (The old hash becomes the plain-text password for the new hash.)

Doesn't make the code any prettier but it works fine.
Reply
#9
Not Solved
We know that MD5 is bad, and we definitely want to stop using it. Unfortunately, the MyBB 1.8 series has a commitment to supporting PHP 5.2, which doesn't support any of the methods we'd be looking to move to (eg: BCrypt, or Argon). A future feature release will definitely update the algorithm, as well as improving the way that sessions work and we should see 2FA support for users as well as administrators.
Reply
#10
Not Solved
(09-06-2018, 09:26 PM)Euan T Wrote: We know that MD5 is bad, and we definitely want to stop using it. Unfortunately, the MyBB 1.8 series has a commitment to supporting PHP 5.2, which doesn't support any of the methods we'd be looking to move to (eg: BCrypt, or Argon). A future feature release will definitely update the algorithm, as well as improving the way that sessions work and we should see 2FA support for users as well as administrators.

if (PHP < 5.3) {
 use md5
}else{
 use proper encryption to keep the world safe
}
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)