MyBB's Password Encryption Method?
#17
(2010-08-13, 04:14 PM)TheLifelessOne Wrote: That seems kinda unsafe.
Wouldn't SHA-1 be more secure?

Edit: Also, http://chargen.matasano.com/chargen/2007...out-s.html

No, it's totally safe. If it was just a simple md5($password) by itself, THAT would be unsafe since reverse-md5 rainbow tables are common these days and easy to generate.

However we couple it with much better entropy (a statistically secure random salt) which makes it essentially impossible to reverse-md5 using rainbow tables. Even if you had the database itself, you would have to brute force every single password in the table because it uses a unique salt for each one. There is no performance speedup you could do.

Even then, if you didn't have a copy of the db, you would need to brute force it from the web interface. This is very very slow because of latency and a firewall or someone would notice the brute force attack and stop it. It would take hundreds or thousands of years to brute force.
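
The per-user salt point made in the post above, as an added example that is not part of the original post and is not MyBB's own code. It assumes the scheme md5(md5(salt) . md5(password)); the function names, wordlist and accounts are constructed for illustration.

```python
import hashlib
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: str) -> str:
    # Assumed scheme for this example: md5(md5(salt) . md5(password))
    return md5_hex(md5_hex(salt) + md5_hex(password))

def new_salt(length: int = 8) -> str:
    # Random per-user salt from the OS CSPRNG (hypothetical helper)
    return secrets.token_urlsafe(length)[:length]

# Constructed sample data: two accounts share a password
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "dragon"}

def build_table(words):
    """Precompute hash -> password once; stands in for a rainbow table."""
    return {md5_hex(w): w for w in words}

def table_hits(stored, table):
    """Number of stored hashes that a plain table lookup resolves."""
    return sum(1 for h in stored.values() if h in table)

def audit():
    table = build_table(WORDLIST)
    unsalted = {u: md5_hex(p) for u, p in USERS.items()}
    salts = {u: new_salt() for u in USERS}
    salted = {u: salted_hash(p, salts[u]) for u, p in USERS.items()}
    return {
        # md5($password): one table resolves every account at once
        "unsalted_hits": table_hits(unsalted, table),
        # salted: the same table matches nothing
        "salted_hits": table_hits(salted, table),
        # identical passwords are visible as identical unsalted hashes
        "unsalted_distinct": len(set(unsalted.values())),
        "salted_distinct": len(set(salted.values())),
        # work is no longer shared: every account needs its own pass
        "candidates_table_once": len(WORDLIST),
        "candidates_per_user_salted": len(USERS) * len(WORDLIST),
    }

if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The salt removes the shared precomputation; the cost of checking one candidate against one account is still only a few MD5 calls.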


Messages In This Thread
MyBB's Password Encryption Method? - by Spencer - 2010-08-13, 04:40 AM
RE: MyBB's Password Encryption Method? - by KuJoe - 2010-08-13, 04:51 AM
RE: MyBB's Password Encryption Method? - by KuJoe - 2010-08-13, 05:25 AM
RE: MyBB's Password Encryption Method? - by Ryan Gordon - 2010-08-13, 05:46 PM
