[For 1.8] Bcrypt Database Passwords

[kloddant]

I have created a plugin that will convert password hashing to bcrypt for you while still being backwards-compatible with the old md5 method.  It is still in the approval process, but here is where it will be after it gets approved: https://community.mybb.com/mods.php?action=view&pid=831.

A cautionary note: Once the passwords are hashed using Bcrypt, they cannot be unhashed obviously, so even though this plugin can be "turned off", its changes cannot be reversed unless you have a backup database. Use this at your own risk, especially since it is still in development and does not yet have a stable version.

[dragonexpert]

I have created a plugin that will convert password hashing to bcrypt for you while still being backwards-compatible with the old md5 method.  It is still in the approval process, but here is where it will be after it gets approved: https://community.mybb.com/mods.php?action=view&pid=831.

A cautionary note: Once the passwords are hashed using Bcrypt, they cannot be unhashed obviously, so even though this plugin can be "turned off", its changes cannot be reversed unless you have a backup database. Use this at your own risk, especially since it is still in development and does not yet have a stable version.

To mitigate the problem of not being able to go back, I suggest adding a field to the mybb_users table where you store the old password. If your plugin alters the value of the salt column, save that as well because it might be necessary.

[Devilshakerz]

I have created a plugin that will convert password hashing to bcrypt for you while still being backwards-compatible with the old md5 method.  It is still in the approval process, but here is where it will be after it gets approved: https://community.mybb.com/mods.php?action=view&pid=831.

A cautionary note: Once the passwords are hashed using Bcrypt, they cannot be unhashed obviously, so even though this plugin can be "turned off", its changes cannot be reversed unless you have a backup database. Use this at your own risk, especially since it is still in development and does not yet have a stable version.

To mitigate the problem of not being able to go back, I suggest adding a field to the mybb_users table where you store the old password.  If your plugin alters the value of the salt column, save that as well because it might be necessary.

Storing weaker hashes of passwords anywhere defeats the purpose of upgrading the algorithm.

As we'll be aiming at making the 1.8.x branch more stable, improving password hashing will likely be one of security-related changes in the upcoming versions. While it's been said many times that we won't be upgrading 1.8's core hashing scheme due to compatibility issues, I'll be working on core changes that will allow hooking into password generation and checking functions (receiving the full user row from the database, possibly containing information on e.g. the password algorithm used), so plugins would be able to take over the logic.

[kloddant]

To mitigate the problem of not being able to go back, I suggest adding a field to the mybb_users table where you store the old password.  If your plugin alters the value of the salt column, save that as well because it might be necessary.

I briefly considered that, but then I realized that that defeats the whole purpose of doing this, because if someone gets hold of the database and can't get the password from the bcrypt hash, then they can just get it from the old md5 backup. And sure, they might not be able to use that password to log into the site, because they might be different, but they can still use it to try to log into other accounts that that user has on the web or to try to guess at the password for the site based on the old password. The better solution in my mind is to just thoroughly vet this plugin and make sure it works correctly. If individual users want to back up their passwords, they are welcome to do so. In fact, they should be making routine database backups anyway.

---

Also, the plugin does not modify the value of the salt column. Php's password_hash function puts the salt in with the hash, so it is no longer necessary to keep it in a separate column.

---

@Devilshakerz: That is great to know! I'll update the plugin once those new changes are in place so that it will not have to modify the source code after that. Also, in case you or anyone else over there is checking this right now, I just made a minor change yesterday, so make sure to get the latest build.

[matthijs110]

How can I use this with version 1.8.8 ?

[Devilshakerz]

@Devilshakerz: That is great to know!  I'll update the plugin once those new changes are in place so that it will not have to modify the source code after that.  Also, in case you or anyone else over there is checking this right now, I just made a minor change yesterday, so make sure to get the latest build.

I've just submitted the proposed changes to the core - https://github.com/mybb/mybb/pull/2499 with https://github.com/Devilshakerz/mybb-dvzHash (PHP >= 7.0) compatible with those (both are subject to change). Once it's merged I'll start writing a detailed documentation for the plugin.

[hideme]

I installed the plugin mentioned by OP, now I still have the old hash and salt stored in the database. If there would be a database breach it would not help. Why is that, how do I get rid of it & convert everyone's password to bcrypt before removing those fields?

[kloddant]

I installed the plugin mentioned by OP, now I still have the old hash and salt stored in the database. If there would be a database breach it would not help. Why is that, how do I get rid of it & convert everyone's password to bcrypt before removing those fields?

Since everyone's passwords are hashed, you have no way of knowing what they are, so you cannot convert them. When I did this with my installation, I just installed the plugin and then stuck a post at the top of the Software Upgrade thread telling people that they could reset their passwords if they wanted to. Don't remove any fields - that will mess stuff up.

[Josh H.]

@above: Your other option is to bcrypt the md5 hashes and set a needs_upgrade value in the database (in another column) and if the password needs upgrade, make the next login verify by bcrypt(mybb_md5($password)) and if that matches up, then store bcrypt($password) and set needs_upgrade to false (0).

[hideme]

@above: Your other option is to bcrypt the md5 hashes and set a needs_upgrade value in the database (in another column) and if the password needs upgrade, make the next login verify by bcrypt(mybb_md5($password)) and if that matches up, then store bcrypt($password) and set needs_upgrade to false (0).

Are you able to make a tutorial for that? I am kinda new to all this stuff..