MyBB Community Forums Extensions Plugins Plugin Development v
dvzHash hashing

Threaded Mode
dvzHash hashing
1234filip Offline
Posts: 13
Threads: 5
Joined: Oct 2017
Reputation: 0
#1
2017-11-05, 10:27 PM
Hello!
So I'm trying to do some php and check my passwords in the db. I use this plugin to hash my passwords. I set it to 14 workload regular bcrypt. Now I'm wondering the default mybb formula is:
md5(md5(salt).md5(password))
But how does this plugin change that? What is the formula or how is the stored password made?
Find
Reply
Euan T Offline

Development

Security

Web
Posts: 15,151
Threads: 241
Joined: Jun 2009
Reputation: 702
#2
2017-11-05, 10:32 PM
See this file: https://github.com/dvz/mybb-dvzHash/blob...bcrypt.php

If you're using the default bcrypt hash option, then bcrypt is used (via the "password_hash()" function), with a cost of 14.
Website Find
Reply
1234filip Offline
Posts: 13
Threads: 5
Joined: Oct 2017
Reputation: 0
#3
2017-11-05, 11:05 PM
(2017-11-05, 10:32 PM)Euan T Wrote: See this file: https://github.com/dvz/mybb-dvzHash/blob...bcrypt.php

If you're using the default bcrypt hash option, then bcrypt is used (via the "password_hash()" function), with a cost of 14.

So if I understand correctly it does this?
$plaintext = md5(md5($salt) . md5($password));
$hash = password_hash($plaintext, PASSWORD_BCRYPT, [
'cost' => 14,
]);
But this gives me the wrong hash. I'm really confused can you please help me?
Find
Reply
Devilshakerz Offline

Security

Devops

Web
Posts: 2,214
Threads: 198
Joined: Jun 2011
Reputation: 218
#4
2017-11-06, 12:16 AM
A bcrypt output string also includes a salt and cost - password_hash() in this case will output different values since a different salt is generated each time.
A MyBB-bcrypt hashed password can be verified by generating the default hash using a plaintext value with salt (from the mybb_users.salt column) and verifying the end bcrypt hash using password_verify() by providing the hash generated previously as input (instead of a raw password).
DVZ Hash does the same here: https://github.com/dvz/mybb-dvzHash/blob...hp#L22-L24
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
Find
Reply
1234filip Offline
Posts: 13
Threads: 5
Joined: Oct 2017
Reputation: 0
#5
2017-11-06, 06:49 AM
(2017-11-06, 12:16 AM)Devilshakerz Wrote: A bcrypt output string also includes a salt and cost - password_hash() in this case will output different values since a different salt is generated each time.
A MyBB-bcrypt hashed password can be verified by generating the default hash using a plaintext value with salt (from the mybb_users.salt column) and verifying the end bcrypt hash using password_verify() by providing the hash generated previously as input (instead of a raw password).
DVZ Hash does the same here: https://github.com/dvz/mybb-dvzHash/blob...hp#L22-L24

So does it do password_verify(md5(salt).md5(password)) or password_verify(salt.password)?
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)