dvzHash hashing
#1
Hello!
So I'm trying to do some PHP and check my passwords in the DB. I use this plugin to hash my passwords. I set it to 14 workload regular bcrypt. Now I'm wondering, the default MyBB formula is:
md5(md5(salt).md5(password))
But how does this plugin change that? What is the formula or how is the stored password made?
#2
See this file: https://github.com/dvz/mybb-dvzHash/blob...bcrypt.php

If you're using the default bcrypt hash option, then bcrypt is used (via the "password_hash()" function), with a cost of 14.
#3
(2017-11-05, 10:32 PM)Euan T Wrote: See this file: https://github.com/dvz/mybb-dvzHash/blob...bcrypt.php

If you're using the default bcrypt hash option, then bcrypt is used (via the "password_hash()" function), with a cost of 14.

So if I understand correctly it does this?
$plaintext = md5(md5($salt) . md5($password));
$hash = password_hash($plaintext, PASSWORD_BCRYPT, [
    'cost' => 14,
]);
But this gives me the wrong hash. I'm really confused, can you please help me?
#4
A bcrypt output string also includes a salt and cost - password_hash() in this case will output different values since a different salt is generated each time.
A MyBB-bcrypt hashed password can be verified by generating the default hash using a plaintext value with salt (from the mybb_users.salt column) and verifying the end bcrypt hash using password_verify() by providing the hash generated previously as input (instead of a raw password).
DVZ Hash does the same here: https://github.com/dvz/mybb-dvzHash/blob...hp#L22-L24
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
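Worked example of the verification flow described in the post above, added here and not taken from the thread or from the dvzHash plugin: the legacy MyBB digest is built first, then handed to password_verify() against the stored bcrypt string. The function names, the sample user row and its salt are assumptions constructed for the example; the mybb_users.salt / password columns and the cost of 14 are the ones named in the thread.

```php
<?php
declare(strict_types=1);

// Legacy MyBB digest: md5(md5(salt) . md5(password)). The 32-character hex
// result stays well under bcrypt's 72-byte input limit.
function mybb_legacy_digest(string $salt, string $password): string
{
    return md5(md5($salt) . md5($password));
}

// Stored value: bcrypt over the legacy digest, not over the raw password.
// password_hash() picks a fresh random bcrypt salt on every call, so two
// calls with the same input produce two different strings.
function mybb_bcrypt_create(string $salt, string $password, int $cost = 14): string
{
    return password_hash(mybb_legacy_digest($salt, $password), PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verification: never compare hash strings directly; let password_verify()
// read the salt and cost embedded in the stored string.
function mybb_bcrypt_verify(string $salt, string $password, string $storedHash): bool
{
    return password_verify(mybb_legacy_digest($salt, $password), $storedHash);
}

// Constructed sample row standing in for one mybb_users record (assumed values).
$row = [
    'salt'     => 'Ab3dEf9k',
    'password' => mybb_bcrypt_create('Ab3dEf9k', 'correct horse battery staple', 14),
];

$attempts = ['correct horse battery staple', 'wrong password'];
foreach ($attempts as $attempt) {
    $ok = mybb_bcrypt_verify($row['salt'], $attempt, $row['password']);
    echo ($ok ? 'ACCEPT' : 'REJECT') . ': ' . $attempt . PHP_EOL;
}

// Why recomputing password_hash() and comparing strings "gives the wrong hash":
// the two strings differ, yet both verify for the same credentials.
$first  = mybb_bcrypt_create($row['salt'], 'same password');
$second = mybb_bcrypt_create($row['salt'], 'same password');
echo 'Hash strings identical: ' . var_export($first === $second, true) . PHP_EOL;
echo 'Both verify: ' . var_export(
    mybb_bcrypt_verify($row['salt'], 'same password', $first)
    && mybb_bcrypt_verify($row['salt'], 'same password', $second),
    true
) . PHP_EOL;
```

Each bcrypt call at cost 14 takes on the order of a second, so expect the script to run for a few seconds.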
#5
(2017-11-06, 12:16 AM)Devilshakerz Wrote: A bcrypt output string also includes a salt and cost - password_hash() in this case will output different values since a different salt is generated each time.
A MyBB-bcrypt hashed password can be verified by generating the default hash using a plaintext value with salt (from the mybb_users.salt column) and verifying the end bcrypt hash using password_verify() by providing the hash generated previously as input (instead of a raw password).
DVZ Hash does the same here: https://github.com/dvz/mybb-dvzHash/blob...hp#L22-L24

So does it do password_verify(md5(salt).md5(password)) or password_verify(salt.password)?