MyBB's Password Encryption Method?
#11
(2010-08-13, 05:10 PM)TheLifelessOne Wrote:
(2010-08-13, 04:20 PM)Pirata Nervo Wrote:
(2010-08-13, 04:14 PM)TheLifelessOne Wrote: That seems kinda unsafe.
Wouldn't SHA-1 be more secure?

No, they're basically the same since they're both optimized to be fast and both have been cracked already.
That's why you use a salt and md5 everything at the end

SHA-1 is actually slower (on most systems), and it usually more secure.

(2010-08-13, 05:00 PM)DougSD Wrote: I think encrypting two encrypted strings would be pretty safe... Wink

You should just implement a one-time pad. Toungue

Just because it's more secure it doesn't mean it can't be cracked. Someone who wants to crack an md5 hash can also crack a sh1 hash. Plus it's not that much secure compared to md5
All my plugins are available for free at MyBB Extend and on my GitHub. MyBB-Plugins.com has been closed and none of my plugins are officially maintained or supported.
#12
Actually, a proper one-time pad cannot be cracked.

It's impossible if it's done right.
#13
(2010-08-13, 05:28 PM)TheLifelessOne Wrote: Actually, a proper one-time pad cannot be cracked.

It's impossible if it's done right.

I was talking about sha1 not one-time pad
All my plugins are available for free at MyBB Extend and on my GitHub. MyBB-Plugins.com has been closed and none of my plugins are officially maintained or supported.
#14
Right, my bad.
#15
It's not about the encryption method, it's about how strong the password is.

pass123 could be easily cracked.

a&i:4K756h_+Vb4 couldn't be easily cracked.
No longer involved in the MyBB project.
#16
This is a handy tool to generate and store passwords: http://keepass.info/

I use it all the time.
--Pyridine
#17
(2010-08-13, 04:14 PM)TheLifelessOne Wrote: That seems kinda unsafe.
Wouldn't SHA-1 be more secure?

Edit: Also, http://chargen.matasano.com/chargen/2007...out-s.html

No, it's totally safe. If it was just a simple md5($password) by itself, THAT would be unsafe since reverse-md5 rainbow tables are common these days and easy to generate.

However we couple it with much better entropy (a statistically secure random salt) which makes it essentially impossible to reverse-md5 using rainbow tables. Even if you had the database itself, you would have to brute force every single password in the table because it uses a unique salt for each one. There is no performance speedup you could do.

Even then, if you didn't have a copy of the db, you would need to brute force it from the web interface. This is very very slow because of latency and a firewall or someone would notice the brute force attack and stop it. It would takes hundreds or thousands of years to brute force.
#18
This user has been denied support. This user has been denied support.
For passwords, you have to use Salt no matter how secure the hashing function is.
Security of hashing functions is not about passwords.
#19
(2010-08-13, 02:24 PM)Dylan M. Wrote: Thanks everyone Smile


(2010-08-13, 10:28 AM)faviouz Wrote: Congrats. Big Grin Orange does look good on you, but you need a new matching avatar.

Matching Avatar? You don't think an avatar of code is appropriate for a developer? Big Grin

Maybe the full sized image will change your perspective Wink

html code avatar:

Thank you. Smile
[Image: igG319dTu71gT.png]
#20
Wrong thread?
--Pyridine


Forum Jump:


Users browsing this thread: 1 Guest(s)