MyBB's Password Encryption Method?
#1
Question 
Hi,

I'm wanting to use a WordPress plugin ( http://wordpress.org/extend/plugins/exte...ntication/ ) to be able to connect to MyBB's database and authenticate, but I'm stuck.

How does MyBB do its password encryption? The plugin is asking for an encryption method.

Thanks.
[Image: igG319dTu71gT.png]
#2
(2010-06-18, 09:34 PM)MattRogowski Wrote: $stored_pass = md5(md5($salt).md5($plain_pass));

Wink
-Joe
AFreeCloud - Free Cloud-Based Web Hosting!
#3
What's the "salt"?

/encryptionnoob
#4
Randomly generated characters.
-Joe
AFreeCloud - Free Cloud-Based Web Hosting!
#5
/**
 * Generates a random salt
 *
 * @return string The salt.
 */
function generate_salt()
{
	return random_str(8);
}

/**
 * Salts a password based on a supplied salt.
 *
 * @param string The md5()'ed password.
 * @param string The salt.
 * @return string The password hash.
 */
function salt_password($password, $salt)
{
	return md5(md5($salt).$password);
}

$pass = $mybb->input['password'];

$md5pass = md5($pass);
$salt = generate_salt();

$salted_pass = salt_password($md5pass, $salt);

The value of $salted_pass is what you find in the database.
MyBB-Plugins.com is for sale - check this thread for more information.
#6
That seems kinda unsafe.
Wouldn't SHA-1 be more secure?

Edit: Also, http://chargen.matasano.com/chargen/2007...out-s.html
#7
Why it seems unsafe? Salted password? You need to crack two MD5 hashes to reveal the password from which first unhashed string has 64 characters. Big Grin Rainbow tables won't be helpful here.
#8
(2010-08-13, 04:14 PM)TheLifelessOne Wrote: That seems kinda unsafe.
Wouldn't SHA-1 be more secure?

No, they're basically the same since they're both optimized to be fast and both have been cracked already.
That's why you use a salt and md5 everything at the end
MyBB-Plugins.com is for sale - check this thread for more information.
#9
I think encrypting two encrypted strings would be pretty safe... Wink
-Doug
1scream Founder
Former MyBB Developer & SQA Member
My Twitter
#10
(2010-08-13, 04:20 PM)Pirata Nervo Wrote:
(2010-08-13, 04:14 PM)TheLifelessOne Wrote: That seems kinda unsafe.
Wouldn't SHA-1 be more secure?

No, they're basically the same since they're both optimized to be fast and both have been cracked already.
That's why you use a salt and md5 everything at the end

SHA-1 is actually slower (on most systems), and it usually more secure.

(2010-08-13, 05:00 PM)DougSD Wrote: I think encrypting two encrypted strings would be pretty safe... Wink

You should just implement a one-time pad. Toungue



Forum Jump:


Users browsing this thread: 1 Guest(s)