[MyBB] Improved password encryption.

#61
The real question is why not adopt something like what Linux does with its passwords, and use multiple methods. The method is chosen randomly and NOT included in the password hash, but in a separate field. That way, not only would you need a relational dump but also would need to decipher the algorithm type (and implement it user-defined in MyBB, forcing a complete brute force on password hashes). Hash them 32 times using combinations of the hashing methods... like maybe md5(bcrypt(bcrypt(salt.password)))
Reply

#62
Quote:(06-18-2015, 01:47 PM)Vertigo Wrote:
Sorry I went full autism.

No, it's okay. Your post was actually constructive.
Reply

#63
Quote:(06-20-2015, 01:02 AM)phyrrus9 Wrote:
The real question is why not adopt something like what Linux does with its passwords, and use multiple methods. The method is chosen randomly and NOT included in the password hash, but in a separate field. That way, not only would you need a relational dump but also would need to decipher the algorithm type (and implement it user-defined in MyBB, forcing a complete brute force on password hashes). Hash them 32 times using combinations of the hashing methods... like maybe md5(bcrypt(bcrypt(salt.password)))

I could probably make an example script for that, it would be interesting to say the least.
Reply

#64
Quote:(06-20-2015, 01:45 AM)Vertigo Wrote:
I could probably make an example script for that, it would be interesting to say the least.

I encourage that. If you wrote one I could probably see if I can improve it in a way, and maybe we could even write a MyBB plugin for it.


Actually, here is an implementation of single hashing with multi order that is configurable.

PHP Code:
<?php
/*
hashes available:
 1. md5
 2. sha1
 3. crc32
 4. sha256
configure with the following:
 0x1 => hash #1
 0x2 => hash #2
 0x4 => hash #3
 0x8 => hash #4
4 hashes are used, they create a 16-bit
hash order, read one nibble at a time
starting from the low end. Example:
0x4421 produces (in order)
hash #1 (default MD5)
hash #2 (default SHA-1)
hash #3 (default CRC32)
hash #3 (default CRC32)
*/

$hashes = array("md5"    => 0x1,
                "sha1"   => 0x2,
                "crc32"  => 0x4,
                "sha256" => 0x8);

// Split the 16-bit order into its four nibbles, lowest nibble first.
function generate_order($order)
{
        $ret = array();
        for ($i = 0; $i <= 12; $i += 4)
                array_push($ret, ($order >> $i) & 0xF);
        return $ret;
}

// Run salt.str through the configured stages; each stage hashes the
// previous stage's hex output. A nibble that matches no hash is skipped.
function generate_hash($str, $salt, $order)
{
        global $hashes;
        $ret = $salt . $str;
        $ord = generate_order($order);
        foreach ($ord as $d)
                foreach ($hashes as $key => $val)
                        if ($val == $d)
                                $ret = hash($key, $ret, false);
        return $ret;
}

echo generate_hash("test", "blarg", 0x8421) . "\n";
?>
Reply
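
As an added example (not code from the post above), the check I would run against that script before using it: with order 0x8421 the running value passes through crc32, which leaves only 32 bits of state for the final sha256 to hash, so two different passwords under the same salt collide far more often than a 256-bit output suggests. The function names, the salt value and the "pw"+N candidate passwords are this example's own assumptions.

```php
<?php
// Added example (not from the thread): a birthday-collision search against the
// chained order 0x8421 from the post above (md5 -> sha1 -> crc32 -> sha256).
// Once the chain passes through crc32, the running state is 32 bits wide, so
// the final sha256 can take at most 2^32 distinct values for a given salt.
// Names here (chain_hash, find_collision) are this example's own, not MyBB's.

// Same result as the post's generate_hash() for order 0x8421, written out.
function chain_hash(string $password, string $salt): string
{
    $state = $salt . $password;
    foreach (['md5', 'sha1', 'crc32', 'sha256'] as $algo) {
        $state = hash($algo, $state);   // hex output feeds the next stage
    }
    return $state;
}

// Walk candidate passwords "pw0", "pw1", ... until two of them produce the
// same final digest under the same salt. Expected cost is roughly
// sqrt(pi/2 * 2^32), about 82k candidates; $limit keeps the loop bounded.
function find_collision(string $salt, int $limit = 1000000): ?array
{
    $seen = [];                      // final digest => password that produced it
    for ($i = 0; $i < $limit; $i++) {
        $candidate = 'pw' . $i;
        $digest = chain_hash($candidate, $salt);
        if (isset($seen[$digest])) {
            return [$seen[$digest], $candidate, $digest];
        }
        $seen[$digest] = $candidate;
    }
    return null;
}

$salt = 'blarg';                     // constructed sample salt
$hit = find_collision($salt);
if ($hit === null) {
    echo "no collision within limit\n";
} else {
    [$a, $b, $digest] = $hit;
    printf("'%s' and '%s' both hash to %s under salt '%s'\n", $a, $b, $digest, $salt);
    // Either password now passes a login check that compares only the final digest.
    var_dump(chain_hash($a, $salt) === chain_hash($b, $salt));
}
```

Two further points follow from the script itself: every stage is a fast, unsalted-by-design digest, so the chain adds no work factor against an attacker with the table; and since each nibble either selects one of four hashes or is skipped, there are at most 5^4 = 625 distinct chains, so storing the order in a separate column (the idea from #61) hides under ten bits from someone who has the users table but not that column.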

#65
Quote:(06-20-2015, 02:22 AM)phyrrus9 Wrote:
I encourage that. If you wrote one I could probably see if I can improve it in a way, and maybe we could even write a MyBB plugin for it.

I can't do MyBB, as I am not too familiar with it.
Reply

#66
Quote:(06-20-2015, 04:19 AM)Vertigo Wrote:
I can't do MyBB, as I am not too familiar with it.

Well, show me what you got either way.
Reply

#67
I've done Bcrypt for my forum, I'll write a tutorial on how to do that; guess you can use that as a starting point.
Reply
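
An added example (not the tutorial promised above, and not MyBB's code) of what the bcrypt change involves in PHP: password_hash()/password_verify() for new hashes, and a login path that still accepts the stock md5(md5(salt).password) digest once, then rehashes it with bcrypt while the plaintext is in hand. The function names, the row layout and the cost setting are assumptions for this example; MyBB's own login functions are not shown.

```php
<?php
// Added example (not MyBB's code): moving a MyBB-style users table from
// md5(md5(salt).password) to bcrypt without forcing a password reset.
// Function names and the row layout are assumptions for this example.

const BCRYPT_COST = 12;   // a few hundred ms per hash on a typical server core

// Stock MyBB scheme, as quoted elsewhere in the thread.
function legacy_salt_password(string $password, string $salt): string
{
    return md5(md5($salt) . $password);
}

// New scheme: bcrypt generates its own 128-bit salt and records cost + salt in
// the output ("$2y$12$..."), so the separate salt column is no longer needed.
function bcrypt_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Login check with transparent upgrade. Returns the (possibly updated) row on
// success, or null on failure. A caller persists the row when $upgraded is true.
function check_login(array $row, string $password, &$upgraded): ?array
{
    $upgraded = false;
    $stored = $row['password'];

    if (strncmp($stored, '$2y$', 4) === 0) {
        // Already bcrypt: password_verify() does a constant-time compare.
        if (!password_verify($password, $stored)) {
            return null;
        }
        // Rehash if the cost parameter was raised since this hash was made.
        if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
            $row['password'] = bcrypt_password($password);
            $upgraded = true;
        }
        return $row;
    }

    // Legacy md5 row: verify with the old scheme, then replace it with bcrypt
    // while we still hold the plaintext. hash_equals() avoids a timing leak.
    if (!hash_equals($stored, legacy_salt_password($password, $row['salt']))) {
        return null;
    }
    $row['password'] = bcrypt_password($password);
    $row['salt'] = '';   // legacy salt retired
    $upgraded = true;
    return $row;
}

// Constructed sample row in the legacy format.
$row = ['uid' => 1, 'username' => 'alice', 'salt' => 'Zx9q2LmB',
        'password' => legacy_salt_password('hunter2', 'Zx9q2LmB')];
$up = false;

$result = check_login($row, 'wrong-password', $up);
echo $result === null ? "bad password rejected\n" : "unexpected success\n";

$result = check_login($row, 'hunter2', $up);
echo $up ? "upgraded to: {$result['password']}\n" : "no upgrade\n";

// A second login against the upgraded row takes the bcrypt branch.
$again = check_login($result, 'hunter2', $up);
echo ($again !== null && !$up) ? "bcrypt login ok, no further rehash\n" : "unexpected\n";
```

Until every member has logged in once, rows still carrying the legacy digest are as crackable as before; the usual follow-up is to expire the remaining legacy rows after a grace period rather than keep the fallback branch forever.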

#68
Quote:(06-20-2015, 08:42 AM)Kitsune Wrote:
I've done Bcrypt for my forum, I'll write a tutorial on how to do that; guess you can use that as a starting point.

I'm very interested in reading that if you ever decide to write one.
Reply

#69
Quote:(10-28-2013, 04:38 AM)Poochy Wrote:
This makes it exceedingly difficult for an attacker to decrypt the password hashes on your forum. I recommend doing this while you have a small amount of members on your forum.

First up, open inc/functions_user.php in your favourite text editor, search for the following function.
PHP Code:
function salt_password($password, $salt)
{
    return md5(md5($salt).$password);
}

Come up with a random 5 character long combination of letters and numbers, I'm going to use 3g45h in the example.

Modify the above function so that it looks like this:
PHP Code:
function salt_password($password, $salt)
{
    return md5(md5(md5($salt).$password)."3g45h");
}

It may seem a little overboard, but the security of your members passwords is the most important thing.

Open PHPMyAdmin and navigate to your mybb_users table, and manually update each user's password by following the next step.
Open the MD5 calculator linked in the original post, then enter the user's current password hash, with your 5 random characters at the end.

For example: (the before and after hashes are hidden behind the forum's register-or-reply gate)


Click "Calculate MD5".

Copy the new hash and replace the users old password.

Upload your modified functions_user.php to your server.

Now if an attacker attempts to crack the hashes, it's useless unless they know your 5 random characters.

This would work unless the attacker is skilled, which, judging by the people who hack forums, I would say means this would work very well. Thanks for sharing!
Reply
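
The quoted procedure as an added example script (not from the post or from MyBB), so it can be applied to a whole table rather than one row at a time in phpMyAdmin, together with the check that the modified salt_password() reproduces every migrated digest, and a measure of what "unless they know your 5 random characters" costs an attacker. The function names, sample rows, plaintexts and the pepper value are this example's own assumptions; the brute-force function assumes the pepper is drawn from lowercase letters and digits, as the post suggests.

```php
<?php
// Added example (not from the thread or MyBB): the pepper procedure from the
// quoted post, done as a script instead of by hand in phpMyAdmin. Names, the
// sample rows and the pepper value are this example's own assumptions.

const PEPPER = '3g45h';   // the post's 5-character secret; lives in code, not the DB

// MyBB's stock salt_password(), as quoted in the post.
function legacy_salt_password(string $password, string $salt): string
{
    return md5(md5($salt) . $password);
}

// The post's modified salt_password(): the legacy digest, then the pepper.
function peppered_salt_password(string $password, string $salt): string
{
    return md5(legacy_salt_password($password, $salt) . PEPPER);
}

// Offline migration of one stored row: the post's "paste old hash + pepper
// into an MD5 calculator" step. No plaintext is needed, only the old digest.
function migrate_row(array $row): array
{
    $row['password'] = md5($row['password'] . PEPPER);
    return $row;
}

// Cost for an attacker who already knows one member's plaintext and salt:
// try every pepper over the alphabet the post suggests (letters + digits).
function brute_force_pepper(string $known_password, string $salt, string $target, int $length): ?string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $base = strlen($alphabet);
    $inner = legacy_salt_password($known_password, $salt);   // fixed part, hashed once
    $total = $base ** $length;
    for ($n = 0; $n < $total; $n++) {
        // encode $n as a base-36 string of exactly $length characters
        $guess = '';
        $k = $n;
        for ($p = 0; $p < $length; $p++) {
            $guess = $alphabet[$k % $base] . $guess;
            $k = intdiv($k, $base);
        }
        if (md5($inner . $guess) === $target) {
            return $guess;
        }
    }
    return null;
}

// Constructed sample of mybb_users rows with MyBB-style 8-character salts.
$rows = [
    ['uid' => 1, 'username' => 'alice', 'salt' => 'Zx9q2LmB'],
    ['uid' => 2, 'username' => 'bob',   'salt' => 'q7TtR4wN'],
];
$plaintexts = [1 => 'hunter2', 2 => 'correct horse'];   // only used to build the sample
foreach ($rows as &$row) {
    $row['password'] = legacy_salt_password($plaintexts[$row['uid']], $row['salt']);
}
unset($row);

// 1. Migrate the stored digests exactly as the post describes.
$migrated = array_map('migrate_row', $rows);

// 2. Check: the modified salt_password() must reproduce every migrated digest,
//    otherwise nobody can log in once functions_user.php is uploaded.
foreach ($migrated as $row) {
    $recomputed = peppered_salt_password($plaintexts[$row['uid']], $row['salt']);
    printf("uid %d: %s\n", $row['uid'], $recomputed === $row['password'] ? 'ok' : 'MISMATCH');
}

// 3. Keyspace of the pepper: 36^5 MD5 calls, which a GPU finishes in seconds.
//    Demonstrated with a 3-character pepper so the loop finishes quickly here.
$demo_target = md5(legacy_salt_password('hunter2', 'Zx9q2LmB') . 'k2z');
printf("recovered 3-char pepper: %s\n",
       brute_force_pepper('hunter2', 'Zx9q2LmB', $demo_target, 3) ?? 'not found');
printf("5-char pepper keyspace: %d\n", 36 ** 5);
```

The migration is exact because the new function is md5(old_digest . pepper), so the old digest is all the script needs. The brute-force function shows the other side of the post's last sentence: the pepper is the only thing standing between the attacker and plain salted MD5, it is stored in a PHP file rather than the database, and at 36^5 possibilities it falls to a single known password in one short cracking run.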

#70
Would this work when the hash method is already changed?

Meh, guess I will have to ask him myself.
Reply

©0Day 2016 - 2023 | All Rights Reserved.