Password hashing function

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Post Reply
Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Password hashing function

Post by Martin Blank »

With the recent discoveries of methods to find collisions in MD5 (and thus find alternate passwords that hash to the same value as checked against the database), are there any plans to move to or have the option to move to something more secure, such as SHA-1 or (since SHA-1 may have serious weaknesses) SHA-256/512?
You can never go home again... but I guess you can shop there.

User avatar
A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: Password hashing function

Post by A_Jelly_Doughnut »

No, because sha1 is only avaliable in php >= 4.3. sha256/512 isn't avaliable at all afaik.
A_Jelly_Doughnut

sparkster
Registered User
Posts: 182
Joined: Mon Jan 05, 2004 1:18 am

Re: Password hashing function

Post by sparkster »

No because as well changing the hashing function would require every user on every upgraded phpBB board reset their password. Unless the devs went for using a salt and blah blah too long a post. Could be done but probably won't be for simplicity.

ybart10
Registered User
Posts: 34
Joined: Sat May 11, 2002 8:52 am
Contact:

Re: Password hashing function

Post by ybart10 »

This last point is not really a problem, since upgrade script can let a mark in database (or in filesystem) to let script use the md5 function rather a new other method. This way, admin can choose what hash method should be used on their forum.

User avatar
A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: Password hashing function

Post by A_Jelly_Doughnut »

It ain't that simple...as per the above poster, you can't magically change an MD5 hash to an SHA-1 hash...at least as long as MD5 remains moderately secure. Besides, the article I saw said that SHA-1 may have the same issues as MD5, but further testing is needed.
A_Jelly_Doughnut

Manip
Registered User
Posts: 11
Joined: Sun Sep 28, 2003 12:17 pm

Re: Password hashing function

Post by Manip »

This discussion is silly, just because Slashdot and other sites have insane titles like 'MD5 has been broken' doesn't make it true or MD5 insecure. Other than wiping out a calculator I have no idea how many possible hash combinations there are in MD5 but the real point is if you go from something which is near impossible to brute force to something which is next to near impossible it is not going to make a great deal of difference.

Lets say two hashes every 100million collide that doesn't make it even slightly less secure than it currently is because any 'cracker' worth his or her weight in gold would be using some kind of intelligent brute forcing method (A~Za~z0~9) which would cut down the combinations before you have to ever deal with the collision problem.

The only people this will help are those that are frankly stupid enough to do a byte by byte brute force using all possible combinations and even then it would take them around 200years.

I think anyone that considers this a security problem for PHPbb clearly doesn't remotely understand the new discovery or what a collision is or how many combinations a 64bit hash has.

User avatar
the_dan
Registered User
Posts: 700
Joined: Thu Apr 01, 2004 7:36 pm

Re: Password hashing function

Post by the_dan »

I know that the newest version of IPB plays around with Salts etc, won't think make the converter a bit difficult to write?

Dan

User avatar
psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm
Contact:

Re: Password hashing function

Post by psoTFX »

Really? IPB 2 uses a salt? Hilarious given the comments certain IPB members levelled at vB when they did this ... really hilarious.

User avatar
A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: Password hashing function

Post by A_Jelly_Doughnut »

@psoTFX: http://area51.phpbb.com/phpBB22/viewtop ... =3&t=15374" target="_blank discusses IPB's salt a bit more :)
A_Jelly_Doughnut

User avatar
psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm
Contact:

Re: Password hashing function

Post by psoTFX »

Invision users need to stop thinking of Matt as some kind of "King" wrt these things ... it grows very very tiring particularly since, IIRC, he no longer programs that board alone.

What he's doing is, AFAIK what Jelsoft implemented for vB3. There was a topic a long(ish) time ago at either thebearspot or foruminsider whereupon an invision supporter (or was it Matt?) laid into one of the vB developers about how useless their use of a salt was ...

Long before that during phpBB 2.0 development I introduced a seperate autologind stored in the DB. In the end it was ditched because if you get the autologinid, whatever it is, you can craft a cookie and gain access as that user ... doesn't matter whether it's the users password or not. Now true I believe IPB require seperate login to the ACP, we don't, but if you're an admin chances are you've got extensive moderator powers ... and it doesn't take too long to do an awful lot of damage just using those.

But all this is just typical of IPB supporters. With Ikonboard all you used to read was "PHP is rubbish, Perl is far superior" ... till Matt decided to start work on a PHP forum (because people were leaving iB in droves as their providers banned its use) ... then they suddenly turned into strict PHP supporters "Perl is so yesterday!" ... really irritates me that does :)

Post Reply