Password hashing function

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
olger901
Registered User
Posts: 536
Joined: Tue May 11, 2004 4:57 pm

Re: Password hashing function

Post by olger901 »

Well, they might say PHP is better nowadays, but that doesn't mean it's the best. In my opinion Python is superior to PHP, and in the future it could also have a big chance in web design; same with CFM.

Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: Password hashing function

Post by Martin Blank »

I'm always amazed at how threads can be derailed, even after seeing it happen so much on my own board.
Manip wrote: I think anyone that considers this a security problem for phpBB clearly doesn't remotely understand the new discovery, or what a collision is, or how many combinations a 64-bit hash has.
I'm quite clear on what a collision is (two initial values returning the same hash) and how many combinations are available. However, cryptographic history shows that what often happens when one crack is found, others are able to further exploit that crack (in a research sense) to find bigger flaws.

Right now, an IBM P690 takes 15 seconds to five minutes (according to paper authors Xiaoyun Wang, Dengguo Feng, Xuejia Lai, and Hongbo Yu) to find a second IV for a particular hash, and this works for any given IV.

This may be the first leak in the dam for MD5, especially if some method can be found to reverse the hashing and find an acceptable IV that will provide the given hash.
You can never go home again... but I guess you can shop there.

the_dan
Registered User
Posts: 700
Joined: Thu Apr 01, 2004 7:36 pm

Re: Password hashing function

Post by the_dan »

You have to get the hash first, though remember.

I also believe that Snitz stores passwords in plaintext form.

Dan

sparkster
Registered User
Posts: 182
Joined: Mon Jan 05, 2004 1:18 am

Re: Password hashing function

Post by sparkster »

Nothing open source is ever secure in the sense that crackers will always know what they're up against. However, while I agree that salting is a great idea, I don't believe MD5 is by any means "compromised". If you actually read the details of what happened rather than just the Slashdot article, you'd know that the collisions were found in SHA-1's predecessor, quite an old hash that I don't think PHP even supports.

Apparently we'll find out in a few days whether MD5 was broken, but I doubt we'll hear anything for a while until the next round of jumped-up hype does its rounds on the tech sites.

Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: Password hashing function

Post by Martin Blank »

GRR.

I did read the paper (PDF warning). The collisions in MD5 are quite real and, according to the paper, reproducible. They include two pairs of 1024-bit messages that produce the same hash. Theoretically, MD5 should not produce collisions in fewer than 2^64 messages on average. The paper shows that they can do this in far fewer attempts.

This is a first weakness; I expect more will follow.
You can never go home again... but I guess you can shop there.
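The 2^64 figure in the post above is the generic birthday bound: for any n-bit hash, roughly sqrt(pi/2 * 2^n) random inputs are expected before two of them share a digest, which for 128-bit MD5 works out to about 1.25 * 2^64 hashes. A collision attack only counts as a break if it beats that bound, which is what the Wang et al. result does. The block below is an added example, not code from the thread or from phpBB: it runs the generic birthday search, which uses no weakness of MD5 at all, against MD5 truncated to a small number of bits so that it finishes in seconds, and compares the work actually needed with the formula. The message format (a fixed prefix plus a decimal counter) and the function names are my own choices for the example.

```python
import hashlib
import math


def truncated_md5(message: bytes, bits: int) -> int:
    """Leading `bits` bits of the MD5 digest of `message`, as an integer.

    Truncation stands in for a weaker hash so the search finishes quickly;
    the birthday arithmetic is the same at any output width.
    """
    digest = int.from_bytes(hashlib.md5(message).digest(), "big")
    return digest >> (128 - bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-"):
    """Generic collision search that exploits no structure of MD5.

    Hashes distinct counter-based messages (prefix + decimal counter) and
    stops at the first repeated truncated digest.  Returns
    (message_a, message_b, hashes_computed).  The two messages differ but
    agree on the leading `bits` bits of their MD5 output.
    """
    seen = {}  # truncated digest -> message that produced it
    counter = 0
    while True:
        message = prefix + str(counter).encode()
        h = truncated_md5(message, bits)
        if h in seen:
            return seen[h], message, counter + 1
        seen[h] = message
        counter += 1


def expected_birthday_work(bits: int) -> float:
    """Expected hashes before a collision on an ideal n-bit hash:
    sqrt(pi/2 * 2**n).  For n = 128 this is about 1.25 * 2**64, the figure
    a dedicated collision attack on MD5 has to beat to count as a break."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, n = birthday_collision(bits)
        print(f"{bits}-bit truncation: collision after {n} hashes "
              f"(expected about {expected_birthday_work(bits):.0f})")
        print(f"  {a!r} -> {truncated_md5(a, bits):0{bits // 4}x}")
        print(f"  {b!r} -> {truncated_md5(b, bits):0{bits // 4}x}")
    print(f"full MD5 (128 bits): expected about "
          f"2**{math.log2(expected_birthday_work(128)):.1f} hashes")
```

The run at 32 bits takes tens of thousands of hashes and a fraction of a second; each extra bit of output doubles the expected work only every two bits, which is why the generic bound for the full 128-bit digest sits at 2^64 rather than 2^128. The colliding messages found this way agree only on the truncated bits, so their full MD5 digests still differ.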

quolo
Registered User
Posts: 5
Joined: Mon Nov 24, 2003 8:40 pm

Re: Password hashing function

Post by quolo »

Martin Blank wrote:Right now, an IBM P690 takes 15 seconds to five minutes (according to paper authors Xiaoyun Wang, Dengguo Feng, Xuejia Lai, and Hongbo Yu) to find a second IV for a particular hash, and this works for any given IV.
Not to derail, but I'm just learning about encryption. What is an IV?

marinedalek
Registered User
Posts: 12
Joined: Mon Aug 23, 2004 10:11 pm

Re: Password hashing function

Post by marinedalek »

Having worked on a hashing algorithm myself, I know that practically all hash routines have collisions. You would need a hash of infinite length, generated by a password of infinite length to have a collision-free hash. We must remember that the hash is for a password on a forum, not for some secret missile launch sequence. If the forum is set up correctly, the only person with access to the hashed password is the administrator, and if he wanted he could easily access the user's account without the password (but I won't say how). Whatever hash, there's always a way around it. MD5 is sufficient for what phpBB does.

Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: Password hashing function

Post by Martin Blank »

quolo wrote:Not to derail, but I'm just learning about encryption. What is an IV?
Initial Value. It's the value that's sent into the hashing algorithm to find the result.
marinedalek wrote:We must remember that the hash is for a password on a forum, not for some secret missile launch sequence.
Then why use something as complex as MD5 in the first place? Why not use a simpler method? I don't see this as a justification for using something with a demonstrated weakness.

I'm not calling for an instant move to SHA-512 in phpBB, but awareness of the potential weaknesses is important for planning the future of the system. Suppose someone finds a weakness that allows a couple hundred hours of work by a PC to break it. Suddenly, I have access to any one of several thousand passwords, and chances are that I would be able to use at least some of them to get access to the users' other accounts, were I so inclined.
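Two points raised earlier in the thread fit together here: sparkster's remark that salting is a good idea, and the scenario above in which one leaked table yields several thousand passwords at once. A collision, which is what the paper demonstrates, is two inputs with the same digest; recovering a password from a leaked digest is a different problem, and in practice it is done by guessing candidate passwords and hashing them. What an unsalted table gives the attacker is the ability to hash each guess once and match it against every user simultaneously, and to see immediately which users share a password. The block below is an added example, not code from the thread or from phpBB: it builds a constructed five-user table both ways (bare md5() as the thread describes, and MD5 over a random per-user salt), then runs the same small guess list against each and counts the MD5 computations needed. The `salthex$digest` storage format, the sample users and the guess list are assumptions made for the example. MD5 is kept on both sides so that only the effect of the salt shows; a modern scheme would also replace the fast hash with a deliberately slow, iterated one.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not a real dump): five accounts and a tiny guess
# list.  Real leaks and wordlists are far larger; only the ratios matter.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "qwerty",
    "carol": "letmein",
    "dave": "password",      # same password as alice
    "erin": "Tr0ub4dor&3",   # not in the guess list
}
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "phpbb", "dragon"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store_unsalted(password: str) -> str:
    """Bare md5() of the password, as the thread describes."""
    return md5_hex(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """MD5 over a random per-user salt plus the password, stored as
    'salthex$digest' (the format is an assumption for this example).
    The hash function is unchanged; only the per-user salt is added."""
    if salt is None:
        salt = os.urandom(8)
    return salt.hex() + "$" + md5_hex(salt + password.encode())


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest under the stored salt and compare."""
    salt_hex, digest = stored.split("$", 1)
    return md5_hex(bytes.fromhex(salt_hex) + password.encode()) == digest


def build_tables(users: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """What an attacker finds in the database under each scheme."""
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    return unsalted, salted


def crack_unsalted(table: Dict[str, str], guesses: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash each guess once; the lookup table then cracks every user with a
    guessable password at the same time.  Returns (cracked, md5_calls)."""
    lookup = {store_unsalted(g): g for g in guesses}
    cracked = {user: lookup[h] for user, h in table.items() if h in lookup}
    return cracked, len(guesses)


def crack_salted(table: Dict[str, str], guesses: List[str]) -> Tuple[Dict[str, str], int]:
    """Every guess must be re-hashed under every user's salt, so the work is
    users x guesses and nothing can be precomputed before the leak."""
    cracked: Dict[str, str] = {}
    md5_calls = 0
    for user, stored in table.items():
        salt = bytes.fromhex(stored.split("$", 1)[0])
        for g in guesses:
            md5_calls += 1
            if store_salted(g, salt) == stored:
                cracked[user] = g
    return cracked, md5_calls


if __name__ == "__main__":
    unsalted, salted = build_tables(SAMPLE_USERS)
    print("unsalted: alice and dave identical?", unsalted["alice"] == unsalted["dave"])
    print("salted:   alice and dave identical?", salted["alice"] == salted["dave"])
    for name, crack, table in (("unsalted", crack_unsalted, unsalted),
                               ("salted", crack_salted, salted)):
        cracked, calls = crack(table, COMMON_PASSWORDS)
        print(f"{name}: {len(cracked)}/{len(table)} cracked "
              f"with {calls} MD5 computations -> {cracked}")
```

With five users and six guesses the salted table costs thirty MD5 computations against six for the unsalted one; with thousands of users and millions of guesses the same multiplication is what turns "a couple hundred hours" for one table into a couple hundred hours per account, and the precomputed dictionary becomes useless because the salts are not known until after the leak.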

AdamR
Registered User
Posts: 71
Joined: Tue Mar 02, 2004 7:51 pm
Location: Tampa, Florida

Re: Password hashing function

Post by AdamR »

marinedalek wrote:We must remember that the hash is for a password on a forum, not for some secret missile launch sequence.
Exactly.
Martin Blank wrote:Then why use something as complex as MD5 in the first place? Why not use a simpler method? I don't see this as a justification for using something with a demonstrated weakness.
Seriously, think about it. PHP includes several default encryption functions, all of which are quite secure and close to the same level. Why create a whole new function and algorithm that would produce simpler encryption when you can just use md5()? I mean, seriously... 5 characters.

And also, think about it. If someone knows enough to get ahold of something to figure out the same IV of an MD5 hash, they could most likely get through any backend server security, at which point, they wouldn't need the password to the forum in the first place.

- Adam

psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm

Re: Password hashing function

Post by psoTFX »

Martin Blank wrote:I'm not calling for an instant move to SHA-512 in phpBB, but awareness of the potential weaknesses is important for planning the future of the system. Suppose someone finds a weakness that allows a couple hundred hours of work by a PC to break it. Suddenly, I have access to any one of several thousand passwords, and chances are that I would be able to use at least some of them to get access to the users other accounts, were I so inclined.
Without wishing to downplay security issues I must admit I too think you're getting rather carried away with this. The vast vast vast majority of users are never "hacked" in any sense, even those running old boards with known vulnerabilities. Why? Because even script kiddies have better things to do and better targets to go after. Thus the idea that thousands of boards (not just phpBB boards I add ... most web systems with authentication use MD5 at some point in the chain) will suddenly all succumb to mass password/autologinid stealing is obviously a non-issue. And as noted, if someone is determined to "get you" there are sometimes easier ways than intercepting and stealing your board password. The number of "I've been hacked!" posts made to our forums which turn out or otherwise appear to be server account issues is not funny (of course web hosts frequently blame phpBB or other software ... after all, it's far easier to blame the user than fix the system :)). IOW even with this newly found issue I'm not terribly concerned at this point on any impact to phpBB per se. Obviously we need to keep an eye on it though.
