Search found 6 matches

by visionviper
Tue Mar 13, 2012 4:13 pm
Forum: [3.1/Ascraeus] Merged RFCs
Topic: [RFC] More secure hashing
Replies: 64
Views: 37270

Re: [RFC] Update encryption standards

bantu wrote: Also, this does not seem to be a standardized or well-established password hashing scheme, so I would certainly suggest using bcrypt (which is already provided by phpass, given PHP 5.3) over the approach you proposed.
Doesn't phpass work simply by salting, hashing and looping?
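As an added illustration of the "salt, hash, loop" idea the post asks about (this is example code written for this page, not phpass's or phpBB's code; the record format `$itmd5$...` and the `log2_rounds` parameter are made-up conventions for the demo, and the real phpass portable hash encodes its salt and count differently):

```python
import hashlib
import hmac
import os
from typing import Optional

# Simplified model of an iterated, salted hash: a random per-user salt is
# mixed in up front, then the digest is chained 2**log2_rounds times with
# the password folded back in on each round. The loop count is the "work
# factor": raising log2_rounds by one doubles the cost for attacker and
# defender alike. (Assumed scheme for illustration, not phpass's exact code.)

def iterated_hash(password: bytes, salt: bytes, log2_rounds: int) -> bytes:
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << log2_rounds):
        digest = hashlib.md5(digest + password).digest()
    return digest


def make_record(password: bytes, log2_rounds: int = 12,
                salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme, work factor, salt, digest.

    Storing the work factor in the record lets it be raised later for new
    passwords without invalidating existing ones.
    """
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per password
    digest = iterated_hash(password, salt, log2_rounds)
    return "$itmd5$%d$%s$%s" % (log2_rounds, salt.hex(), digest.hex())


def verify(password: bytes, record: str) -> bool:
    """Recompute from the stored salt and work factor; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 5 or parts[1] != "itmd5":
        return False
    _, _, log2_rounds, salt_hex, digest_hex = parts
    got = iterated_hash(password, bytes.fromhex(salt_hex), int(log2_rounds))
    return hmac.compare_digest(got, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rec = make_record(b"correct horse", log2_rounds=10)
    print(rec)
    print("verify ok:", verify(b"correct horse", rec))
    print("verify wrong:", verify(b"wrong horse", rec))
```

Two things the loop alone does not buy you are worth keeping in mind when reading the thread: the per-user salt is what stops a single precomputed table from covering every account, and the work factor is what makes each guess expensive; a scheme needs both, and bcrypt packages both behind a standard, reviewed construction.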
by visionviper
Tue Mar 13, 2012 3:33 pm
Forum: [3.1/Ascraeus] Merged RFCs
Topic: [RFC] More secure hashing
Replies: 64
Views: 37270

Re: [RFC] Update encryption standards

It's time to get phpBB off of using md5 and using stronger encryption standards. What I am proposing is this: When phpBB is installed (or upgraded) it takes a look to see if mcrypt is installed and what encryption is supported. It will then pick the best available (such as AES or Twofish) and uses ...
by visionviper
Sun Feb 05, 2012 12:44 am
Forum: [3.1/Ascraeus] Merged RFCs
Topic: [RFC] More secure hashing
Replies: 64
Views: 37270

Re: [RFC] Update encryption standards

Even moving to SHA-1 would be better than using md5. Why is that so "even"? SHA1 is definitely secure (although by the definition of secure, MD5 is secure as it hasn't been broken yet). These tests aren't fair as I only ran them once, but to crack the hash of "callum$phpBB`" using a popular rainbow...
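The post's point that an unsalted hash of "callum$phpBB`" falls to a precomputed table, as an added worked example (written for this page, not code from the thread or from phpBB). A real rainbow table is a time/memory trade-off structure; the dictionary below is a plain lookup table built from a small constructed word list, which is enough to show why a per-user salt defeats precomputation:

```python
import hashlib
import os
from typing import Dict, List, Optional

# Constructed word list standing in for the attacker's precomputed table.
# It deliberately contains the password from the post so the unsalted
# lookup succeeds.
WORDLIST: List[str] = [
    "password", "123456", "letmein", "callum$phpBB`", "qwerty", "phpbb",
]


def build_table(words: List[str]) -> Dict[str, str]:
    """Precompute md5(word) -> word once; the attacker pays this cost only once."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup(table: Dict[str, str], digest_hex: str) -> Optional[str]:
    """O(1) reversal of an unsalted digest if the password was in the list."""
    return table.get(digest_hex)


def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def salted_md5(password: str, salt: bytes) -> str:
    """Same password, but a per-user random salt changes the digest entirely,
    so a table built over bare words never matches."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def crack_with_salt(table_words: List[str], salt: bytes, target_hex: str) -> Optional[str]:
    """With a salt, the attacker must redo the whole word list per salt
    (per user) instead of one table lookup: the precomputation is wasted."""
    for w in table_words:
        if salted_md5(w, salt) == target_hex:
            return w
    return None


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted:", lookup(table, unsalted_md5("callum$phpBB`")))
    salt = os.urandom(8)
    print("salted lookup:", lookup(table, salted_md5("callum$phpBB`", salt)))
    print("salted brute force:", crack_with_salt(WORDLIST, salt, salted_md5("callum$phpBB`", salt)))
```

The brute-force function still finds the password because the word list is tiny and MD5 is fast; a salt removes the table shortcut, and only an expensive, iterated hash (bcrypt, or at least a large loop count) makes that per-user search costly.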
by visionviper
Sat Feb 04, 2012 8:03 pm
Forum: [3.1/Ascraeus] Merged RFCs
Topic: [RFC] More secure hashing
Replies: 64
Views: 37270

Re: [RFC] Update encryption standards

Will you guys consider moving to something that isn't susceptible to collision attacks or pre-image attacks? SHA-2 can be used for hashing and it doesn't suffer from collision or pre-image attacks. Even moving to SHA-1 would be better than using md5. phpBB could be set up to choose the best hashing ...
by visionviper
Sat Feb 04, 2012 5:35 pm
Forum: [3.1/Ascraeus] Merged RFCs
Topic: [RFC] More secure hashing
Replies: 64
Views: 37270

Re: [RFC] Update encryption standards

Passwords are hashed, not encrypted. We also I believe use phpass for password hashing, therefore the first step would be to check what hashes phpass supports nowadays. Ok, so they are hashed with md5. Either way, it would be nice to see some actual encryption use for the passwords. By moving to an...
by visionviper
Sat Feb 04, 2012 4:44 am
Forum: [3.1/Ascraeus] Merged RFCs
Topic: [RFC] More secure hashing
Replies: 64
Views: 37270

[RFC] Update password hashing algorithm

Note: topic title changed from "Update encryption standards" to reflect the discussion that seems to be taking place more accurately. As I am sure all of you know, phpBB still heavily relies on md5 for password encryption. In the beginning of 2009 US-CERT posted a vulnerability notice about md5. Inc...