Password hashing function

Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
NeoThermic
Registered User
Posts: 198
Joined: Fri Jan 02, 2004 3:44 pm
Location: United Kingdom

Re: Password hashing function

Post by NeoThermic »

asgl wrote: What about using Blowfish with a user-defined salt?
There are lots of libraries written in PHP that can do this.
Blowfish is a block cipher, which does mean that given the key, someone can quickly reverse the results of the encryption. This is not a hashing system, and thus not suitable for such use on a forum (although IIRC OpenBSD uses it for its password storage, ho hum).

As for its strength, Blowfish does its work over 16 rounds. Last time I checked, a cryptologist called Vincent Rijmen used a second-order differential attack (in short, looking at the input vs the output to work out where the block cipher isn't so random), which managed to expose a weakness in four of the sixteen rounds. That's the highest anyone's ever gone with Blowfish, so it is secure.

NeoThermic
phpBB release date pool!
The NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
asgl
Registered User
Posts: 14
Joined: Fri Aug 29, 2003 9:45 am
Location: Vicenza, Italy

Re: Password hashing function

Post by asgl »

NeoThermic wrote: Blowfish is a block cipher, which does mean that given the key, someone can quickly reverse the results of the encryption. This is not a hashing system, and thus not suitable for such use on a forum (although IIRC OpenBSD uses it for its password storage, ho hum).
This is exactly what I meant: the key is generated by the system during the installation and is saved into the config.php file. Then it's used to encrypt the password, and you get a pseudo-hash. Stealing the key is (theoretically) as impossible as stealing the database password.

P.S: excuse me for my bad English :)
NeoThermic
Registered User
Posts: 198
Joined: Fri Jan 02, 2004 3:44 pm
Location: United Kingdom

Re: Password hashing function

Post by NeoThermic »

asgl wrote:
NeoThermic wrote: Blowfish is a block cipher, which does mean that given the key, someone can quickly reverse the results of the encryption. This is not a hashing system, and thus not suitable for such use on a forum (although IIRC OpenBSD uses it for its password storage, ho hum).
This is exactly what I meant: the key is generated by the system during the installation and is saved into the config.php file. Then it's used to encrypt the password, and you get a pseudo-hash. Stealing the key is (theoretically) as impossible as stealing the database password.

P.S: excuse me for my bad English :)
Yes, but giving the admin the ability to reverse the encryption done on the users passwords is a bad thing, as they do have access to the database. That is most of the reason behind this topic WRT MD5.

It also gives rise to the problem that if a user deletes their config.php accidentally, then they have just screwed up their whole forum.

NeoThermic
Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: Password hashing function

Post by Martin Blank »

asgl wrote: this is exactly what I meant: the key is generated by the system during the installation and is saved into the config.php file. then, it's used to crypt the password, and you get a pseudo-hash. stealing the key is (teorically) as impossible as is stealing the database password.
When we refer to encrypting the password, it's not always correct in the common understanding of the word. The password is, more specifically, hashed. Hashes are, ideally, one-way functions; you apply an algorithm to a given initial value to get a hash for which it is computationally infeasible to get the initial value. The purpose of this is obscuring the original password in such a way that nobody at all could recover it.

Remember: When it comes to passwords, trust no one. My girlfriends do not get my passwords, and my wife (whenever I find one) will not get my passwords. Two people log into my server, but we log in with our own accounts. I have real difficulties with any system that allows recovery of a password (we have to deal with one where I work, and it infuriates me).
You can never go home again... but I guess you can shop there.
Limit-Studios
Registered User
Posts: 11
Joined: Sun Jun 06, 2004 3:56 pm

Re: Password hashing function

Post by Limit-Studios »

I plan to remove MD5 for passwords when phpBB3 is released and change it to SHA256 so I can integrate it with my other existing code. It's not because I don't trust MD5; it's just that my CMS system uses SHA256.

If phpBB were to change hashing from MD5 in 3.2, 3.4 or in the future, what would it be likely to go to?
code reader
Registered User
Posts: 653
Joined: Wed Sep 21, 2005 3:01 pm

Re: Password hashing function

Post by code reader »

IMHO, moving from MD5 to any other particular hashing algorithm makes as much sense as the old country story about the farm boys that got stuck in the forest in a rainstorm and rushed to hide under a tree.
One of the boys asked another: "And what shall we do when the tree we hide under becomes soaked and starts dripping on us?" The other boy looked at him with pity and said: "Why, of course, then we will just have to move under another tree!"

What I mean to say is this: if anyone is going to change the current way hashing is done, it has to be by supporting multiple hashing algorithms, and saving in the users table not only the hash, but also the algorithm and salt.
This way code can be written that prioritizes different algorithms (e.g.:

Code:

// pseudocode: pick the strongest hashing routine this server provides
if (function_exists('best_hashing')) {
    use_best_hashing();
} elseif (function_exists('second_best_hashing')) {
    use_second_best_hashing();
}
// etc.

It can even be left to the discretion of the board manager, somewhere in the ACP.

My point is: arguing now about which is the best hashing algorithm is as productive as counting how many angels can dance on the point of a needle.
Once a decision is taken to get away from pure MD5, all hashing algorithms should be made available, including MD5, and including those which do not yet exist when the code is written (remember, PHP can "eval" stuff), and a board should be capable of seamlessly sliding from use of one algorithm to the next, one login at a time.
In short: IMHO this thread has long since exhausted its useful life.
APTX
Registered User
Posts: 680
Joined: Thu Apr 24, 2003 12:07 pm

Re: Password hashing function

Post by APTX »

I'd just watch out with that. If for some reason your server gets updated with a "better" hashing function you could have problems which are difficult to find.

BTW, I might just say (again, I think) that I'd salt any hash because of those "rainbow tables" or whatever.
Don't give me my freedom out of pity!
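The scheme code reader sketches above (store the algorithm and salt in the users table next to the hash, verify with whatever scheme the row was written with, and slide users to the preferred scheme one login at a time), combined with APTX's point about salting, as an added example in Python. This is not phpBB's code and not from any poster; the '$scheme$salt$digest' row layout, the scheme names, PBKDF2 standing in for "best hashing", and the function names are this example's own assumptions.

```python
"""Added example, not phpBB code: users-table rows carry the hashing scheme
and salt next to the digest, verification uses whichever scheme the row was
written with, and a successful login re-hashes the row with the preferred
scheme. The '$scheme$salt$digest' layout, the scheme names and PBKDF2 as the
stand-in for "best hashing" are this example's own assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

HashFn = Callable[[bytes, bytes], bytes]


def _md5_plain(password: bytes, salt: bytes) -> bytes:
    # Legacy unsalted MD5 as phpBB2 stored it; the salt argument is ignored.
    return hashlib.md5(password).digest()


def _sha256_salted(password: bytes, salt: bytes) -> bytes:
    # A per-user salt makes precomputed (rainbow) tables useless.
    return hashlib.sha256(salt + password).digest()


def _pbkdf2_sha256(password: bytes, salt: bytes) -> bytes:
    # Salted and iterated: every guess costs the attacker 100k HMAC calls.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


# Every scheme the board has ever written stays available for verifying old
# rows; only PREFERRED is used when a row is (re)written.
SCHEMES: Dict[str, HashFn] = {
    "pbkdf2-sha256": _pbkdf2_sha256,
    "sha256": _sha256_salted,
    "md5": _md5_plain,
}
PREFERRED = "pbkdf2-sha256"


def make_hash(password: str, scheme: str = PREFERRED,
              salt: Optional[bytes] = None) -> str:
    """Build the stored string '$scheme$salt_hex$digest_hex'."""
    if salt is None:
        salt = b"" if scheme == "md5" else os.urandom(16)
    digest = SCHEMES[scheme](password.encode("utf-8"), salt)
    return "$%s$%s$%s" % (scheme, salt.hex(), digest.hex())


def parse_stored(stored: str) -> Tuple[str, bytes, bytes]:
    """Split a row into (scheme, salt, digest); bare hex is a legacy MD5 row."""
    if not stored.startswith("$"):
        return "md5", b"", bytes.fromhex(stored)
    _, scheme, salt_hex, digest_hex = stored.split("$")
    if scheme not in SCHEMES:
        raise ValueError("unknown hashing scheme: %r" % scheme)
    return scheme, bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(password: str, stored: str) -> bool:
    scheme, salt, digest = parse_stored(stored)
    candidate = SCHEMES[scheme](password.encode("utf-8"), salt)
    # Constant-time compare so response timing does not leak matching bytes.
    return hmac.compare_digest(candidate, digest)


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Login path. Returns (ok, row_to_store): on success with a non-preferred
    scheme the row is rewritten, because the plaintext is only in hand now."""
    if not verify(password, stored):
        return False, stored
    scheme, _, _ = parse_stored(stored)
    if scheme != PREFERRED:
        return True, make_hash(password, PREFERRED)
    return True, stored


if __name__ == "__main__":
    # Constructed sample: a phpBB2-era row is just the bare MD5 hex digest.
    legacy_row = hashlib.md5(b"hunter2").hexdigest()
    ok, new_row = verify_and_upgrade("hunter2", legacy_row)
    print(ok, new_row.split("$")[1])  # True pbkdf2-sha256
```

The failure mode APTX raises (a server update quietly changing what the "best" function is) is handled by tagging each row with the scheme it was written under: a row written under pbkdf2-sha256 keeps verifying under pbkdf2-sha256 even after PREFERRED changes, and it is migrated only on the next successful login, when the plaintext is actually available.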
Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: Password hashing function

Post by Martin Blank »

I'm pulling this one back up not to rekindle the debate, but to mention a new demonstration by Vlastimil Klima of the weakness of MD5.

The code generates a pseudorandom string and finds another string that has the same MD5 hash, and does it in about a minute, give or take (my 1.6GHz notebook averages about 65 seconds). The practical uses for this are less than previous attacks against the scheme, since it doesn't take a given input and the input it does take may be shaped to some extent, but the hash matching is about 50-60 times faster than the last major published attack.

And I thought an hour was fast...
APTX
Registered User
Posts: 680
Joined: Thu Apr 24, 2003 12:07 pm

Re: Password hashing function

Post by APTX »

Well, that might be a problem. That would make MD5 obsolete in file hashing or digital signatures. The passwords should still be secure unless MD5 becomes decryptable.
I'd still like to see password salting along with any new hashing function that may be used though.
Klors
Registered User
Posts: 95
Joined: Fri Sep 19, 2003 2:08 pm

Re: Password hashing function

Post by Klors »

I dread to think what some people's sleep patterns will be like with the advent of quantum computing... :)