Password hashing function

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: Password hashing function

Post by Martin Blank »

Well, some of them are clearly in areas where all the local silos have been decommissioned, which are verified by the IAEA and Russian military, so they'd be safer.

Besides, how many guys can honestly say, "Come on inside, baby, and I'll show you my silo?"
You can never go home again... but I guess you can shop there.

Roberdin
Registered User
Posts: 1546
Joined: Wed Apr 09, 2003 8:44 pm
Location: London, United Kingdom

Re: Password hashing function

Post by Roberdin »

Ya better hope she's not a blonde.

"What does this button do?"
"NO- "
[Computer Voice] "Target identified: Moscow city centre. ICBM launch initiated."

:P ;) No offence :)

But seriously, I see nothing wrong with a little paranoia. "I'm not paranoid - they really are after me!"
Rob

Kinetix
Registered User
Posts: 10
Joined: Sat Sep 04, 2004 1:10 am
Location: Area 51B

Re: Password hashing function

Post by Kinetix »

I haven't heard about a phpBB board getting hacked via cookies. Not something that happens often, you know. Most hacks are done by SQL injection, since it's the simplest way once you find a hole.

I highly doubt MD5 will be an issue. The easiest way to secure phpBB is with 2 things, IMO:
1. You have the choice to change your db prefix for a reason. Don't just set it to phpbb_, you can think of something better.
2. Read all get and post vars and match them for SQL injection queries. Such as UNION...

And off-topic, I know we're not to discuss bugs, but what's up with the language errors? Alt text for some buttons is SEND_EMAIL and such.

Kinetix
Registered User
Posts: 10
Joined: Sat Sep 04, 2004 1:10 am
Location: Area 51B

Re: Password hashing function

Post by Kinetix »

Ugh, ignore what I said above about the language errors. I need to learn to search.

sparkster
Registered User
Posts: 182
Joined: Mon Jan 05, 2004 1:18 am

Re: Password hashing function

Post by sparkster »

Couldn't be bothered to check usernames, but whoever was putting crap on Martin is a toss. Maybe he doesn't have any super sensitive info, but what does a little security hurt? I use extensive security on my server and home computer; tell me what it hurts. And while you're at it, just post your login details to your hosting account...

Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Now can we consider this a more immediate issue?

Post by Martin Blank »

I said it a year ago -- the attacks would get better. Now there's a program that can come up with a collision hundreds of times faster than I first suggested. Average time to find a collision is about one hour on a 1.6GHz CPU (I'm testing it on my own laptop, which has a 1.6GHz CPU, to validate the claim), and they're looking for further optimizations.

I have looked into simpler options, but unfortunately, they are few and far between. PHP has built-in hash functions for only CRC32, MD5, and SHA1. Building and including the appropriate functions for SHA256 shouldn't be that hard to do, and they wouldn't need to be calculated except on explicit login, so load shouldn't be too much of an issue. SHA256, even if found similarly vulnerable to SHA1, is still far, far more secure than SHA1 (2^96 times, assuming no attacks specific to SHA256). Current weaknesses reduce the average chance of collisions in SHA1 from 2^80 to 2^61; similar weaknesses would reduce SHA256 from 2^128 to 2^109 -- still markedly more secure than even the basic SHA1 algorithm.

I should point out, since I didn't before, that obtaining the hashes for users is not impossible. A malicious user could use a SQL injection attack to obtain the information quietly, and then use that information on other locations where the users may go (webmail sites, journals, maybe even banking or other truly sensitive sites). Even worse, a malicious server admin could gain access to the database and be able to come up with usable substitutes for hundreds, even thousands of users, even if the forum admins themselves do not have a malicious cell in their body. Are there more likely modes of attack? Yes, there are. Is this a showstopper? No, it's not. Not yet, anyway. But it's my sincere belief that it should be considered for the 3.2 release.
You can never go home again... but I guess you can shop there.

Mr.Jester
Registered User
Posts: 25
Joined: Sun Sep 12, 2004 9:28 pm

Re: Now can we consider this a more immediate issue?

Post by Mr.Jester »

"Are there more likely modes of attack? Yes, there are."

I think this will be the case for some time. It is FAR easier to exploit a security hole in one of the hundreds of apps on a server than it is to find a collision in MD5. You are, in the big scheme of things, just as likely to brute force a single password. Not to mention, you would probably take down a server if you were looking for a collision or brute force. You still have to make the authorization in the first place.

Not to mention, if you are going to hack the admin for a forum and go through the trouble of fighting MD5, WTH are you bothering with the forums admin.. root or any number of other users would be a much better solution. Again, goes to the quote.

This is not to say it should be ignored, just to say don't overplay the probability of a successful MD5 attack.

smithy_dll
Registered User
Posts: 461
Joined: Tue Jan 08, 2002 6:27 am
Location: Australia

Re: Password hashing function

Post by smithy_dll »

You would have to break into the server's software in order to get the MD5 hash in the first place (or be the server administrator).
phpBB, its open source, become involved, write a modification!
Modifications Database | MOD Development Forum Rules | MOD Studio

Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: Now can we consider this a more immediate issue?

Post by Martin Blank »

Mr.Jester wrote: I think this will be the case for some time. It is FAR easier to exploit a security hole in one of the hundreds of apps on a server than it is to find a collision in MD5.
Collision found on my laptop workstation (1.6GHz CPU, 1GB RAM) in 47 minutes, 3 seconds, using the software at the link I provided running under Cygwin. Not immediately useful, but a lot faster than brute-forcing it.
Mr.Jester wrote: Not to mention, you would probably take down a server if you were looking for a collision or brute force. You still have to make the authorization in the first place.
You're thinking very narrowly -- "How do I brute-force this particular use of MD5?" I'm thinking more broadly -- "If I can get these MD5 hashes, then what else outside of this particular forum can I get to using values that return an identical hash?" Your thinking is also rather straightforward, whereas I'm considering this the way that a serious threat would.
Mr.Jester wrote: Not to mention, if you are going to hack the admin for a forum and go through the trouble of fighting MD5, WTH are you bothering with the forum's admin.. root or any number of other users would be a much better solution. Again, goes to the quote.
Gain MD5 hash for a forum admin running his own server, then run it through md5coll, then login as root (or even as him, if he's smart enough to block root SSH login but dumb enough to use a predictable name). There's a fair chance that you'll gain access through duplicate password use, because the server (presuming much of *nix) will take the value sent as the password, find the MD5 hash, and then check it against /etc/shadow. If it matches, he's in.
Mr.Jester wrote: This is not to say it should be ignored, just to say don't overplay the probability of a successful MD5 attack.
One should not underplay it, either.
You can never go home again... but I guess you can shop there.
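An added example, written for this page rather than taken from Martin Blank's posts or from phpBB, and in Python's hashlib rather than PHP, to illustrate the two posts above: why a dump of unsalted MD5 hashes is reusable against every other site where the same passwords were chosen, and what a salted, iterated hash changes. One caveat a practitioner would want stated: an md5coll-style result is a collision, two inputs the attacker chose that hash alike; producing an input that matches an already stored hash is a second-preimage problem, which those tools do not solve. The cross-site reuse risk in the thread comes from the hashes being unsalted and cheap to compute, which is what the lookup table below exploits and what a salt defeats (a salted crypt in /etc/shadow gives the same password an unrelated digest). The stored-string format, the iteration count and the wordlist are assumptions for the example; the last helper only restates the generic birthday bound from the post, 2^(n/2) evaluations.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative work factor; not a value from any phpBB release


def md5_unsalted(password):
    """What the thread says the board stores: a bare MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The record format is
    hypothetical for this example: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute under the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def lookup_table(wordlist):
    """Precomputed MD5 -> password table: built once, reusable against any dump
    of unsalted hashes from any site, which is the reuse scenario in the thread."""
    return {md5_unsalted(w): w for w in wordlist}


def crack_unsalted(hashes, table):
    """Dictionary lookup; cost is one hash per word regardless of how many
    users or sites the hashes came from."""
    return {h: table[h] for h in hashes if h in table}


def crack_salted(stored_records, wordlist):
    """Against salted records the table is useless: each record needs its own
    pass over the wordlist, and each guess costs a full PBKDF2 run."""
    found = {}
    for stored in stored_records:
        for word in wordlist:
            if verify_salted(word, stored):
                found[stored] = word
                break
    return found


def generic_collision_bits(output_bits):
    """Birthday bound: a generic collision search costs about 2^(n/2) hashes
    for an n-bit output, so 80 for SHA-1 and 128 for SHA-256."""
    return output_bits // 2


if __name__ == "__main__":
    # Constructed wordlist and users, not real credentials.
    words = ["letmein", "password1", "correct horse", "hunter2"]
    table = lookup_table(words)
    dump = [md5_unsalted("password1"), md5_unsalted("password1"), md5_unsalted("s3cret-admin")]
    print("identical passwords give identical unsalted hashes:", dump[0] == dump[1])
    print("table hits:", crack_unsalted(dump, table))
    rec_a = hash_salted("password1", iterations=2000)
    rec_b = hash_salted("password1", iterations=2000)
    print("same password, two salts, different records:", rec_a != rec_b)
    print("salted records need per-record work:", crack_salted([rec_a, rec_b], words))
    print("generic SHA-256 vs SHA-1 collision gap: 2^%d"
          % (generic_collision_bits(256) - generic_collision_bits(160)))
```

The gap the last line prints is the generic figure only: 2^80 against 2^128 is a factor of 2^48 before any algorithm-specific attack is taken into account.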

NeoThermic
Registered User
Posts: 198
Joined: Fri Jan 02, 2004 3:44 pm
Location: United Kingdom

Re: Password hashing function

Post by NeoThermic »

I also have to note, I've been unable to find any links to proof of attacks on input data which is less than 1024 bits. The user of a phpBB system is actually limited to a password of 32 characters, so we are a good deal short on the 1024 bits that seems to be required at minimum for the attacks.

As was noted as well, there's not much you'll be able to go to either. SHA1 needs 4.3.x (notwithstanding the fact that SHA1 has nearly the same problems as MD5), while SHA256/512 are not generally available in PHP.

For phpBB 3.0, this isn't something major to worry about. Who knows though, we might have to consider other ideas for 3.2 or 3.4, but unless something drastic happens, there's not much to go to, and I doubt we will be seeing a switch to SHA256 or higher.

As a final note, as is pointed out in this topic a few times, if you, as an outside attacker, can obtain MD5 hashes, then you've already got enough access to do more than that (such as change passwords, etc). If you're using the same passwords over many different login systems, that isn't the fault of any software, just you.

Food for thought...

NeoThermic
phpBB release date pool!
The NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. || It's NeoThermic (from the Japanese 新熱です)
