Change Hash Method


Forgott3n
03-08-2008, 10:32 PM
Hello,

I'm looking to change the way my vB hashes the passwords for users. I want to add another md5() around the current method.

How do I go about doing this?

Due to overwhelming attempts (some successful) to retrieve and crack hashes I want to make my hash method original, thereby thwarting hackers.

Thanks!

Dismounted
03-09-2008, 02:27 AM
The current system is more than adequate. The question is, how are people retrieving the hashes in the first place? If you have the login strikes system on, it would take several years to crack the first hash.

Forgott3n
03-09-2008, 02:32 AM
They use a MySQL injection that outputs admin hashes on the page. Then, using vB hacking tools, they can use their favourite dictionary list and find the password.

[edit] I know vB uses something like md5(md5($password . $salt)); but the tools hackers have circumvent it. If they have the hash, they can match it against a dictionary list.

Dismounted
03-09-2008, 02:48 AM
Then you have a problem if they can inject MySQL, and if they can do that, you'd better start worrying about your whole database, not just your passwords. The exploit probably comes from a vulnerable modification; I suggest disabling all of them until you find the culprit. You don't seem to know how serious such a vulnerability is.

You can't match such hashes against a dictionary list. I don't think any dictionary has lists of 35 random characters and their non-hashed equivalents... It is true you can do that with single MD5 hashes, but the system vBulletin uses cannot be matched up (easily) with rainbow tables. There is no easy way to "decrypt" hashes, as all hashes are designed to be "one-way". They are normally cracked using rainbow tables, or brute-forcing, which cannot easily be done with vBulletin hashes.
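An added example, not from the thread or from vBulletin's own code, that models the scheme as the posts describe it (md5(md5($password . $salt))) and the extra md5() the original poster proposes. It shows the defender's view of both points above: the per-user salt is what makes precomputed tables useless, one more md5() adds only a single cheap operation per guess, and key stretching (here PBKDF2-HMAC-SHA256 from the standard library, a swap-in not discussed on the page) is what actually raises the cost of each guess. The salt and passwords are constructed values.

```python
import hashlib
import hmac
import os
import time


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def vb_style_hash(password: str, salt: str) -> str:
    """The scheme as the thread describes it: md5(md5(password . salt))."""
    return md5_hex(md5_hex(password + salt))


def wrapped_hash(password: str, salt: str) -> str:
    """The original poster's proposal: one more md5() around the existing hash.
    This is one extra constant-time operation per guess, not a harder problem."""
    return md5_hex(vb_style_hash(password, salt))


def stretched_hash(password: str, salt: str, iterations: int = 100_000) -> str:
    """Key stretching: every guess now costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations).hex()


def verify(stored: str, candidate: str, salt: str, scheme) -> bool:
    """Constant-time comparison of a stored hash against one candidate."""
    return hmac.compare_digest(stored, scheme(candidate, salt))


def salt_defeats_precomputation(password: str, salts) -> bool:
    """Same password, different salts -> different stored hashes, so a table
    precomputed from passwords alone cannot be looked up against them."""
    return len({vb_style_hash(password, s) for s in salts}) == len(set(salts))


def time_per_guess(scheme, salt="c0nstructed", password="correct horse", rounds=200) -> float:
    """Seconds one candidate guess costs under a scheme (the attacker's work factor)."""
    start = time.perf_counter()
    for _ in range(rounds):
        scheme(password, salt)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    salt = os.urandom(3).hex()  # constructed; the real vB salt format is not shown here
    for name, scheme, rounds in [("vb-style", vb_style_hash, 2000),
                                 ("extra md5", wrapped_hash, 2000),
                                 ("pbkdf2", stretched_hash, 5)]:
        print(f"{name:10s} {time_per_guess(scheme, salt, rounds=rounds) * 1e6:12.1f} us per guess")
```

The printed numbers make the point of the thread concrete: the md5-based schemes verify a guess in microseconds whether or not the extra md5() is present, while the stretched scheme costs tens of milliseconds per guess.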