Possible to change encryption used in vB?


MaXeL3G3ND
05-31-2008, 11:15 PM
Hello there,

Today I was wondering, is it possible to change the encryption used in vBulletin,
to, for example, let's say whirlpool instead? I also wonder how much work would be needed?

I don't want to hear about converting the passwords that are already stored,
I only want to know how hard it is to change the encryption used? :)

An example of a strong algorithm which works in PHP5 at least (haven't tried in PHP4):

echo hash( 'whirlpool', 'test' );
Which spits out test as a 512-bit whirlpool encryption.

Now I just wonder if anyone could guide me just a tiny bit in what has to be done?

'Cause I can already guess the commands are different if I'm going to try whirlpool.


Thank you for your time.

PS: I wondered which section to put it in, but since it's about PHP programming
I thought this section would fit the best.

PPS: Yes, I already know HTML, CSS, and some PHP, though I don't do advanced stuff.

MoT3rror
05-31-2008, 11:55 PM
Well, you will have to change the md5 encryption in the JavaScript when any password is submitted. You will also have to modify vB_Session::vB_Session if you want to change how cookies are read in the system. You will also need to modify vB_DataManager_User::hash_password. There are probably more places, but that covers a lot right there.
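
Added example (not part of the thread and not vBulletin's own code): a sketch of why the browser-side JavaScript and the server-side hash_password routine named above have to change together. It assumes the stored value has the form H(H(password) . salt) with the inner H computed in the browser; the function names and sample salt are hypothetical.

```php
<?php
// Added illustration; not vBulletin source. Assumes the stored value is
// H(H(password) . salt), with the inner H normally computed in the browser.

// Inner step: what the login form's JavaScript would submit instead of the password.
function client_digest(string $password, string $algo): string
{
    return hash($algo, $password);
}

// Outer step: what the server-side hash_password routine would store.
function stored_hash(string $clientDigest, string $salt, string $algo): string
{
    return hash($algo, $clientDigest . $salt);
}

// Tell old and new rows apart by hex length: md5 = 32, whirlpool = 128.
function algo_for(string $stored): ?string
{
    $byLength = [32 => 'md5', 128 => 'whirlpool'];
    return $byLength[strlen($stored)] ?? null;
}

// Verify against whichever algorithm produced the stored row.
// $digests maps algorithm name => digest the client submitted for it.
function verify(array $digests, string $salt, string $stored): bool
{
    $algo = algo_for($stored);
    if ($algo === null || !isset($digests[$algo])) {
        return false;
    }
    return hash_equals($stored, stored_hash($digests[$algo], $salt, $algo));
}

// Constructed sample data.
$password = 'test';
$salt     = 'a1B';
$digests  = ['md5' => client_digest($password, 'md5'),
             'whirlpool' => client_digest($password, 'whirlpool')];

foreach (['md5', 'whirlpool'] as $algo) {
    $row = stored_hash($digests[$algo], $salt, $algo);
    printf("%-9s %3d hex chars  verify=%s\n", $algo, strlen($row),
        verify($digests, $salt, $row) ? 'ok' : 'FAIL');
}
// A client still sending the other algorithm's digest never matches the stored row.
var_dump(verify(['md5' => $digests['whirlpool']], $salt, stored_hash($digests['md5'], $salt, 'md5')));
```

A column sized for md5's 32 hex characters would truncate the 128-character whirlpool value, so the storage side has to change along with both hashing steps.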

Dismounted
06-01-2008, 09:40 AM
The current hash used in vBulletin is more than enough. And possibly much faster as well.

SEOvB
06-01-2008, 01:07 PM
I think it'd be more hassle than it's worth, even though that's not what you wanted to hear. You'd have to go replace every instance of how the pw is stored and recalled, and all the JavaScript files. Probably an 11/10 on the hard-stuff-to-do meter.

MaXeL3G3ND
06-01-2008, 01:49 PM
Well, it sure would be hard work, though Whirlpool is way more safe than md5.
I work with security, and try to see how many examples you can find on cracking
whirlpool compared to md5. (I didn't find any, only wordlists and bruteforcing might work.)

When compared on speed, it takes approx. 0.005 seconds to spit out an md5 hash.
And when using whirlpool, that takes from approx. 0.005-0.025 seconds, so the
difference is it would be a little slower, compared to that the security on a forum
would suddenly be better.

Thanks anyways for your replies.

@Dismounted --> I'm sorry to say I've seen examples of vB-admin passwords getting
cracked within 7 days several times, and that was strong non-dictionary passwords. :) This is not meant as an offence in any way. ;)

Marco van Herwaarden
06-02-2008, 09:14 AM
AFAIK the vBulletin multiple salted md5 hashes have not been compromised in any way. Also no rainbow tables exist for the vB hash AFAIK.

If you have information that it could be bruteforced or cracked in any way, please send me a PM with the details.

Dismounted
06-03-2008, 04:24 AM
Even dictionary words should not be able to be simply bruteforced.

Simple dictionary word hashed the vBulletin way: 468e7c840e8eb3b2e221dd9caa178d00