Mini Mods - Secure BCrypt Password Hashing (https://vborg.vbsupport.ru/showthread.php?t=288450)

MegaManSec 09-29-2012 09:05 PM

Oh. I see what you mean. I thought you were referring to hash cracking.
MD5 collisions aren't such a problem in vBulletin, really.

+ Also, it would take a lot longer to find a hash collision...

Adrian Schneider 09-29-2012 09:07 PM

It has nothing to do with vBulletin.

If someone hacks into your server and gets your database dump, they can brute force that to find other possible passwords for your users.

The whole point of BCrypt is to make that impossible by A) being ridiculously slow, and B) being a more cryptographically unique hash.

MegaManSec 09-29-2012 09:10 PM

Quote:

Originally Posted by Adrian Schneider (Post 2369628)
It has nothing to do with vBulletin.

If someone hacks into your server and gets your database dump, they can brute force that to find other possible passwords for your users.

The whole point of BCrypt is to make that impossible by A) being ridiculously slow, and B) being a more cryptographically unique hash.

Well, BCrypt is not impossible to brute force, it just takes longer, as you've said.


First of all, if they cracked the MD5, what would they get?
They would get the bcrypt value.
Then what? Then they have to crack that.
That's the point.

MegaManSec 09-29-2012 09:40 PM

Quote:

Originally Posted by Adrian Schneider (Post 2369628)
It has nothing to do with vBulletin.

If someone hacks into your server and gets your database dump, they can brute force that to find other possible passwords for your users.

The whole point of BCrypt is to make that impossible by A) being ridiculously slow, and B) being a more cryptographically unique hash.

Wait, so are you talking about:

Dictionary Attacks, or
Rainbow Tables
or hash collisions?

Hash collisions aren't useful, afaik.. they just let you login to your account (or NOT your account) with more than just one password.

Fluke667 10-02-2012 10:22 PM

NICE :)

this rocks

Skyrider 01-23-2015 02:58 PM

I have a feeling that after using this, the forums login/reset wise is actually much slower.

Dave 01-23-2015 03:04 PM

Quote:

Originally Posted by Skyrider (Post 2534127)
I have a feeling that after using this, the forums login/reset wise is actually much slower.

Generating the password hash with BCrypt is a bit slower than MD5, but you shouldn't notice any difference on the average server.

Note: the slower the algorithm (and amount of iterations/cost), the longer it takes to brute force passwords, which is a good thing.

kh99 01-23-2015 03:24 PM

Quote:

Originally Posted by Skyrider (Post 2534127)
I have a feeling that after using this, the forums login/reset wise is actually much slower.

If you look at the second piece of code posted above there's a "cost" factor which can be adjusted so that users don't see an objectionable delay.
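
The cost/delay trade-off discussed in the last two replies, as an added example that is not part of the thread and is not the mod's code: it benchmarks bcrypt on the current server, picks the highest cost that stays within a target delay, and upgrades an older low-cost hash at login. It assumes PHP 7 or later with the built-in `password_hash()` API; `TARGET_MS`, the cost bounds, the function names and the sample password are illustrative.

```php
<?php
// Added example (not the mod's code): choose a bcrypt cost for this server.
// TARGET_MS, the cost bounds and the sample password are assumptions.

const TARGET_MS = 250.0;   // assumed acceptable delay per login
const MIN_COST  = 10;      // floor: never go below this, even on slow hosts
const MAX_COST  = 16;      // ceiling to keep the benchmark itself short

/** Time one bcrypt hash at the given cost, in milliseconds. */
function bcrypt_ms(int $cost): float
{
    $start = microtime(true);
    password_hash('benchmark-only-password', PASSWORD_BCRYPT, ['cost' => $cost]);
    return (microtime(true) - $start) * 1000.0;
}

/** Highest cost whose single-hash time stays within the target. */
function calibrate_cost(float $targetMs = TARGET_MS): int
{
    $chosen = MIN_COST;
    for ($cost = MIN_COST; $cost <= MAX_COST; $cost++) {
        if (bcrypt_ms($cost) > $targetMs) {
            break;          // each +1 roughly doubles the work, so stop here
        }
        $chosen = $cost;
    }
    return $chosen;
}

/** Verify a login and return a replacement hash if the stored one is too cheap. */
function check_login(string $password, string $storedHash, int $cost): array
{
    $ok = password_verify($password, $storedHash);
    $rehash = $ok && password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost]);
    return ['ok' => $ok, 'new_hash' => $rehash
        ? password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost])
        : null];
}

$cost = calibrate_cost();
$old  = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]); // constructed legacy low-cost hash
$res  = check_login('correct horse', $old, $cost);
printf("cost=%d ok=%s upgraded=%s\n", $cost, var_export($res['ok'], true),
       var_export($res['new_hash'] !== null, true));
```

Because the cost is stored inside each bcrypt hash, raising it later does not invalidate existing hashes; they can be upgraded one at a time as users log in.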

MegaManSec 09-06-2015 10:40 PM

Updated with a method to set passwords :)

ChiNa 09-30-2015 01:33 PM

Great Job and a Very good Idea. I have had my friend's vB4.x forums hacked where the hackers later Published all forum Users Usernames, Email, and MD5 Password Hashes out in Public. I know by facts that they hacked their way in by decrypting the Admin Password somehow. And NOT by Brute Forcing their way in. We suspected that they got in because of a Custom Skin installed on the forum that was vulnerable.

I am not saying it's not possible to Hack or Decrypt a Password by Brute Forcing, But I would rather Secure my forum and Passwords a bit Extra than just leaving the doors open and Welcome them! At least they would use more time to Crack the Passwords.

Thumbs up and Well Done.

Ps, I assume you could use the same method for vB3.8. So I hope you will create a version for vBulletin 3.8 Users too.

