vb.org Archive


Serge 06-03-2003 08:57 AM

md5 security
 
When someone uses the md5 algourim (sp?) in PHP do they store the md5 word in the sql database, and since it is not encodeable, when someone inputs a password they run it through md5 and then check to see if the passwords are a match? Is this how it is done? And is this how vBulletin does it?

Davey 06-03-2003 09:11 AM

Yes basically.
When you register, your password is hashed.
It can never be unhashed.
Therefore when you log in, the password you enter is hashed and if the two hashes match, it's a password match.

Dave.

PS; SP: Algorithm.

Xenon 06-03-2003 09:15 AM

as for security:
md5 is a standard hashing function, so everyone can use it, and there can already be many lexicons to get the pw from a hash, just by comparing it with hashes of a word list...

to increase security, you should modify the password string with another value beforehand to be prepared for this problem.
(vb3 does that afaik)

Dean C 06-03-2003 10:26 AM

What if you had two passwords which were the same? Would the hash be the same?

- miSt

Xenon 06-03-2003 10:45 AM

the hash of two identical passwords would always be the same if you use the same hashing function :)

but if you combine the hashing function with the userid, it would be possible to get different values ;)

Dean C 06-03-2003 10:53 AM

Hmmm does vb do the latter?

Xenon 06-03-2003 02:15 PM

i don't know exactly but IIRC nope

filburt1 06-03-2003 02:23 PM

FWIW, although hashes are not unique (i.e., two unhashed different strings can create the same MD5 hash), it's extraordinarily, incredibly unlikely that it'll happen.

vB's method:
1. Store an md5 of whatever in the database
2. To authenticate, compare md5(what the user entered on the form) to whatever.

Dean C 06-03-2003 03:22 PM

So if Bob has a password which was "lalala" and Harry had a password which was "lalala" also then they would have the same hash?

- miSt

filburt1 06-03-2003 03:26 PM

Yes.

Davey 06-04-2003 05:23 AM

But the user doesn't see that hash, so they are none the wiser.

Dave.

Dean C 06-04-2003 02:37 PM

But on two different boards... the same passwords would have a different hash?

- miSt

filburt1 06-04-2003 03:51 PM

In vB3, yes, because each vB3 installation has a unique "salt" for generating the hash. In vB2, the salt is the same and your hashed password on one board will be the same as your hashed password on another board, if the two passwords themselves are identical.

Dean C 06-04-2003 05:38 PM

So in fact you could de-crypt md5 like any other code if you took the time?

- miSt

Serge 06-05-2003 12:02 AM

I guess if you took the time, but from what I hear md5 is not meant to be de-crypted, that is why we are comparing the two I guess. Correct me if I'm wrong.

filburt1 06-05-2003 12:03 AM

It's not encrypted or decrypted. Hashing is a one-way algorithm. The only way to effectively "unhash" something is via a brute force attack.

Xenon 06-05-2003 05:08 AM

Dean: as filburt stated, md5 is a hash algorithm (that is, several different strings will produce the same hash),
so it's mathematically impossible to decrypt it.
BUT: it is possible to find a way to find matching passwords if you know the hash, but it's a very hard way, just a little faster than bruteforce maybe ;)
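
Added example, not part of any post in this thread and not vBulletin's code: the three storage schemes the thread touches on, side by side, for the "Bob and Harry both use lalala" question. The function names, the random per-user salt (instead of the user id) and the sample users are assumptions made for illustration; `password_hash()` and `password_verify()` are PHP's built-in functions (PHP 5.5+), and `random_bytes()` needs PHP 7+.

```php
<?php
// Scheme 1, as described in the thread: store md5(password) and compare.
function legacy_hash(string $password): string {
    return md5($password);
}

// Scheme 2, the "modify the password string with another value" idea.
// Assumption: a random per-user salt stored next to the hash.
function salted_hash(string $password, string $salt): string {
    return md5($salt . $password);
}

// Scheme 3: password_hash() picks a random salt, applies a deliberately
// slow algorithm, and returns salt, cost and hash in one storable string.
function modern_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample users taken from the question in the thread.
$users = ['Bob' => 'lalala', 'Harry' => 'lalala'];

$rows = [];
foreach ($users as $name => $password) {
    $salt = bin2hex(random_bytes(8));
    $rows[$name] = [
        'legacy' => legacy_hash($password),
        'salt'   => $salt,
        'salted' => salted_hash($password, $salt),
        'modern' => modern_hash($password),
    ];
}

// Do two users with the same password end up with the same stored value?
foreach (['legacy', 'salted', 'modern'] as $scheme) {
    $same = $rows['Bob'][$scheme] === $rows['Harry'][$scheme];
    printf("%-6s stored values identical: %s\n", $scheme, $same ? 'yes' : 'no');
}

// Login for scheme 2: recompute with the stored salt and compare with
// hash_equals(), which does not leak the mismatch position through timing.
$candidate = salted_hash('lalala', $rows['Bob']['salt']);
printf("salted login accepted: %s\n",
    hash_equals($rows['Bob']['salted'], $candidate) ? 'yes' : 'no');

// Login for scheme 3: password_verify() reads the salt from the stored string.
printf("modern login accepted: %s\n",
    password_verify('lalala', $rows['Harry']['modern']) ? 'yes' : 'no');
```

A salt only stops identical passwords from sharing a stored value and defeats precomputed word-list tables; it does not slow down guessing against a single hash, which is what the slow algorithm behind `password_hash()` adds.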
