The Arcive of Official vBulletin Modifications Site.

Reeve of shinra · #1 08-18-2004, 12:20 PM

<a href="http://news.zdnet.co.uk/internet/security/0,39020375,39163876,00.htm" target="_blank">http://news.zdnet.co.uk/internet/sec...9163876,00.htm</a>

The above article (from cnet actually) talks about recently discoved flaws in the MD5 hash and in SHA-1 algorithm that could theoritically make them susceptible to hackers with an array of PC's.

I guess nothing can last forever, but (to keep it vb related), do you think that vb's double hash + salt password routine will put the block on such attempts as this?

j_86 · #2 08-18-2004, 01:06 PM

This is fairly old news.

MD5 hash's are not backward compatiable, and as described in the article, you may get the possibility that one string may hash into the same MD5 signature as a different string - this has always been the base, but is highly unlikely to happen.

26 letters in the alphabet - a md5 string of (12 or 16 characters? I can't remember) means there there are a HUGE number of possible hash keys.

BUT, not to mention, MD5 uses numbers 0 - 9. 10 digits, in any combination coupled with the 26 letters of any combination gives astronomical numbers of possible combinations.

V-bulletin goes on step further, to increase this randomness and thus reducing the odds even more, that the same key is genreated by using SALT.

Nothing is ever secure, but for we typical users, you don't get more secure realtranslation encryption as MD5. ( not to mention + SALT).

Revan · #3 08-18-2004, 01:18 PM

Plus the fact that unless you hold extremely valuable stuff on your forum, hackers wont bother with the abovementioned array of PCs just to break your password

(this was NOT an attempt to undermine the point of Reeve's post, it was PURELY looking at the vB side of the news. (because it was news to me

))

Modin · #4 08-18-2004, 05:16 PM

There's many projects out there who are compiling a list of md5 hashes and their keys. So yeah, nothing is really "uncrackable". Just keep that in mind when you do stuff on the web, and you'll be fine.

AN-net · #5 08-19-2004, 05:15 AM

wow didn't know that but if someone is going to go through millions of factors in the 2x MD5 + SALT just to get a password i would rather give them an award for wasting a significant amount of time on something so unsignifcant as a forum password

Anyways im shocked that SHA-1 is flawed since its a government standard and i dont feel safe knowing a hacker can now hack in and get government info....

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.03421 seconds Memory Usage 2,195KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (5)post_thanks_box (5)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (5)post_thanks_postbit_info (5)postbit (5)postbit_onlinestatus (5)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!