The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
Secure BCrypt Password Hashing Details »» | ||||||||||||||||||||||||||
This is a 'howto' for using bcrypt for your password hashs, instead of the default vBulletin one, which is highly insecure.
Remember, backup your database before doing this!! Quote:
More information about BCrypt can be found here: http://codahale.com/how-to-safely-store-a-password/ - http://phpmaster.com/why-you-should-...red-passwords/ tl;dr: if you want to be moar secure, use bcrypt. " How much slower is bcrypt than, say, MD5? Depends on the work factor. Using a work factor of 12, bcrypt hashes the password 'password' in about 0.3 seconds on my laptop. MD5, on the other hand, takes less than a nanosecond." BEFORE YOU DO THIS, PLEASE CREATE A .PHP FILE WITH THIS IN IT Code:
<?php if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) { echo "CRYPT_BLOWFISH is enabled!"; } else { echo "CRYPT_BLOWFISH is not available"; } /includes/functions.php Add this to the end, just before the footer message. Code:
/** * * Hash 'password' using the crypt() function w/ bcrypt * Use the first 21 characters of the MD5(strrev($salt)) as our bcrypt salt * Return the MD5 return of this crypt() call, to maintain database functionality. The main part of our security is kept(making hashing, thus cracking, longer). * This should always be called like hash_password_bcrypt(md5(md5($password) . $salt), $salt) **/ function hash_password_bcrypt($password, $salt) { //You may set this to your liking. A higher cost means it will take longer for the password to hash. 15 seems to be a good value. $cost = 15; // must be in range 04 - 31 return md5(crypt($password, '$2y$' . $cost . '$' . substr(md5(strrev($salt)),0,21) . '$')); } includes/class_dm_user.php Now.. Find this: Code:
if ($password == md5(md5($this->fetch_field('username')) . $salt)) Code:
if ($password == $this->hash_password($this->fetch_field('username'), $salt)) Then, on the same file, replace this: Code:
return md5($password . $salt); Code:
//No need to md5($password), since it is already md5'd above. return hash_password_bcrypt(md5($password . $salt), $salt); includes/functions_login.php Find this: Code:
$vbulletin->userinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $vbulletin->userinfo['salt']), '') AND $vbulletin->userinfo['password'] != iif($md5password, md5($md5password . $vbulletin->userinfo['salt']), '') AND $vbulletin->userinfo['password'] != iif($md5password_utf, md5($md5password_utf . $vbulletin->userinfo['salt']), '') Code:
$vbulletin->userinfo['password'] != iif($password AND !$md5password, hash_password_bcrypt(md5(md5($password) . $vbulletin->userinfo['salt']), $vbulletin->userinfo['salt']), '') AND $vbulletin->userinfo['password'] != iif($md5password, hash_password_bcrypt(md5($md5password . $vbulletin->userinfo['salt']), $vbulletin->userinfo['salt']), '') AND $vbulletin->userinfo['password'] != iif($md5password_utf, hash_password_bcrypt(md5($md5password_utf. $vbulletin->userinfo['salt']), $vbulletin->userinfo['salt']), '') So effectively, we are hashing the password using the normal vBulletin way of md5(md5($password) . $vbulletin->userinfo['salt']) however after doing that, we then run hash_password_bcrypt() around it. By doing it this way, we can now convert our old hashes to the new bcrypt method. Create a file called "convert.php", with the contents: Code:
<?php require("./global.php"); set_time_limit(0); ini_set('max_execution_time',0); $q = $db->query_read("select userid, username, password, salt from user WHERE password != ''"); echo "Updating " . $db->num_rows($q) . " accounts.<br />\n"; while($r = $db->fetch_array($q)){ $db->query_write("UPDATE user SET password = '" . hash_password_bcrypt($r['password'], $r['salt']) . "' WHERE userid = '" . $r['userid'] . "'"); echo "Updated password for " . htmlspecialchars($r['username']) . "<br />\n"; } echo "Finished.<br />\n"; ?> Show Your Support
|
2 благодарности(ей) от: | ||
Brandon Sheley, ChiNa |
Comments |
#22
|
|||
|
|||
I just wanted to say thank you for creating this. MD5 needs to die a strong death. Do you know how hard it would be to implement on vb3? I have a client that uses it and I would love to get them away from MD5.
|
#23
|
|||
|
|||
OP's explanation should work for vBulletin 3 as well since the code structure is almost the same.
|
#24
|
|||
|
|||
Is it me or does it take longer to log in?
|
#25
|
|||
|
|||
It's a slower algorithm, but you should definitely not notice it. How slow are we talking about? Any other plugins which could affect it?
|
#26
|
|||
|
|||
Quote:
Code:
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/site/public_html/includes/functions_login.php on line 167 Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/site/public_html/includes/functions.php on line 5131 REDIRECTING... Thank you for logging in, admin. Click here if your browser does not automatically redirect you. X VBULLETIN 4.2.1 DEBUG INFORMATION Page Generation 5.55788 seconds Memory Usage 9,080KB Queries Executed 14 (?) More Information Template Usage (16): (1)STANDARD_REDIRECT (1)ad_footer_end (1)ad_footer_start (1)ad_global_above_footer (1)ad_global_below_navbar (1)ad_global_header1 (1)ad_global_header2 (1)ad_navbar_below (1)footer (1)gobutton (1)header (1)headinclude (1)headinclude_bottom (1)navbar_notifications_menubit (1)spacer_close (1)spacer_open Phrase Groups Available (1): global Included Files (20): ./login.php ./global.php ./includes/class_bootstrap.php ./includes/init.php ./includes/class_core.php ./includes/functions.php ./includes/functions_navigation.php ./includes/class_hook.php ./includes/class_bootstrap_framework.php ./vb/vb.php ./vb/phrase.php ./includes/class_friendly_url.php ./includes/functions_facebook.php ./includes/functions_login.php ./includes/functions_misc.php ./includes/functions_notice.php Hooks Called (33): init_startup database_pre_fetch_array database_post_fetch_array fetch_userinfo_query fetch_musername fetch_userinfo global_bootstrap_init_start global_bootstrap_init_complete cache_permissions load_show_variables load_forum_show_variables global_state_check global_bootstrap_complete global_start style_fetch global_setup_complete login_verify_success fetch_session_complete login_process login_redirect redirect_generic cache_templates cache_templates_process template_register_var template_render_output fetch_template_start fetch_template_complete parse_templates notices_check_start friendlyurl_resolve_class friendlyurl_geturl notifications_list process_templates_complete |
#27
|
|||
|
|||
Well my only guess is that you made a mistake somewhere, double check the changes you did and make sure it matches the ones of OP.
|
#28
|
|||
|
|||
Quote:
--- I reverted login time gone back to normal. Do not use this if your board is 10k members plus. |
#29
|
|||
|
|||
I've installed this on boards with 100k+ members, this is not something caused by the script.
|
Thread Tools | |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|