The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
|||||||
|
#1
05-31-2008, 11:15 PM
|
|||
|
|||
Possible to change encryption used in vB?
Hello there,
Today i was wondering, is it possible to change the encryption used in vBulletin, to f.ex. lets say whirlpool instead? I also wonder how much work would be needed? I don't want to hear about converting the passwords that are already stored, i only want to know how hard it is possible to change the encryption used?  An example of a strong algorithm which works in PHP5 atleast: (havent tried in PHP4) PHP Code:
Now i just wonder if anyone could guide me just a tiny but in what has to be done? Cause i can already guess the commands are different if i'm going to try whirlpool. Thank you for your time. PS: I wondered which section to put it in, but due to it's about php programming i thought this section would fit the best. PPS: Yes i already know html, css, and some php already though i don't do advanced stuff. 
|
|
#2
05-31-2008, 11:55 PM
|
|||
|
|||
|
Well you will have to change the md5 encryption in the javascript when any password is submitted. You will also have to modify vB_Session::vB_Session if you want to change how cookies are read in the system. You will also need to modify vB_DataManager_User::hash_password. There is probably more places but that covers a lot right there.
|
|
#3
06-01-2008, 09:40 AM
|
||||
|
||||
|
The current hash used in vBulletin is more than enough. And possibly much faster as well.
|
|
#4
06-01-2008, 01:07 PM
|
||||
|
||||
|
I think it'd be more hassle then its worth evne though thats not want you wanted to hear. you'd hve to go replace every instance of how the pw is stored, and recalled and all the javascript files. Probably an 11/10 on the hard stuff to do meter
|
|
#5
06-01-2008, 01:49 PM
|
|||
|
|||
|
Well it sure would be hard work, though Whirlpool is way more safe than md5.
I work with security, and try see how many examples you can find on cracking whirlpool compared to md5. (i didn't find any, only wordlists and bruteforcing might work). When compared to speed, it takes 0.005 seconds to spit out an md5 hash aprox. And when using whirlpool, that takes from 0.005-0.025 seconds aprox, so the difference is it would be a little slower, compared to that the security on a forum would suddenly be better. Thanks anyways for your replies. @Dismounted --> I'm sorry to say i've seen examples of vB-admin passwords getting cracked within 7 days several times, and that was strong non-dictionary passwords. This is not ment as an offence in anyway. 
|
|
#6
06-02-2008, 09:14 AM
|
|||
|
|||
|
AFAIK the vBulletin multiple salted md5 hashes have not been compromised in any way. Also no rainbow tables exist for the vB hash AFAIK.
If you have information that it could be bruteforced or cracked in anyway, please sent me a PM with the details.
|
|
#7
06-03-2008, 04:24 AM
|
||||
|
||||
|
Even dictionary words should not be able to be simply bruteforced.
Simple dictionary word hashed the vBulletin way: 468e7c840e8eb3b2e221dd9caa178d00
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 08:20 PM.