Go Back   vb.org Archive > vBulletin Modifications > vBulletin 4.x Modifications > vBulletin 4.x Add-ons
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
Secure BCrypt Password Hashing Details »»
Secure BCrypt Password Hashing
Version: 2.00, by MegaManSec MegaManSec is offline
Developer Last Online: Dec 2016 Show Printable Version Email this Page

Category: Mini Mods - Version: 4.x.x Rating:
Released: 09-28-2012 Last Update: Never Installs: 15
Re-useable Code Code Changes Translations  
No support by the author.

This is a 'howto' for using bcrypt for your password hashs, instead of the default vBulletin one, which is highly insecure.

Remember, backup your database before doing this!!

Quote:
bcrypt is a key derivation function for passwords designed by Niels Provos and David Mazi?res, based on the Blowfish cipher, and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

More information about BCrypt can be found here: http://codahale.com/how-to-safely-store-a-password/ - http://phpmaster.com/why-you-should-...red-passwords/

tl;dr: if you want to be moar secure, use bcrypt.


" How much slower is bcrypt than, say, MD5? Depends on the work factor. Using a work factor of 12, bcrypt hashes the password 'password' in about 0.3 seconds on my laptop. MD5, on the other hand, takes less than a nanosecond."


BEFORE YOU DO THIS, PLEASE CREATE A .PHP FILE WITH THIS IN IT
Code:
<?php
if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
    echo "CRYPT_BLOWFISH is enabled!";
}
else {
    echo "CRYPT_BLOWFISH is not available";
}
If it is not available, please contact your host.




/includes/functions.php
Add this to the end, just before the footer message.

Code:
/**
 * 
 * Hash 'password' using the crypt() function w/  bcrypt
 * Use the first 21 characters of the MD5(strrev($salt)) as our bcrypt salt
 * Return the MD5 return of this crypt() call, to maintain database functionality. The main part of our security is kept(making hashing, thus cracking, longer).

 * This should always be called like hash_password_bcrypt(md5(md5($password) . $salt), $salt)
 **/
function hash_password_bcrypt($password, $salt) {
       //You may set this to your liking. A higher cost means it will take longer for the password to hash. 15 seems to be a good value.
       $cost = 15; // must be in range 04 - 31

     return md5(crypt($password, '$2y$' . $cost . '$' . substr(md5(strrev($salt)),0,21) . '$'));

}


includes/class_dm_user.php
Now..

Find this:
Code:
                        if ($password == md5(md5($this->fetch_field('username')) . $salt))
and replace it with this:
Code:
                        if ($password == $this->hash_password($this->fetch_field('username'), $salt))
(Note to self.. Why does the original code use this implicit hashing rather than the hash_password function? hash_password takes cares of md5 stuff already if it's not already md5)


Then, on the same file, replace this:
Code:
return md5($password . $salt);
with this
Code:
//No need to md5($password), since it is already md5'd above.
return hash_password_bcrypt(md5($password . $salt), $salt);



includes/functions_login.php


Find this:
Code:
                       $vbulletin->userinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $vbulletin->userinfo['salt']), '') AND
                       $vbulletin->userinfo['password'] != iif($md5password, md5($md5password . $vbulletin->userinfo['salt']), '') AND
                       $vbulletin->userinfo['password'] != iif($md5password_utf, md5($md5password_utf . $vbulletin->userinfo['salt']), '')
And replace it with this:

Code:
                       $vbulletin->userinfo['password'] != iif($password AND !$md5password, hash_password_bcrypt(md5(md5($password) . $vbulletin->userinfo['salt']), $vbulletin->userinfo['salt']), '') AND
                       $vbulletin->userinfo['password'] != iif($md5password, hash_password_bcrypt(md5($md5password . $vbulletin->userinfo['salt']), $vbulletin->userinfo['salt']), '') AND
                       $vbulletin->userinfo['password'] != iif($md5password_utf, hash_password_bcrypt(md5($md5password_utf. $vbulletin->userinfo['salt']), $vbulletin->userinfo['salt']), '')

So effectively, we are hashing the password using the normal vBulletin way of
md5(md5($password) . $vbulletin->userinfo['salt'])
however after doing that, we then run hash_password_bcrypt() around it.

By doing it this way, we can now convert our old hashes to the new bcrypt method.

Create a file called "convert.php", with the contents:
Code:
<?php
require("./global.php");
set_time_limit(0);
ini_set('max_execution_time',0);

$q = $db->query_read("select userid, username, password, salt from user WHERE password != ''");
 
echo "Updating " . $db->num_rows($q) . " accounts.<br />\n";


while($r = $db->fetch_array($q)){
    $db->query_write("UPDATE user SET password = '" . hash_password_bcrypt($r['password'], $r['salt']) . "' WHERE userid = '" . $r['userid'] . "'");
     echo "Updated password for " . htmlspecialchars($r['username']) . "<br />\n";
}
 
echo "Finished.<br />\n";
?>
I recommend running the script in a terminal, however you may be able to run it in a browser. If you run it in the browser, it may time out!

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
2 благодарности(ей) от:
Brandon Sheley, ChiNa

Comments
  #22  
Old 10-24-2015, 06:44 PM
Eruantien Eruantien is offline
 
Join Date: Jan 2009
Posts: 187
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I just wanted to say thank you for creating this. MD5 needs to die a strong death. Do you know how hard it would be to implement on vb3? I have a client that uses it and I would love to get them away from MD5.
Reply With Quote
  #23  
Old 10-24-2015, 07:38 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Eruantien View Post
I just wanted to say thank you for creating this. MD5 needs to die a strong death. Do you know how hard it would be to implement on vb3? I have a client that uses it and I would love to get them away from MD5.
OP's explanation should work for vBulletin 3 as well since the code structure is almost the same.
Reply With Quote
  #24  
Old 01-06-2016, 05:16 PM
EvoDarrenshan EvoDarrenshan is offline
 
Join Date: May 2014
Posts: 39
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Is it me or does it take longer to log in?
Reply With Quote
  #25  
Old 01-06-2016, 05:18 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

It's a slower algorithm, but you should definitely not notice it. How slow are we talking about? Any other plugins which could affect it?
Reply With Quote
  #26  
Old 01-06-2016, 06:13 PM
EvoDarrenshan EvoDarrenshan is offline
 
Join Date: May 2014
Posts: 39
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Dave View Post
It's a slower algorithm, but you should definitely not notice it. How slow are we talking about? Any other plugins which could affect it?
I noticed it soon as i done the change like 1-3 seconds difference also when users register it doesn't set the bcrypt algorithm...

Code:
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/site/public_html/includes/functions_login.php on line 167

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/site/public_html/includes/functions.php on line 5131
REDIRECTING...
Thank you for logging in, admin.
Click here if your browser does not automatically redirect you.
X VBULLETIN 4.2.1 DEBUG INFORMATION
Page Generation 5.55788 seconds Memory Usage 9,080KB Queries Executed 14 (?)
More Information
Template Usage (16):
(1)STANDARD_REDIRECT
(1)ad_footer_end
(1)ad_footer_start
(1)ad_global_above_footer
(1)ad_global_below_navbar
(1)ad_global_header1
(1)ad_global_header2
(1)ad_navbar_below
(1)footer
(1)gobutton
(1)header
(1)headinclude
(1)headinclude_bottom
(1)navbar_notifications_menubit
(1)spacer_close
(1)spacer_open 
Phrase Groups Available (1):
global
Included Files (20):
./login.php
./global.php
./includes/class_bootstrap.php
./includes/init.php
./includes/class_core.php
./includes/functions.php
./includes/functions_navigation.php
./includes/class_hook.php
./includes/class_bootstrap_framework.php
./vb/vb.php
./vb/phrase.php
./includes/class_friendly_url.php
./includes/functions_facebook.php
./includes/functions_login.php
./includes/functions_misc.php
./includes/functions_notice.php 
Hooks Called (33):
init_startup
database_pre_fetch_array
database_post_fetch_array
fetch_userinfo_query
fetch_musername
fetch_userinfo
global_bootstrap_init_start
global_bootstrap_init_complete
cache_permissions
load_show_variables
load_forum_show_variables
global_state_check
global_bootstrap_complete
global_start
style_fetch
global_setup_complete
login_verify_success
fetch_session_complete
login_process
login_redirect
redirect_generic
cache_templates
cache_templates_process
template_register_var
template_render_output
fetch_template_start
fetch_template_complete
parse_templates
notices_check_start
friendlyurl_resolve_class
friendlyurl_geturl
notifications_list
process_templates_complete
Reply With Quote
  #27  
Old 01-06-2016, 06:32 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well my only guess is that you made a mistake somewhere, double check the changes you did and make sure it matches the ones of OP.
Reply With Quote
  #28  
Old 01-06-2016, 06:38 PM
EvoDarrenshan EvoDarrenshan is offline
 
Join Date: May 2014
Posts: 39
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Dave View Post
Well my only guess is that you made a mistake somewhere, double check the changes you did and make sure it matches the ones of OP.
I've followed it step by step no mistake made, I disabled plugins and generated a result above. Should i revert?

---
I reverted login time gone back to normal. Do not use this if your board is 10k members plus.
Reply With Quote
  #29  
Old 01-07-2016, 12:52 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by EvoDarrenshan View Post
I've followed it step by step no mistake made, I disabled plugins and generated a result above. Should i revert?

---
I reverted login time gone back to normal. Do not use this if your board is 10k members plus.
I've installed this on boards with 100k+ members, this is not something caused by the script.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 03:07 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04768 seconds
  • Memory Usage 2,327KB
  • Queries Executed 26 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (10)bbcode_code
  • (5)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (9)post_thanks_box
  • (2)post_thanks_box_bit
  • (9)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (9)post_thanks_postbit_info
  • (8)postbit
  • (9)postbit_onlinestatus
  • (9)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete