Mini Mods - Secure BCrypt Password Hashing

This is a 'howto' for using bcrypt for your password hashs, instead of the default vBulletin one, which is highly insecure.

Remember, backup your database before doing this!!

Quote:

bcrypt is a key derivation function for passwords designed by Niels Provos and David Mazi?res, based on the Blowfish cipher, and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

More information about BCrypt can be found here: http://codahale.com/how-to-safely-store-a-password/ - http://phpmaster.com/why-you-should-...red-passwords/

tl;dr: if you want to be moar secure, use bcrypt.


" How much slower is bcrypt than, say, MD5? Depends on the work factor. Using a work factor of 12, bcrypt hashes the password 'password' in about 0.3 seconds on my laptop. MD5, on the other hand, takes less than a nanosecond."


BEFORE YOU DO THIS, PLEASE CREATE A .PHP FILE WITH THIS IN IT

Code:

<?php
if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
    echo "CRYPT_BLOWFISH is enabled!";
}
else {
    echo "CRYPT_BLOWFISH is not available";
}

If it is not available, please contact your host.




/includes/functions.php
Add this to the end, just before the footer message.

Code:

/**
 * 
 * Hash 'password' using the crypt() function w/  bcrypt
 * Use the first 21 characters of the MD5(strrev($salt)) as our bcrypt salt
 * Return the MD5 return of this crypt() call, to maintain database functionality. The main part of our security is kept(making hashing, thus cracking, longer).

 * This should always be called like hash_password_bcrypt(md5(md5($password) . $salt), $salt)
 **/
function hash_password_bcrypt($password, $salt) {
       //You may set this to your liking. A higher cost means it will take longer for the password to hash. 15 seems to be a good value.
       $cost = 15; // must be in range 04 - 31

     return md5(crypt($password, '$2y$' . $cost . '$' . substr(md5(strrev($salt)),0,21) . '$'));

}

includes/class_dm_user.php
Now..

Find this:

Code:

                        if ($password == md5(md5($this->fetch_field('username')) . $salt))

and replace it with this:

Code:

                        if ($password == $this->hash_password($this->fetch_field('username'), $salt))

(Note to self.. Why does the original code use this implicit hashing rather than the hash_password function? hash_password takes cares of md5 stuff already if it's not already md5)


Then, on the same file, replace this:

Code:

return md5($password . $salt);

with this

Code:

//No need to md5($password), since it is already md5'd above.
return hash_password_bcrypt(md5($password . $salt), $salt);

includes/functions_login.php


Find this:

Code:

                       $vbulletin->userinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $vbulletin->userinfo['salt']), '') AND
                       $vbulletin->userinfo['password'] != iif($md5password, md5($md5password . $vbulletin->userinfo['salt']), '') AND
                       $vbulletin->userinfo['password'] != iif($md5password_utf, md5($md5password_utf . $vbulletin->userinfo['salt']), '')

And replace it with this:

Code:

                       $vbulletin->userinfo['password'] != iif($password AND !$md5password, hash_password_bcrypt(md5(md5($password) . $vbulletin->userinfo['salt']), $vbulletin->userinfo['salt']), '') AND
                       $vbulletin->userinfo['password'] != iif($md5password, hash_password_bcrypt(md5($md5password . $vbulletin->userinfo['salt']), $vbulletin->userinfo['salt']), '') AND
                       $vbulletin->userinfo['password'] != iif($md5password_utf, hash_password_bcrypt(md5($md5password_utf. $vbulletin->userinfo['salt']), $vbulletin->userinfo['salt']), '')

So effectively, we are hashing the password using the normal vBulletin way of
md5(md5($password) . $vbulletin->userinfo['salt'])
however after doing that, we then run hash_password_bcrypt() around it.

By doing it this way, we can now convert our old hashes to the new bcrypt method.

Create a file called "convert.php", with the contents:

Code:

<?php
require("./global.php");
set_time_limit(0);
ini_set('max_execution_time',0);

$q = $db->query_read("select userid, username, password, salt from user WHERE password != ''");
 
echo "Updating " . $db->num_rows($q) . " accounts.<br />\n";


while($r = $db->fetch_array($q)){
    $db->query_write("UPDATE user SET password = '" . hash_password_bcrypt($r['password'], $r['salt']) . "' WHERE userid = '" . $r['userid'] . "'");
     echo "Updated password for " . htmlspecialchars($r['username']) . "<br />\n";
}
 
echo "Finished.<br />\n";
?>

I recommend running the script in a terminal, however you may be able to run it in a browser. If you run it in the browser, it may time out!

[Eruantien]

I just wanted to say thank you for creating this. MD5 needs to die a strong death. Do you know how hard it would be to implement on vb3? I have a client that uses it and I would love to get them away from MD5.

[Dave]

Quote:

Originally Posted by Eruantien

I just wanted to say thank you for creating this. MD5 needs to die a strong death. Do you know how hard it would be to implement on vb3? I have a client that uses it and I would love to get them away from MD5.

OP's explanation should work for vBulletin 3 as well since the code structure is almost the same.

[EvoDarrenshan]

Is it me or does it take longer to log in?

[Dave]

It's a slower algorithm, but you should definitely not notice it. How slow are we talking about? Any other plugins which could affect it?

[EvoDarrenshan]

Quote:

Originally Posted by Dave

It's a slower algorithm, but you should definitely not notice it. How slow are we talking about? Any other plugins which could affect it?

I noticed it soon as i done the change like 1-3 seconds difference also when users register it doesn't set the bcrypt algorithm...

Code:

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/site/public_html/includes/functions_login.php on line 167

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/site/public_html/includes/functions.php on line 5131
REDIRECTING...
Thank you for logging in, admin.
Click here if your browser does not automatically redirect you.
X VBULLETIN 4.2.1 DEBUG INFORMATION
Page Generation 5.55788 seconds Memory Usage 9,080KB Queries Executed 14 (?)
More Information
Template Usage (16):
(1)STANDARD_REDIRECT
(1)ad_footer_end
(1)ad_footer_start
(1)ad_global_above_footer
(1)ad_global_below_navbar
(1)ad_global_header1
(1)ad_global_header2
(1)ad_navbar_below
(1)footer
(1)gobutton
(1)header
(1)headinclude
(1)headinclude_bottom
(1)navbar_notifications_menubit
(1)spacer_close
(1)spacer_open 
Phrase Groups Available (1):
global
Included Files (20):
./login.php
./global.php
./includes/class_bootstrap.php
./includes/init.php
./includes/class_core.php
./includes/functions.php
./includes/functions_navigation.php
./includes/class_hook.php
./includes/class_bootstrap_framework.php
./vb/vb.php
./vb/phrase.php
./includes/class_friendly_url.php
./includes/functions_facebook.php
./includes/functions_login.php
./includes/functions_misc.php
./includes/functions_notice.php 
Hooks Called (33):
init_startup
database_pre_fetch_array
database_post_fetch_array
fetch_userinfo_query
fetch_musername
fetch_userinfo
global_bootstrap_init_start
global_bootstrap_init_complete
cache_permissions
load_show_variables
load_forum_show_variables
global_state_check
global_bootstrap_complete
global_start
style_fetch
global_setup_complete
login_verify_success
fetch_session_complete
login_process
login_redirect
redirect_generic
cache_templates
cache_templates_process
template_register_var
template_render_output
fetch_template_start
fetch_template_complete
parse_templates
notices_check_start
friendlyurl_resolve_class
friendlyurl_geturl
notifications_list
process_templates_complete

[Dave]

Well my only guess is that you made a mistake somewhere, double check the changes you did and make sure it matches the ones of OP.

[EvoDarrenshan]

Quote:

Originally Posted by Dave

Well my only guess is that you made a mistake somewhere, double check the changes you did and make sure it matches the ones of OP.

I've followed it step by step no mistake made, I disabled plugins and generated a result above. Should i revert?

---
I reverted login time gone back to normal. Do not use this if your board is 10k members plus.

[Dave]

Quote:

Originally Posted by EvoDarrenshan

I've followed it step by step no mistake made, I disabled plugins and generated a result above. Should i revert?

---
I reverted login time gone back to normal. Do not use this if your board is 10k members plus.

I've installed this on boards with 100k+ members, this is not something caused by the script.