Change Password Encryption

[chaldo]

Hey guys,

Is there any way to salt the md5 or change the type of encryption with vbulletin?

Thanks,
Chaldo

--------------- Added [DATE]1311468086[/DATE] at [TIME]1311468086[/TIME] ---------------

nobody?

[Videx]

I've never heard of anything like that. If you're having some specific problem you may want to search at vb.com for it.

[setishock]

VB4 is md5 with salt.

[chaldo]

Yes but I heard that SHA encryption is better. People told me I can change it but not sure how.

[chaldo]

nobody?

[kh99]

There is no option or single file or function that will allow you to change how the password is encrypted, but I believe there are only a few places where you'd have to change the code to do it. I think right now it uses md5(password . salt), or maybe md5(md5(password). salt), I'm not sure.

Anyway, It looks like the main check is in verify_authentication() in includes/functions_login.php, and there's code for changing the password in profile.php. There are a couple other places that I think just check for passwords the same as the user name (so that if you left those alone you'd just lose that security check). There may be other places that I didn't find.

One other note, I think when the password comes from the browser or a cookie it has another level of md5() that the browser does via js, so that just adds to the confusion.

[Videx]

Quote:

Originally Posted by chaldo

Yes but I heard that SHA encryption is better. People told me I can change it but not sure how.

What's the point? If you hang around the forums a while you'll see a few problems, but people hacking other's passwords isn't one of them. In fact I can't recall ever seeing an instance of it (that couldn't be explained by someone actually hacking into the server). Don't knock yourself out on a problem that doesn't exist.