The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
md5 security
When someone uses the md5 algourim (sp?) in PHP do they store the md5 word in the sql database and since it is not encodeable when someone inputs a password they run it through md5 and then check to see if the passwords are a match? Is this how it is done? And is this how vBulletin does it?
#2
Yes basically.
When you register, your password is hashed. It can never be unhashed. Therefore when you log in, the password you enter is hashed and if the two hashes match, it's a password match.
Dave.
PS; SP: Algorithm.
#3
As for security:
md5 is a standard hashing function, so everyone can use it, and there can already be many lexica to get the pw from a hash, just by comparing it with hashes of a word list... To increase security, you should modify the password string with another value beforehand to be prepared for this problem. (vb3 does that afaik)
#4
What if you had two passwords which were the same? Would the hash be the same?
- miSt
#5
The hash of two identical passwords would always be the same if you use the same hashing function,
but if you combine the hashing function with the userid, it would be possible to get different values.
#6
Hmmm does vb do the latter?
#7
I don't know exactly but IIRC nope
#8
FWIW, although hashes are not unique (i.e., two unhashed different strings can create the same MD5 hash), it's extraordinarily, incredibly unlikely that it'll happen.
vB's method:
1. Store an md5 of whatever in the database
2. To authenticate, compare md5(what the user entered on the form) to whatever.
#9
So if Bob has a password which was "lalala" and Harry had a password which was "lalala" also then they would have the same hash?
- miSt
#10
Yes.
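
The Bob and Harry case from this thread, as an added PHP example that is not part of the original posts and is not vBulletin's code. It stores the same password for both users three ways: plain md5(), md5() over a per-user random value plus the password (the "modify the password string with another value" idea from post #3), and PHP's built-in password_hash(). The account data and the function names plain_hash, salted_hash and salted_verify are constructed for illustration.

```php
<?php
// Constructed sample accounts (not data from the thread).
$accounts = ['Bob' => 'lalala', 'Harry' => 'lalala'];

// 1. Plain md5(): the stored value depends only on the password.
function plain_hash(string $password): string
{
    return md5($password);
}

// 2. md5() over a per-user random value plus the password. The salt is
//    stored next to the hash so the login check can recompute it.
function salted_hash(string $password, string $salt): string
{
    return md5($salt . $password);
}

function salted_verify(string $entered, string $salt, string $stored): bool
{
    // hash_equals() compares the two strings in constant time.
    return hash_equals($stored, salted_hash($entered, $salt));
}

$rows = [];
foreach ($accounts as $user => $password) {
    $salt = bin2hex(random_bytes(16)); // fresh random salt per user
    $rows[$user] = [
        'plain'  => plain_hash($password),
        'salt'   => $salt,
        'salted' => salted_hash($password, $salt),
        // 3. Built-in password API: generates its own salt and uses a
        //    deliberately slow algorithm instead of a fast hash like md5.
        'modern' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

// Compare what ends up in the database for the two users.
echo "plain equal:  "; var_dump($rows['Bob']['plain']  === $rows['Harry']['plain']);
echo "salted equal: "; var_dump($rows['Bob']['salted'] === $rows['Harry']['salted']);
echo "modern equal: "; var_dump($rows['Bob']['modern'] === $rows['Harry']['modern']);

// Login checks: hash what was entered and compare with the stored value.
echo "salted login: "; var_dump(salted_verify('lalala', $rows['Bob']['salt'], $rows['Bob']['salted']));
echo "modern login: "; var_dump(password_verify('lalala', $rows['Harry']['modern']));
echo "wrong pw:     "; var_dump(password_verify('lalalb', $rows['Harry']['modern']));
```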