The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
#1
10-27-2005, 09:08 PM
|
|||
|
|||
SHA256 instead of MD5 :: Possible?
Is it possible to switch vBulletin over to using SHA256 hashing instead of MD5?
If so, would it be possible by implementing a plugin, orwould the vBulletin developer framework not allow access at that level. I really dont want to have to change the php file and nullify support. Thanks for any help. Rob 
|
|
#3
10-28-2005, 08:11 AM
|
|||
|
|||
|
Paul,
I have a large forum that currently uses sha256 hashes for passwords. I am converting to vBulletin but don't want to ask a few thousand members to use the 'lost password' feature. I simply need SHA256 and if vBulletin are gonna nullify my support because I need this then so be it (Although it REALLY SHOULD be supported ANYWAY!!) What vBulletin have to realise is that there are other boards out there with different hashing algo's. They support loads of boards via Impex, yet don't support other boards password algo's..... seems a very needlessly (dare I say lazy...) overlooked point. Why only go half way?
|
|
#4
11-22-2013, 05:58 PM
|
|||
|
|||
|
This thread is particularly relevant considering the recent security breaches.
Instead of starting a new thread, I would really like to see if getting a SHA256 option can be made viable when using vB.
|
|
#5
11-22-2013, 08:51 PM
|
||||
|
||||
|
The recent security problems have nothing to do with which hash function is used.
That being said you'd need to re-write the login system to use a sha-256 scheme including adding in a javascript library that will do the sha hashing on the client side. Additionally there would be encoding considerations to take into account in that you'd have to make sure that the character encoding of the password is maintained between the two forum softwares. There are probably other issues as well.
|
|
#6
11-23-2013, 05:14 PM
|
|||
|
|||
|
I'm not any kind of expert in password hashing or security, so someone please correct me if I'm wrong, but: I think it may be relevant because my understanding is that the user tables were taken, and some passwords obtained by some kind of guessing (brute force, dictionary, or whatever you call it). This is possible because the md5 algorithm is pretty fast, so a lot of guesses can be made quickly. And if that's true then I understand that crypt() with blowfish is better than just replacing md5() with a call to hash('sha256'...) because blowfish was designed to be slow to make guessing harder.
(Edit: It is true that the hashing algorithm wasn't the cause of the original security breach, maybe that's what squidsk meant). I think it might be possible to do it using plugins today (things were different when Paul wrote the above comment), but I'm not sure if that's the best way to do it because if you have a need to disable all plugins (or some curious or careless admin disables the product), no one would be able to log in. As for dealing with the browser side of things, I think if you made the algorithm blowfish(md5(password)) then you could leave the browser side of things the same. And if you used blowfish(md5(md5(password).salt)) (where salt is the existing vb salt column) then I think you could also convert the existing passwords instead of making everyone pick a new one. That wouldn't help the OP who wanted to transfer passwords from a different database, but if your concern is security in case the db is stolen then it wouldn't matter. (BTW, "blowfish" isn't a php function, but you get the idea). In any case, there is a mod that exists here: www.vbulletin.org/forum/showthread.php?t=288450 (which I haven't actually tried). I've been thinking of making one myself because I have a few other features/options I'd like to add (like converting of existing password as I mentioned above).
|
|
#7
11-26-2013, 07:58 AM
|
||||
|
||||
|
Well even if the breech wasn't an attack via account compromise. The fact is the password hashes were STOLEN. And, they CAN be decrypted with the proper tools, time and effort. Although it would need to be a targeted attack for a certain member to go that far.
As for encryption, SHA1 should be used and I would've though vB5 would have it. Guess one more thing that IB failed at once again....
|
|
#8
11-26-2013, 03:13 PM
|
||||
|
||||
|
Quote:
Just as a note SHA1 is not considered secure and is recommended to be discontinued by NIST. NIST, in a competition held a couple of years back, selected a new hash function to be SHA3 as SHA2 was no longer deemed to be secure enough for long term use and should not be used as of 2010.
|
|
#9
11-26-2013, 04:42 PM
|
|||
|
|||
|
People need to remember that MD5 is a one way hash, it can't be decrypted into plain text.
MD5 was found to be insecure for things like security certificates and the like because of the possibility of a collision (duplicate MD5 hashes). It had nothing to do with password storage. Or at least I never saw anything about passwords and MD5 except to warn that the MD5 hash needs to be properly salted. There are only two ways someone can get the password for vB. One is by brute force. Or more commonly known as guessing until the password guessed equals the MD5 hash. The other, more common way is for someone to use the same password on multiple sites, the clear text password is stolen and then used to access other sites.
|
|
#10
11-26-2013, 06:46 PM
|
|||
|
|||
|
Quote:
But like you said it's likely passwords were discovered by trying a list of common or known passwords, so maybe using something that takes, for example, 1/2 second for the average server to check still isn't really slow enough to make a difference. Edit: The first answer here has a good summary: http://security.stackexchange.com/qu...passwords?lq=1
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 04:56 PM.