Thread: Mini Mods - Secure BCrypt Password Hashing
29 Sep 2012, 21:56
MegaManSec
Join Date: Aug 2011
Originally Posted by Adrian Schneider:
First off, thanks for trying to make vBulletin more secure. BCrypt is an excellent algorithm and much much better than md5. From my latest research, it's the industry standard.

However - you are going to all this work to properly store the password using BCrypt, but then you md5 it. As soon as you md5 it, you have lost all of that security.

Second - and this is just a future suggestion, you could have the system detect which password hash they are using, and check accordingly. This way you can update people's passwords to the new system whenever they change their password (and probably mass-email everyone suggesting they do), but still authenticate the old hashes properly. Unfortunately the way it's implemented, nobody will want to use this except for starting new boards. It is possible.

Er, once I MD5 it, it does not lose security. If anything, it makes it more secure (by 0.00001 of a percent, though).
I'm currently creating the 'auto-bcrypt' pwd encrypter for it. It'll be done soon.
I do free vBulletin modification security checks. PM me.
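
The migration suggested in the quoted post (detect which hash type is stored, keep authenticating old hashes, move them to BCrypt) could look like the following. This is an added example, not code from the mod or from either poster; the function names, the user-record layout and the legacy format md5(md5(password) . salt) are assumptions. It upgrades on successful login as well, since that is the moment the plaintext password is available.

```php
<?php
// Legacy scheme assumed for this example: md5(md5(password) . salt), 32 hex chars.
function legacy_hash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

// Classify a stored hash by its format (hypothetical helper).
function hash_scheme(string $stored): string
{
    if (preg_match('/^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $stored)) {
        return 'bcrypt';
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return 'legacy-md5';
    }
    return 'unknown';
}

// Returns [authenticated, replacement hash to store or null].
function verify_and_upgrade(string $password, array $user, int $cost = 12): array
{
    switch (hash_scheme($user['hash'])) {
        case 'bcrypt':
            if (!password_verify($password, $user['hash'])) {
                return [false, null];
            }
            // Re-hash only if the configured cost was raised since this hash was made.
            $stale = password_needs_rehash($user['hash'], PASSWORD_BCRYPT, ['cost' => $cost]);
            return [true, $stale ? password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]) : null];
        case 'legacy-md5':
            // hash_equals() compares in constant time.
            if (!hash_equals($user['hash'], legacy_hash($password, $user['salt']))) {
                return [false, null];
            }
            return [true, password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost])];
        default:
            return [false, null]; // fail closed on unrecognised formats
    }
}

// Constructed sample record, not real data.
$user = ['hash' => legacy_hash('correct horse', 'a1B2c3'), 'salt' => 'a1B2c3'];
[$ok, $newHash] = verify_and_upgrade('correct horse', $user);
if ($ok && $newHash !== null) {
    $user['hash'] = $newHash; // persist; the separate salt column is no longer used
}
var_dump($ok, hash_scheme($user['hash']));
```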