  #1  
Old 27 Oct 2005, 22:08
rob30UK rob30UK is offline
 
Join Date: Oct 2005
SHA256 instead of MD5 :: Possible?

Is it possible to switch vBulletin over to using SHA256 hashing instead of MD5?

If so, would it be possible by implementing a plugin, or would the vBulletin developer framework not allow access at that level?
I really don't want to have to change the php file and nullify support.

Thanks for any help.

Rob
  #2  
Old 27 Oct 2005, 22:23
Paul M Paul M is offline
 
Join Date: Sep 2004
Real name: Paul M
I don't see how you could do it without editing a few files. Why would you want to do this?
__________________
Former vBulletin.org Staff Member


  #3  
Old 28 Oct 2005, 09:11
rob30UK rob30UK is offline
 
Join Date: Oct 2005
Paul,

I have a large forum that currently uses sha256 hashes for passwords.

I am converting to vBulletin but don't want to ask a few thousand members to use the 'lost password' feature.

I simply need SHA256 and if vBulletin are gonna nullify my support because I need this then so be it (Although it REALLY SHOULD be supported ANYWAY!!)

What vBulletin have to realise is that there are other boards out there with different hashing algo's. They support loads of boards via Impex, yet don't support other boards password algo's..... seems a very needlessly (dare I say lazy...) overlooked point.

Why only go half way?
  #4  
Old 22 Nov 2013, 17:58
Eruantien Eruantien is offline
 
Join Date: Jan 2009
This thread is particularly relevant considering the recent security breaches.

Instead of starting a new thread, I would really like to see if getting a SHA256 option can be made viable when using vB.
  #5  
Old 22 Nov 2013, 20:51
squidsk squidsk is offline
 
Join Date: Nov 2010
The recent security problems have nothing to do with which hash function is used.

That being said you'd need to re-write the login system to use a sha-256 scheme including adding in a javascript library that will do the sha hashing on the client side. Additionally there would be encoding considerations to take into account in that you'd have to make sure that the character encoding of the password is maintained between the two forum softwares. There are probably other issues as well.
  #6  
Old 23 Nov 2013, 17:14
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
I'm not any kind of expert in password hashing or security, so someone please correct me if I'm wrong, but: I think it may be relevant because my understanding is that the user tables were taken, and some passwords obtained by some kind of guessing (brute force, dictionary, or whatever you call it). This is possible because the md5 algorithm is pretty fast, so a lot of guesses can be made quickly. And if that's true then I understand that crypt() with blowfish is better than just replacing md5() with a call to hash('sha256'...) because blowfish was designed to be slow to make guessing harder.

(Edit: It is true that the hashing algorithm wasn't the cause of the original security breach, maybe that's what squidsk meant).

I think it might be possible to do it using plugins today (things were different when Paul wrote the above comment), but I'm not sure if that's the best way to do it because if you have a need to disable all plugins (or some curious or careless admin disables the product), no one would be able to log in. As for dealing with the browser side of things, I think if you made the algorithm blowfish(md5(password)) then you could leave the browser side of things the same. And if you used blowfish(md5(md5(password).salt)) (where salt is the existing vb salt column) then I think you could also convert the existing passwords instead of making everyone pick a new one. That wouldn't help the OP who wanted to transfer passwords from a different database, but if your concern is security in case the db is stolen then it wouldn't matter. (BTW, "blowfish" isn't a php function, but you get the idea).

In any case, there is a mod that exists here: www.vbulletin.org/forum/showthread.php?t=288450 (which I haven't actually tried). I've been thinking of making one myself because I have a few other features/options I'd like to add (like converting of existing password as I mentioned above).

Last edited by kh99; 23 Nov 2013 at 17:37.
Reply With Quote
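The wrapping kh99 describes in the post above (a slow bcrypt layer over the existing md5(md5(password).salt) value), as an added example that is not part of the thread or of vBulletin's own code. It assumes PHP 7+ with the built-in password_hash() family and, as the post implies, a browser that already submits md5(password); the function names and the sample row are hypothetical.

```php
<?php
// Added illustration, not vBulletin code. Function names are hypothetical.

// Legacy value as described in the thread: md5(md5(password) . salt),
// where salt is the existing per-user salt column.
function legacy_hash_from_client_md5(string $clientMd5, string $salt): string
{
    return md5($clientMd5 . $salt);
}

// One-time migration: wrap the stored MD5 hex digest in bcrypt.
// Needs only the value already in the database, never the plaintext.
function wrap_stored_hash(string $storedMd5, int $cost = 12): string
{
    // Input is always 32 hex characters, well under bcrypt's 72-byte limit.
    // password_hash() generates its own salt and embeds it in the result.
    return password_hash($storedMd5, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login check. $clientMd5 is md5(password) as assumed to arrive from the
// browser, so the client side stays unchanged.
function verify_login(string $clientMd5, string $salt, string $wrapped): bool
{
    return password_verify(legacy_hash_from_client_md5($clientMd5, $salt), $wrapped);
}

// Raise the bcrypt cost later without a password reset:
// re-wrap on the next successful login if the stored cost is too low.
function maybe_upgrade(string $clientMd5, string $salt, string $wrapped, int $cost): string
{
    if (verify_login($clientMd5, $salt, $wrapped)
        && password_needs_rehash($wrapped, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return wrap_stored_hash(legacy_hash_from_client_md5($clientMd5, $salt), $cost);
    }
    return $wrapped;
}

// Constructed sample row (not real data).
$salt    = 'x7#Qp';
$stored  = md5(md5('correct horse') . $salt);  // what the user table holds today
$wrapped = wrap_stored_hash($stored);          // what it would hold after migration

var_dump(verify_login(md5('correct horse'), $salt, $wrapped));
var_dump(verify_login(md5('wrong guess'), $salt, $wrapped));
```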
  #7  
Old 26 Nov 2013, 07:58
FreshFroot FreshFroot is offline
 
Join Date: Aug 2005
Well even if the breach wasn't an attack via account compromise. The fact is the password hashes were STOLEN. And, they CAN be decrypted with the proper tools, time and effort. Although it would need to be a targeted attack for a certain member to go that far.

As for encryption, SHA1 should be used and I would've thought vB5 would have it. Guess one more thing that IB failed at once again....
  #8  
Old 26 Nov 2013, 15:13
squidsk squidsk is offline
 
Join Date: Nov 2010
Originally Posted by FreshFroot:
> Well even if the breach wasn't an attack via account compromise. The fact is the password hashes were STOLEN. And, they CAN be decrypted with the proper tools, time and effort. Although it would need to be a targeted attack for a certain member to go that far.
>
> As for encryption, SHA1 should be used and I would've thought vB5 would have it. Guess one more thing that IB failed at once again....

If the hashes are stolen then the hash function used is irrelevant as with modern graphics cards being used for processing power over a couple of machines brute forcing is not a particularly arduous task, especially as most people do not actually have very good passwords.

Just as a note SHA1 is not considered secure and is recommended to be discontinued by NIST. NIST, in a competition held a couple of years back, selected a new hash function to be SHA3 as SHA2 was no longer deemed to be secure enough for long term use and should not be used as of 2010.
  #9  
Old 26 Nov 2013, 16:42
nhawk nhawk is offline
 
Join Date: Jan 2011
People need to remember that MD5 is a one way hash, it can't be decrypted into plain text.

MD5 was found to be insecure for things like security certificates and the like because of the possibility of a collision (duplicate MD5 hashes). It had nothing to do with password storage. Or at least I never saw anything about passwords and MD5 except to warn that the MD5 hash needs to be properly salted.

There are only two ways someone can get the password for vB. One is by brute force. Or more commonly known as guessing until the password guessed equals the MD5 hash. The other, more common way is for someone to use the same password on multiple sites, the clear text password is stolen and then used to access other sites.
  #10  
Old 26 Nov 2013, 18:46
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
Originally Posted by squidsk:
> If the hashes are stolen then the hash function used is irrelevant as with modern graphics cards being used for processing power over a couple of machines brute forcing is not a particularly arduous task...

Oh, I see what you meant. Yeah, that makes sense. But my understanding is that bcrypt was made to be slow and to be more difficult to implement using a GPU, by repeating the slower parts of the algorithm many times, so it's an improvement over using a hash algorithm directly. (What I said above wasn't quite correct - it's bcrypt that was designed to be slow, not blowfish, although bcrypt is based on blowfish).

But like you said it's likely passwords were discovered by trying a list of common or known passwords, so maybe using something that takes, for example, 1/2 second for the average server to check still isn't really slow enough to make a difference.

Edit: The first answer here has a good summary: http://security.stackexchange.com/qu...passwords?lq=1

Last edited by kh99; 26 Nov 2013 at 19:13.
  #11  
Old 26 Nov 2013, 20:38
squidsk squidsk is offline
 
Join Date: Nov 2010
Originally Posted by nhawk:
> People need to remember that MD5 is a one way hash, it can't be decrypted into plain text.
>
> MD5 was found to be insecure for things like security certificates and the like because of the possibility of a collision (duplicate MD5 hashes). It had nothing to do with password storage. Or at least I never saw anything about passwords and MD5 except to warn that the MD5 hash needs to be properly salted.

That's exactly why it shouldn't be used for passwords, especially if you have unlimited number of guesses, because you have offline access to the hash values by downloading the user table, to find a collision. Say your password gets hashed to 12345 in the db, then to brute force your password if I have the hash is just a matter of finding a collision on the hash value of 12345 and I can use the "word" that caused the collision to access your account.

> There are only two ways someone can get the password for vB. One is by brute force. Or more commonly known as guessing until the password guessed equals the MD5 hash. The other, more common way is for someone to use the same password on multiple sites, the clear text password is stolen and then used to access other sites.

Technically both of those are brute force, most brute force algorithms try common words or passwords of a particular length before trying all other combinations of that length. As I previously pointed out if someone has accessed the db and has all the hashes then there's no 5 attempts and locked out for 15 minutes preventing brute force attacks to find a collision.