Secure BCrypt Password Hashing
Mod Version: 2.00, by MegaManSec
Developer Last Online: Dec 2016

vB Version: 4.x.x Rating: (3 votes - 5.00 average) Installs: 14
Released: 29 Sep 2012 Last Update: Never Downloads: 0
Tags: Not Supported, Code Changes, Re-usable Code, Translations

This is a 'howto' for using bcrypt for your password hashes, instead of the default vBulletin one, which is highly insecure.

Remember, backup your database before doing this!!

bcrypt is a key derivation function for passwords designed by Niels Provos and David Mazières, based on the Blowfish cipher, and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

More information about BCrypt can be found here: http://codahale.com/how-to-safely-store-a-password/ - http://phpmaster.com/why-you-should-...red-passwords/

tl;dr: if you want to be moar secure, use bcrypt.


"How much slower is bcrypt than, say, MD5? Depends on the work factor. Using a work factor of 12, bcrypt hashes the password 'password' in about 0.3 seconds on my laptop. MD5, on the other hand, takes less than a nanosecond."


BEFORE YOU DO THIS, PLEASE CREATE A .PHP FILE WITH THIS IN IT

[code block not shown: licensed members only]

If it is not available, please contact your host.




/includes/functions.php
Add this to the end, just before the footer message.


[code block not shown: licensed members only]



includes/class_dm_user.php
Now..

Find this:

[code block not shown: licensed members only]

and replace it with this:

[code block not shown: licensed members only]

(Note to self: why does the original code use this implicit hashing rather than the hash_password function? hash_password already takes care of the md5 step if the input isn't md5 yet.)


Then, on the same file, replace this:

[code block not shown: licensed members only]

with this

[code block not shown: licensed members only]




includes/functions_login.php


Find this:

[code block not shown: licensed members only]

And replace it with this:


[code block not shown: licensed members only]


So effectively, we are still hashing the password the normal vBulletin way, md5(md5($password) . $vbulletin->userinfo['salt']), and then running hash_password_bcrypt() around that result.

By doing it this way, we can now convert our old hashes to the new bcrypt method.

Create a file called "convert.php", with the contents:

[code block not shown: licensed members only]

I recommend running the script in a terminal, however you may be able to run it in a browser. If you run it in the browser, it may time out!
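The wrapping scheme described above, as an added PHP example that is not the mod's own code (its gated blocks are not reproduced here): the legacy md5(md5($password) . $salt) value becomes the input to bcrypt, so existing rows can be converted without knowing any user's password, which is what convert.php relies on. hash_password_bcrypt() is the name the howto uses, but its body here, built on PHP's password_hash(), is an assumption; vb_legacy_hash(), is_bcrypt_hash(), convert_legacy_record(), verify_login() and bcrypt_seconds() are illustrative names, and the salt and password are constructed values. The cost parameter is the work factor from the quote above (12).

```php
<?php
// Added example, not the mod's code. Demonstrates bcrypt(md5(md5($password) . $salt)),
// legacy-row conversion, login verification and a cost benchmark.
// Function bodies and all names except hash_password_bcrypt() are assumptions.

// Legacy vBulletin scheme: md5(md5($password) . $salt), stored as 32 hex chars.
function vb_legacy_hash(string $password, string $salt): string {
    return md5(md5($password) . $salt);
}

// Wrap a value in bcrypt. Named after the function the howto refers to;
// this body is an assumption built on PHP's password_hash() ($2y$ prefix).
function hash_password_bcrypt(string $value, int $cost = 12): string {
    return password_hash($value, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// A stored value is bcrypt if it carries the $2y$ (or older $2a$/$2b$) prefix.
function is_bcrypt_hash(string $stored): bool {
    return (bool) preg_match('/^\$2[aby]\$\d{2}\$/', $stored);
}

// Convert a legacy md5(md5(pw).salt) row without knowing the password:
// the stored md5 value is exactly what the new scheme feeds to bcrypt.
function convert_legacy_record(string $stored, int $cost = 12): string {
    if (is_bcrypt_hash($stored)) {
        return $stored; // already converted; safe to re-run the conversion
    }
    return hash_password_bcrypt($stored, $cost);
}

// Login check: recompute the legacy inner value from the submitted password
// and the user's salt, then verify it against the stored bcrypt hash.
// Rows not yet converted fall back to a constant-time legacy comparison.
function verify_login(string $password, string $salt, string $stored): bool {
    $inner = vb_legacy_hash($password, $salt);
    if (is_bcrypt_hash($stored)) {
        return password_verify($inner, $stored);
    }
    return hash_equals($stored, $inner);
}

// Time one bcrypt hash at a given cost, for tuning the work factor.
function bcrypt_seconds(int $cost): float {
    $start = microtime(true);
    password_hash('benchmark', PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

// --- constructed demo data (not real accounts) ---
$salt = 'Ab3xQ9';                           // made-up salt
$password = 'correct horse battery staple'; // made-up password

$legacy    = vb_legacy_hash($password, $salt);   // what the old DB row held
$converted = convert_legacy_record($legacy);     // what convert.php would write back

var_dump(verify_login($password, $salt, $legacy));           // unconverted row
var_dump(verify_login($password, $salt, $converted));        // converted row
var_dump(verify_login('wrong password', $salt, $converted)); // rejected
var_dump(convert_legacy_record($converted) === $converted);  // conversion is idempotent

foreach ([10, 12] as $cost) {
    printf("cost %d: %.3fs per hash\n", $cost, bcrypt_seconds($cost));
}
```

Run it with php on the command line. The fallback branch in verify_login() exists only so that users whose rows have not been converted can still log in during a migration; once convert.php has run over the whole user table every stored value carries the $2y$ prefix and that branch is never taken.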

#16 | 23 Jan 2015, 16:58 | Skyrider
I have a feeling that after using this, the forums login/reset wise is actually much slower.
#17 | 23 Jan 2015, 17:04 | Dave
Originally Posted by Skyrider:
I have a feeling that after using this, the forums login/reset wise is actually much slower.
Generating the password hash with BCrypt is a bit slower than MD5, but you shouldn't notice any difference on the average server.

Note: the slower the algorithm (and amount of iterations/cost), the longer it takes to brute force passwords, which is a good thing.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
#18 | 23 Jan 2015, 17:24 | kh99
Originally Posted by Skyrider:
I have a feeling that after using this, the forums login/reset wise is actually much slower.
If you look at the second piece of code posted above there's a "cost" factor which can be adjusted so that users don't see an objectionable delay.

Last edited by kh99; 23 Jan 2015 at 17:42.
#19 | 07 Sep 2015, 01:40 | MegaManSec
Updated with a method to set passwords
__________________
I do free vBulletin modification security checks. PM me.
http://services.internot.info/
#20 | 30 Sep 2015, 16:33 | ChiNa
Great Job and a Very good Idea. I have had my friend's vB4.x forums hacked where the hackers later Published all forum Users' Usernames, Emails, and MD5 Password Hashes out in Public. I know for a fact that they hacked their way in by decrypting the Admin Password somehow. And NOT by Brute Forcing their way in. We suspected that they got in because of a Custom Skin installed on the forum that was vulnerable.

I am not saying it's not possible to Hack or Decrypt a Password by Brute Forcing, But I would rather Secure my forum and Passwords a bit Extra than just leaving the doors open and Welcome them! At least they would use more time to Crack the Passwords.

Thumbs up and Well Done.

PS, I assume you could use the same method for vB3.8. So I hope you will create a version for vBulletin 3.8 Users too.
__________________
I am having a little break from vB Developing. I am trying to finish my PHP and MYSQL courses for now. I will answer all my PMs if anyone needs help with my products, but only when I can be online on vB.org. It's great to see new and old developers keeping vB.org alive! Thank you all for your support! CM

Last edited by ChiNa; 30 Sep 2015 at 16:43.
#21 | 24 Oct 2015, 21:44 | Eruantien
I just wanted to say thank you for creating this. MD5 needs to die a strong death. Do you know how hard it would be to implement on vb3? I have a client that uses it and I would love to get them away from MD5.
#22 | 24 Oct 2015, 22:38 | Dave
Originally Posted by Eruantien:
I just wanted to say thank you for creating this. MD5 needs to die a strong death. Do you know how hard it would be to implement on vb3? I have a client that uses it and I would love to get them away from MD5.
OP's explanation should work for vBulletin 3 as well since the code structure is almost the same.
#23 | 06 Jan 2016, 19:16 | EvoDarrenshan
Is it me or does it take longer to log in?
#24 | 06 Jan 2016, 19:18 | Dave
It's a slower algorithm, but you should definitely not notice it. How slow are we talking about? Any other plugins which could affect it?
#25 | 06 Jan 2016, 20:13 | EvoDarrenshan
Originally Posted by Dave:
It's a slower algorithm, but you should definitely not notice it. How slow are we talking about? Any other plugins which could affect it?
I noticed it as soon as I made the change, like a 1-3 second difference; also, when users register it doesn't set the bcrypt algorithm...


[code block not shown: licensed members only]


Last edited by EvoDarrenshan; 06 Jan 2016 at 20:33.
#26 | 06 Jan 2016, 20:32 | Dave
Well, my only guess is that you made a mistake somewhere; double check the changes you made and make sure they match the OP's.
#27 | 06 Jan 2016, 20:38 | EvoDarrenshan
Originally Posted by Dave:
Well, my only guess is that you made a mistake somewhere; double check the changes you made and make sure they match the OP's.
I've followed it step by step, no mistake made. I disabled plugins and generated the result above. Should I revert?

---
I reverted and login time has gone back to normal. Do not use this if your board is 10k members plus.

Last edited by EvoDarrenshan; 07 Jan 2016 at 00:12.
#28 | 07 Jan 2016, 14:52 | Dave
Originally Posted by EvoDarrenshan:
I've followed it step by step, no mistake made. I disabled plugins and generated the result above. Should I revert?

---
I reverted and login time has gone back to normal. Do not use this if your board is 10k members plus.
I've installed this on boards with 100k+ members; this is not something caused by the script.