Register Members List Search Today's Posts Mark Forums Read

Reply
 
Mod Options
Secure BCrypt Password Hashing Details »
Secure BCrypt Password Hashing
Mod Version: 2.00, by MegaManSec (Member) MegaManSec is offline
Developer Last Online: Dec 2016 I like it Show Printable Version Email this Page

vB Version: 4.x.x Rating: (3 votes - 5.00 average) Installs: 14
Released: 28 Sep 2012 Last Update: Never Downloads: 0
Not Supported Code Changes Re-usable Code Translations  

This is a 'howto' for using bcrypt for your password hashs, instead of the default vBulletin one, which is highly insecure.

Remember, backup your database before doing this!!

bcrypt is a key derivation function for passwords designed by Niels Provos and David Mazières, based on the Blowfish cipher, and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

More information about BCrypt can be found here: http://codahale.com/how-to-safely-store-a-password/ - http://phpmaster.com/why-you-should-...red-passwords/

tl;dr: if you want to be moar secure, use bcrypt.


" How much slower is bcrypt than, say, MD5? Depends on the work factor. Using a work factor of 12, bcrypt hashes the password 'password' in about 0.3 seconds on my laptop. MD5, on the other hand, takes less than a nanosecond."


BEFORE YOU DO THIS, PLEASE CREATE A .PHP FILE WITH THIS IN IT

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

If it is not available, please contact your host.




/includes/functions.php
Add this to the end, just before the footer message.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.



includes/class_dm_user.php
Now..

Find this:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

and replace it with this:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

(Note to self.. Why does the original code use this implicit hashing rather than the hash_password function? hash_password takes cares of md5 stuff already if it's not already md5)


Then, on the same file, replace this:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

with this

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.




includes/functions_login.php


Find this:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

And replace it with this:


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


So effectively, we are hashing the password using the normal vBulletin way of
md5(md5($password) . $vbulletin->userinfo['salt'])
however after doing that, we then run hash_password_bcrypt() around it.

By doing it this way, we can now convert our old hashes to the new bcrypt method.

Create a file called "convert.php", with the contents:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

I recommend running the script in a terminal, however you may be able to run it in a browser. If you run it in the browser, it may time out!

Download Now

Only licensed members can download files, Click Here for more information.

Show Your Support

  • To receive notifications regarding updates -> Click to Mark as Installed.
  • This modification may not be copied, reproduced or published elsewhere without author's permission.
Comments
  #2  
Old 29 Sep 2012, 05:10
hakkuo23 hakkuo23 is offline
 
Join Date: Dec 2010
Thank you for the fast reply! I love you man!
Reply With Quote
  #3  
Old 29 Sep 2012, 05:25
hakkuo23 hakkuo23 is offline
 
Join Date: Dec 2010
After I applied the changes I am unable to login, it says my password is incorrect

EDIT

Stupid me, there was an extra parenthesis in functions_login.php

I will respond if it works in a bit!

EDIT

No it does not work vBulletin v4.2.0

Last edited by hakkuo23; 29 Sep 2012 at 06:02.
Reply With Quote
  #4  
Old 29 Sep 2012, 11:20
MentaL's Avatar
MentaL MentaL is offline
 
Join Date: Jan 2003
excellent.
Reply With Quote
  #5  
Old 29 Sep 2012, 13:24
MegaManSec MegaManSec is offline
 
Join Date: Aug 2011
Originally Posted by hakkuo23 View Post
After I applied the changes I am unable to login, it says my password is incorrect

EDIT

Stupid me, there was an extra parenthesis in functions_login.php

I will respond if it works in a bit!

EDIT

No it does not work vBulletin v4.2.0
Yes, all of your passwords would be reset, as the algorythum would change.
__________________
I do free vBulletin modification security checks. PM me.
http://services.internot.info/
Reply With Quote
  #6  
Old 29 Sep 2012, 19:59
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
Since your new algorithm basically encrypts the original hash, I think you could actually write a function to go through and convert all the passwords so that existing members could log in without having to change their pw. But of course when it's uninstalled there's nothing else to be done but have everyone change their pw. Either way you might want to add a warning in the description.

Anyway, nice mod, I was thinking about something like this a while back but never got around to it.
Reply With Quote
  #7  
Old 29 Sep 2012, 20:55
MegaManSec MegaManSec is offline
 
Join Date: Aug 2011
Originally Posted by kh99 View Post
Since your new algorithm basically encrypts the original hash, I think you could actually write a function to go through and convert all the passwords so that existing members could log in without having to change their pw. But of course when it's uninstalled there's nothing else to be done but have everyone change their pw. Either way you might want to add a warning in the description.

Anyway, nice mod, I was thinking about something like this a while back but never got around to it.
Filip(DragonByte-Tech) and I were working on somethbing like that, but it didn't work for some strange reason.

And yeah, it can only go 'one way'.

I'll add a disclaimer to the OP
__________________
I do free vBulletin modification security checks. PM me.
http://services.internot.info/
Reply With Quote
  #8  
Old 29 Sep 2012, 21:54
Adrian Schneider's Avatar
Adrian Schneider Adrian Schneider is offline
 
Join Date: Jul 2004
First off, thanks for trying to make vBulletin more secure. BCrypt is an excellent algorithm and much much better than md5. From my latest research, it's the industry standard.

However - you are going to all this work to properly store the password using BCrypt, but then you md5 it. As soon as you md5 it, you have lost all of that security .

Second - and this is just a future suggestion, you could have the system detect which password hash they are using, and check accordingly. This way you can update peoples passwords to the new system whenever they change their password (and probably mass-email everyone suggesting they do). but still authenticate the old hashes properly. Unfortunately the way it's implemented, nobody will want to use this except for starting new boards. It is possible.

Cheers
Reply With Quote
  #9  
Old 29 Sep 2012, 21:56
MegaManSec MegaManSec is offline
 
Join Date: Aug 2011
Originally Posted by Adrian Schneider View Post
First off, thanks for trying to make vBulletin more secure. BCrypt is an excellent algorithm and much much better than md5. From my latest research, it's the industry standard.

However - you are going to all this work to properly store the password using BCrypt, but then you md5 it. As soon as you md5 it, you have lost all of that security .

Second - and this is just a future suggestion, you could have the system detect which password hash they are using, and check accordingly. This way you can update peoples passwords to the new system whenever they change their password (and probably mass-email everyone suggesting they do). but still authenticate the old hashes properly. Unfortunately the way it's implemented, nobody will want to use this except for starting new boards. It is possible.

Cheers
Er, once I MD5 it it does not lose security. if anything, it makes it more secure(by 0.00001 of a percent, though)
I'm currently crteating the 'auto-bcrypt' pwd encrypter for it. it'll be done soon.
__________________
I do free vBulletin modification security checks. PM me.
http://services.internot.info/
Reply With Quote
  #10  
Old 29 Sep 2012, 22:03
Adrian Schneider's Avatar
Adrian Schneider Adrian Schneider is offline
 
Join Date: Jul 2004
No - once you md5 it, you have lost all of the security. You are still succeptable to md5 collissions which is md5's biggset weakness.
Reply With Quote
  #11  
Old 29 Sep 2012, 22:05
MegaManSec MegaManSec is offline
 
Join Date: Aug 2011
Oh. I see what you mean. I thought you were referring to hash cracking.
MD5 collisions aren't such a problem in vBulletin, really.

+ Also, it would take a lot longer to find a hash collision...
__________________
I do free vBulletin modification security checks. PM me.
http://services.internot.info/
Reply With Quote
  #12  
Old 29 Sep 2012, 22:07
Adrian Schneider's Avatar
Adrian Schneider Adrian Schneider is offline
 
Join Date: Jul 2004
It has nothing to do with vBulletin.

If someone hacks into your server and gets your database dump, they can brute force that to find other possible passwords for your users.

The whole point of BCrypt is to make that impossible by A) being ridiculously slow, and B) being a more crytographically unique hash.
Reply With Quote
  #13  
Old 29 Sep 2012, 22:10
MegaManSec MegaManSec is offline
 
Join Date: Aug 2011
Originally Posted by Adrian Schneider View Post
It has nothing to do with vBulletin.

If someone hacks into your server and gets your database dump, they can brute force that to find other possible passwords for your users.

The whole point of BCrypt is to make that impossible by A) being ridiculously slow, and B) being a more crytographically unique hash.
Well, BCrypt is not impossible to brute force, it just takes longer, as you've said.


First of all, if they cracked the MD5, what would they get?
They would get the bcrypt value.
Then what? Then they have to crack that.
That's the pointy.
__________________
I do free vBulletin modification security checks. PM me.
http://services.internot.info/
Reply With Quote
  #14  
Old 29 Sep 2012, 22:40
MegaManSec MegaManSec is offline
 
Join Date: Aug 2011
Originally Posted by Adrian Schneider View Post
It has nothing to do with vBulletin.

If someone hacks into your server and gets your database dump, they can brute force that to find other possible passwords for your users.

The whole point of BCrypt is to make that impossible by A) being ridiculously slow, and B) being a more crytographically unique hash.
Wait, so are you talking about:

Dictionary Attacks, or
Rainbow Tables
or hash collisions?

Hash collisions aren't useful, afaik.. they just let you login to your account(or NOT your account) with more than just one password.
__________________
I do free vBulletin modification security checks. PM me.
http://services.internot.info/

Last edited by MegaManSec; 29 Sep 2012 at 22:52.
Reply With Quote
  #15  
Old 02 Oct 2012, 23:22
Fluke667 Fluke667 is offline
 
Join Date: Feb 2007
NICE

this rocks
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Mod Options

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 02:15.

Layout Options | Width: Wide Color: