Forums

Unfortunately no one can be told what FluxBB is - you have to see it for yourself.

You are not logged in.

#1 2020-01-10 23:18:52

oli_v_ier
Member
Registered: 2008-09-21
Posts: 47

password_hash

Hi,

https://eprint.iacr.org/2020/014.pdf

Please no more SHA1 in fluxBB ! The right solution is to use password_hash (native function in PHP since 5.5). How ?

Offline

#2 2020-01-11 03:01:48

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,392
Website

Offline

#3 2020-01-11 10:38:55

oli_v_ier
Member
Registered: 2008-09-21
Posts: 47

Re: password_hash

Cool.
Is there a way to extract the function and integrate it with FluxBB 1.5.11 without updating the rest? Has anyone done it?
Or is Master functional and can I upgrade my FluxBB 1.5.11 to Master?

Given the recent discoveries on SHA1, passwords are almost no longer secure on FluxBB.

Offline

#4 2020-01-16 15:25:45

artoodetoo
Member
From: Far-Far-Away
Registered: 2008-05-11
Posts: 227

Re: password_hash

oli_v_ier wrote:

Given the recent discoveries on SHA1, passwords are almost no longer secure on FluxBB.

With one note: if your database got into attackers. This is not a very likely event, right? smile
Assuming that an attacker has direct access to your database or files, he does not need to decrypt passwords at all.


I'm not a fan of FluxBB way anymore.

Offline

#5 2020-01-16 16:04:59

oli_v_ier
Member
Registered: 2008-09-21
Posts: 47

Re: password_hash

artoodetoo wrote:

With one note: if your database got into attackers. This is not a very likely event, right? smile

It's true, but if the risk is so low, why encrypt passwords?
https://en.wikipedia.org/wiki/File:IC-R … mplate.jpg

I believe that when we take responsibility for storing passwords, it is our duty to use the best available means so that they are well protected. Efficient encryption is available, let's use it.
In the event of hacking of the data base the hacker will be able to associate email address and password which can lead to identity theft.

Offline

#6 2020-01-16 21:30:51

artoodetoo
Member
From: Far-Far-Away
Registered: 2008-05-11
Posts: 227

Re: password_hash

Agreed


I'm not a fan of FluxBB way anymore.

Offline

#7 2020-09-28 09:57:52

JamesDean
Member
Registered: 2020-09-28
Posts: 19

Re: password_hash

There is no such thing as "security" on the internet. If its published, it can be exploited. The only resources needed to break into anything is CPU & Time .... Password hashing is simply a means of making it time consuming to run a collision check on passwords. It does not really matter what Hashing method you use, or how complex you make it, all you can achieve is causing "more time" being needed to run a collision.

In terms of adding "more time" needed to brute force passwords, the only efficient method you can use is salting the password.

if(md5(crypt($_POST['user_password'], $arr['user_regdate'])) === $arr['user_password']){ //login here }

If you wanted to make it more complex, you can simply change the salt to be randomized, like salting based on different patterns from the user ID ( odd numbers use ID as salt, and even numbers use reg-date ). But all this does is force the brute-forcer to run additional collision checks on each different pattern you choose.

IF someone gets their hands on your hashed password, there is NOTHING to stop them from finding the collision path for it! Every native Hashing method in PHP takes AT MOST 5 to 7 days to run a successful collision check using the CPU from the average laptop computer.

In terms of changing a password hash on a user account without causing a re-creation of a new password is something we call Hash Stacking .... which is nothing more than hashing the existing hash

md5(md5(crypt($_POST['user_password'], $arr['user_regdate'])))

note md5( twice ... and there is no limit, you can stack 100 times if you really want to!

This same method of stacking can be done through all of the PHP hashing methods .... which the end user still types in the same password as they originally had, but the hash is changed in your Database. However, if you are re-hashing simply due to a data breach, then nothing will save the end user other than informing them to change their password.

Security should take place BEFORE someone gets to the data, not AFTER ... Anything AFTER is simply too late!

Offline

Board footer

Powered by FluxBB