vBulletin Password Handling

Collapse
X
Collapse
  •  

  • vBulletin Password Handling

    Note: vBulletin Cloud sites cannot use custom password schemes at this time.

    The core security of your site rests on the user password and how it is stored. In the beginning, vBulletin stored a plain MD5 hash of the password. As the hardware used for password cracking (GPUs and ASICs) became more powerful, an unsalted MD5 hash became too cheap to brute-force and no longer provided adequate security. Simply switching to a different scheme would have meant that existing users could not log in until they had changed their passwords, so a more convenient migration path was needed. At that point a randomly generated 3-character salt was added: the MD5 of the password was concatenated with the salt and hashed a second time. Technology caught up with this technique as well, so the salt was increased to 30 characters. Once again, hardware caught up. We needed a better way to hash passwords that still let users log in seamlessly.

    PHP 5.5 introduced a native password hashing API (password_hash() and password_verify()) that addresses these problems, and vBulletin adopted it. vBulletin 5 added a new password system built around Password Schemes. Several schemes can be active at once, and the system works out which one is needed to verify each login. vBulletin 5.4.x currently ships with two schemes; each has its pros and cons. The new functions give vBulletin two things. First, a new salt is generated every time a user's password is created, and these salts come from a cryptographically secure random number generator, so they are far stronger than the method used previously. Second, comparing passwords can be made deliberately slow. An attacker who steals the hashes has to compute a candidate hash for every guess, so the time each hash takes sets the cost of the attack. With the bcrypt (Blowfish-based) algorithm the work factor is tuned so that one hash takes roughly half a second to complete, which helps to cancel out the extra power of newer hardware.

    Password Schemes

    Blowfish / bcrypt

    This is currently the default password scheme used by vBulletin. It has the highest priority and is considered cryptographically secure.

    Legacy

    This system allows your users to continue to log in with the password hashes generated in vBulletin 3 and vBulletin 4. This is its only purpose today. We do not recommend that you use it for new users.

    Password Compatibility

    vBulletin stores each password hash together with a marker for the scheme that produced it, so the software knows which scheme to use without knowing the password itself. Any stored hash can therefore be verified as long as a matching scheme is loaded (hashes are never decrypted; the submitted password is hashed again under the same scheme and the two results are compared). Once the password is verified, it is re-hashed and saved under the scheme with the highest priority in your Password Schemes file, so accounts migrate to the strongest scheme the next time each user logs in.

    Adding New Schemes

    The password system in vBulletin 5 Connect is extensible, so you can add your own password schemes. It is controlled by the /core/includes/xml/pwsschemes_vbulletin.xml file and the corresponding code in /core/vb/utility/password/algorithm. Each new scheme needs an entry in a password schemes XML file and, if it introduces a new algorithm, a corresponding class in the algorithm folder.

    Default pwsschemes_vbulletin.xml

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <schemes>
    <scheme name='blowfish:10' priority='10' />
    <scheme name='legacy' priority='1' />
    </schemes>
    

    New Scheme Example

    You can add a new Blowfish/bcrypt scheme with a higher cost so that passwords take longer to hash and verify, which keeps them harder to crack on newer hardware. Because the Blowfish code is already in the system, no additional PHP is needed. Bear in mind that bcrypt's cost is a base-2 exponent: each step doubles the work, so blowfish:15 is 32 times slower than blowfish:10 for your login page as well as for an attacker. Benchmark the cost on your own server before rolling it out, since a slow login also makes the login endpoint easier to tie up with junk requests.

    This is a two step process.

    Edit the Password Scheme File

    To add our new scheme we need to create our own custom Password Scheme file. Let's add a new level of Blowfish hashing with a higher cost. In the /core/includes/xml directory add a new file called pwsschemes_custom.xml with the following contents:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <schemes>
    <scheme name='blowfish:15' priority='20' />
    </schemes>
    

    Our new scheme reuses the existing Blowfish hashing code; only the cost and the priority are higher. To add it, upload the file to /core/includes/xml. The custom file name ensures it is not overwritten when vBulletin is upgraded to the next version. If we were adding a new kind of password hashing, we would also have to provide the PHP class that implements it; you can see how this is done by reviewing the classes in the /core/vb/utility/password directory.

    Rebuild Password Schemes

    Once the new file is uploaded to the server, you will need to rebuild the password schemes stored in the database. To do this, upload the /core/install directory to the server along with tools.php. You can find tools.php in the do_not_upload directory of your download package. Place this file in /core/install for the current task.

    Once these files are uploaded, point your browser to /core/install/tools.php. If you are asked for your Customer ID, enter it. Once the page has loaded, choose the Rebuild Password Schemes option from the menu. When you are done, delete the /core/install directory (with tools.php in it) from your site so the maintenance tools are not left reachable.

    Now you should be able to log in normally, and your password will be stored under the new scheme.

    Note: When changing vBulletin files, make sure not to overwrite or delete pwsschemes_custom.xml. Once a password has been rehashed under blowfish:15, that scheme must be loaded to verify it; if the file is missing, every user whose password has already been migrated will be unable to log in. Keep a copy of the file with your other customisations and check that it is still in place after every upgrade.
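    The scheme-tagged storage described under Password Compatibility, and the migration to the higher-cost blowfish:15 scheme from the New Scheme Example, as an added illustration that is not vBulletin's own code (the real implementation lives under /core/vb/utility/password and differs in detail). Assumptions: the record shape (scheme, token and salt fields), the function names, and that the legacy token is md5(md5(password) . salt) as vBulletin 3/4 stored it. The sample accounts are constructed.

```php
<?php
declare(strict_types=1);

// Scheme table in the shape of the XML files: name => priority.
// 'blowfish:15' is the entry from pwsschemes_custom.xml; the other two are
// the defaults from pwsschemes_vbulletin.xml. (Illustration only.)
const SCHEMES = [
    'blowfish:15' => 20,
    'blowfish:10' => 10,
    'legacy'      => 1,
];

// Name of the scheme with the highest priority (new hashes are written in it).
function preferredScheme(array $schemes): string
{
    arsort($schemes);   // sort by priority, highest first
    reset($schemes);
    return (string) key($schemes);
}

// Parse "blowfish:N" into its bcrypt cost; null for any other scheme name.
function bcryptCost(string $scheme)
{
    if (strpos($scheme, 'blowfish:') !== 0) {
        return null;
    }
    return (int) substr($scheme, strlen('blowfish:'));
}

// Hash a password under the named scheme and return the token to store.
function hashWithScheme(string $scheme, string $password, string $salt = ''): string
{
    $cost = bcryptCost($scheme);
    if ($cost !== null) {
        // password_hash() draws a fresh 128-bit salt from a CSPRNG on every call
        // and embeds both salt and cost in the "$2y$NN$..." string it returns.
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    if ($scheme === 'legacy') {
        // Assumed vBulletin 3/4 format: md5(md5(password) . salt), per-user salt.
        return md5(md5($password) . $salt);
    }
    throw new InvalidArgumentException("unknown scheme: $scheme");
}

// Verify a submitted password against a stored token under the token's own scheme.
function verifyWithScheme(string $scheme, string $password, string $token, string $salt = ''): bool
{
    if (bcryptCost($scheme) !== null) {
        return password_verify($password, $token);               // constant-time internally
    }
    if ($scheme === 'legacy') {
        return hash_equals($token, md5(md5($password) . $salt)); // avoid a timing leak
    }
    return false;
}

// Login flow: check the password with the record's own scheme; on success,
// rewrite the record under the preferred scheme if it is not already using it.
// Returns [bool $ok, array $record].
function login(array $record, string $password, array $schemes = SCHEMES): array
{
    if (!isset($schemes[$record['scheme']])) {
        // No loaded scheme matches: the hash cannot be checked, so the login fails.
        // This is the situation if pwsschemes_custom.xml is deleted after a rebuild.
        return [false, $record];
    }
    $salt = isset($record['salt']) ? $record['salt'] : '';
    if (!verifyWithScheme($record['scheme'], $password, $record['token'], $salt)) {
        return [false, $record];
    }
    $best = preferredScheme($schemes);
    if ($record['scheme'] !== $best) {
        $record['scheme'] = $best;
        $record['token']  = hashWithScheme($best, $password);
        unset($record['salt']);   // bcrypt tokens carry their own salt
    }
    return [true, $record];
}

// Constructed sample accounts; not real data.
$accounts = [
    ['scheme' => 'legacy', 'salt' => 'aB3',
     'token'  => hashWithScheme('legacy', 'correct horse', 'aB3')],
    ['scheme' => 'blowfish:10',
     'token'  => hashWithScheme('blowfish:10', 'correct horse')],
];

foreach ($accounts as $rec) {
    list($ok, $after) = login($rec, 'correct horse');
    printf("%-12s right password: ok=%s, now stored as %s\n",
        $rec['scheme'], var_export($ok, true), $after['scheme']);
    list($bad, $same) = login($rec, 'wrong password');
    printf("%-12s wrong password: ok=%s, still stored as %s\n",
        $rec['scheme'], var_export($bad, true), $same['scheme']);
}

// With the custom scheme file gone, a blowfish:15 token can no longer be verified.
$migrated = login($accounts[1], 'correct horse')[1];
list($ok) = login($migrated, 'correct horse', ['blowfish:10' => 10, 'legacy' => 1]);
printf("blowfish:15 token with custom scheme file missing: ok=%s\n", var_export($ok, true));
```

    Run it with `php` from the command line. Each cost-15 hash takes a few seconds on ordinary hardware, which is the trade-off the New Scheme Example makes; the last line shows why the note above warns against removing pwsschemes_custom.xml once users have been migrated.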

    Last edited by Wayne Luke; Wed 16 Jan '19, 1:17pm.