Announcement

Collapse
No announcement yet.

Encryption method of password

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Encryption method of password

    What encryption method is used by vBulletin to encypt passwords saved to the databse?

  • #2
    Originally posted by artcoder View Post
    What encryption method is used by vBulletin to encypt passwords saved to the databse?
    Salted and MD5 hashed; it is next to impossible to retrieve and view a password even if the database is compromised.
    anders | vbulletin team | check out the new vbulletin facebook app
    Proudly vBulletin'ing since 2001
    Please be my friend!
    http://www.twitter.com/inetskunkworks
    vBulletin Performance Articles:
    Click here to read

    Comment


    • #3
      Originally posted by IBxAnders View Post
      Salted and MD5 hashed; it is next to impossible to retrieve and view a password even if the database is compromised.
      not impossible.... anything is possible.

      But yes, it uses Salted + MD5 Hash.

      Comment


      • #4
        Originally posted by FreshFroot_ View Post
        not impossible.... anything is possible.

        But yes, it uses Salted + MD5 Hash.
        Sorry to split hairs here, but it is impossible to reverse the has, it is not however impossible to guess password and salt combinations, but to go through all the possible combinations just for one hash, could potentially take years. If you find out what the salt for that user is, eg via compromised DB you're half way there, but you'll still have a long time to match including the salt.
        http://data.collectiveirc.net/status/user/Jobe.png

        Comment


        • #5
          Originally posted by FreshFroot_ View Post
          not impossible.... anything is possible.
          This is impossible - you can't calculate the exact password out of a hash, as several passwords will produce the same hash - and there is really no way to tell which password was actually used.

          (Which, of course, doesn't mean you won't be able to find such a colission, eg. a string that produces the hash you are after).

          Comment


          • #6
            Doesn't vBulletin use a triple hash?
            I'm sure I read somewhere they md5 it more than once? Something along the lines of:
            PHP Code:
            md5(md5(md5($password $salt))) 
            I could be wrong - I think I read it somewhere though.

            Comment


            • #7
              Originally posted by James Birkett View Post
              Doesn't vBulletin use a triple hash?
              I'm sure I read somewhere they md5 it more than once? Something along the lines of:
              PHP Code:
              md5(md5(md5($password $salt))) 
              I could be wrong - I think I read it somewhere though.
              It is stored in the database as md5(md5($password) + $salt).

              The cookies that contains the password stored on the user's PC is:

              md5(md5(md5($password) + $salt) + COOKIE_SALT)

              COOKIE_SALT is the license ID of the software.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API

              Comment


              • #8
                Thanks wayne! That helped me understand
                So the database:
                Md5's password first.
                Then it md5's the password (again) and the salt.

                For the cookie:
                md5's password first.
                md5's the password (again) and the salt.
                md5's the hash of above step + license ID?

                Comment


                • #9
                  Yes.
                  Translations provided by Google.

                  Wayne Luke
                  The Rabid Badger - a vBulletin Cloud demonstration site.
                  vBulletin 5 API

                  Comment


                  • #10
                    password

                    If you actually want to view your users passwords, simply edit out all the encryptions.

                    but then you would have to have a really strong security system on your server so that it doesn't get compromised.

                    I have my server and database on the same LAN, with the server on a static ip and the database not internet accessible, and connect the server to the database. and then the database has like $500/year worth of encryption software and security software. (its worth it to learn your users passwords :P)

                    Comment


                    • #11
                      Originally posted by Jobe1986 View Post
                      Sorry to split hairs here, but it is impossible to reverse the has, it is not however impossible to guess password and salt combinations, but to go through all the possible combinations just for one hash, could potentially take years. If you find out what the salt for that user is, eg via compromised DB you're half way there, but you'll still have a long time to match including the salt.
                      You forget NO encryption is 100%. This encryption can also be decrypted. It won't be easy, and probably not worth most people's time. BUT it is NOT impossible. I know our Comp classes we looked over this issue and worked out methods.

                      So it is NOT impossible. However, unless someone has LOTS of time or is bored. I don't see any use of it. Your better at guessing someone's password than going through with this method.

                      Comment


                      • #12
                        Originally posted by FreshFroot_ View Post
                        You forget NO encryption is 100%. This encryption can also be decrypted. It won't be easy, and probably not worth most people's time. BUT it is NOT impossible. I know our Comp classes we looked over this issue and worked out methods.

                        So it is NOT impossible. However, unless someone has LOTS of time or is bored. I don't see any use of it. Your better at guessing someone's password than going through with this method.
                        The key point to your argument is "encryption". MD5, SHA1 etc... are NOT encryption, they are hash algorithms. Designed to be irreversable. The ONLY way to find out what produces a hash the same is to repeatedly hash strings of data until you get the same result. You cannot otherwise undo the mathematical operation and get the exact string used. Now if you're trying to find what values make a simple hash then that wont take so long, but with vBulletin hashes you need to find out the salt too, which makes the job of finding a pattern that matches a hell of a lot harder, because with the salt, you have to find a salt, that when applied to the same password as the salt in the DB, will produce the SAME hash.
                        http://data.collectiveirc.net/status/user/Jobe.png

                        Comment


                        • #13
                          Originally posted by FreshFroot_ View Post
                          You forget NO encryption is 100%. This encryption can also be decrypted. It won't be easy, and probably not worth most people's time. BUT it is NOT impossible.
                          I am sorry, but this is just wrong.

                          Hashing != Encrypting

                          You can't "decrypt" a hash, never.
                          You can, of course, find colissions (eg. strings that produce the hash you are after), but you'll never know if the string you found was actually the password.

                          Comment


                          • #14
                            Originally posted by Andreas View Post
                            I am sorry, but this is just wrong.

                            Hashing != Encrypting

                            You can't "decrypt" a hash, never.
                            You can, of course, find colissions (eg. strings that produce the hash you are after), but you'll never know if the string you found was actually the password .
                            Andreas is right folks ...you won't know if a string you found was actually the password you where after...

                            Comment


                            • #15
                              I'm building a comment system for our newspages and I want to use the same username/password combination as our forum uses. Everything is set to go, the only thing I need to do is encrypt the password so it will be the same as the encrypted password in the database. Does anybody know how to do that?

                              Thanks,
                              Barry
                              Wakeboarden.org

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X