phpBB2Refugees.com
Not affiliated with or endorsed by the phpBB Group

phpBB3 password hashing for phpbb2?


 
drathbun
Board Member
Joined: 24 Jul 2008
Posts: 653
Location: Texas
Posted: Fri Feb 06, 2009 9:02 pm
Post subject: phpBB3 password hashing for phpbb2?

Has anyone tried back-porting the phpBB3 hashing for passwords into phpBB2? I remember reading MODs about salting the passwords and continuing to use md5, but the phpBB3 mechanism seems to be stronger even than that. If nobody else has done it, I plan on starting on a MOD this weekend.
_________________
phpBBDoctor Blog

Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Fri Feb 06, 2009 9:05 pm
Post subject: Re: phpBB3 password hashing for phpbb2?

No, but I changed the way passwords are stored for my site a few months ago.

The PHPass code does intrigue me, though I haven't looked in-depth to how it works, just skimmed over it some times.

_________________
Moof!

Ram
Board Member
Joined: 23 Dec 2008
Posts: 100
Location: Somewhere over the rainbow
Posted: Fri Feb 06, 2009 9:06 pm
Post subject: Re: phpBB3 password hashing for phpbb2?

Yup, there is an existing MOD (Salt Password) that hashes (in md5) the password again. It is based on the date of members' inscription.

Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Fri Feb 06, 2009 9:07 pm
Post subject: Re: phpBB3 password hashing for phpbb2?

Ram wrote:
It is based on the date of members' inscription.

Which is useless, IMO, because that date can be retrieved all too easily.

_________________
Moof!

Ram
Board Member
Joined: 23 Dec 2008
Posts: 100
Location: Somewhere over the rainbow
Posted: Fri Feb 06, 2009 9:09 pm
Post subject: Re: phpBB3 password hashing for phpbb2?

I have never used this MOD, which seems useless to me; if you use a hard and long password you have no problem.

drathbun
Board Member
Joined: 24 Jul 2008
Posts: 653
Location: Texas
Posted: Fri Feb 06, 2009 9:15 pm
Post subject: Re: phpBB3 password hashing for phpbb2?

The reason for bringing up the topic now is fairly obvious. With the exposure of the phpbb.com database, a number of hashed passwords have already been exposed and the hashes are available for anyone to attempt to match. I am less worried than some, as I use a different password on every different site. Yet I would still prefer to have a more secure system for hashing the password in the database.

The md5 algorithm cannot be reversed, that's technically not possible. But people have run dictionary words through the hashing process and built lookup tables that show which hashes match which standard words. Obviously this is a large effort :) and doesn't cover all possible hashes. The concept of a rainbow table addresses more obscure words. According to the link, even a simple salt is effective at defeating rainbow tables.
Quote:
The salt value is not secret and may be generated at random and stored with the password hash. A large salt value prevents precomputation attacks, including rainbow tables, by ensuring that each user's password is hashed uniquely. This means that two users with the same password will have different password hashes (assuming different salts are used). In order to succeed, an attacker needs to precompute tables for each possible salt value. Even for older Unix passwords, which used a 12-bit salt, this would be improbable. The MD5-crypt and bcrypt methods—used in Linux, BSD Unixes, and Solaris—have salts of 48 and 128 bits, respectively.[2] These larger salt values make precomputation attacks for almost any length of password impossible against these systems for the foreseeable future.

So it seems that even if the salt is known, it doesn't help as a new series of table values would have to be generated for each potential salt.
Quote:
Also, rainbow tables and other precomputation attacks do not work against passwords that contain symbols outside the range presupposed, or that are longer than those precomputed by the attacker. Because of the sizable investment in computing processing, Rainbow tables beyond fourteen places in length are not yet common. So, choosing a password that is longer than fourteen characters or that contains non-alphanumeric symbols may force an attacker to resort to brute-force methods.

_________________
phpBBDoctor Blog
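
Added example (not part of the thread and not phpBB code): the salting behaviour described in the post above, written in PHP. The word list, user names and the `salt$hash` storage layout are constructed for illustration; salted MD5 is used only because it is the scheme the thread discusses.

```php
<?php
// Constructed sample data: a tiny word list standing in for a precomputed table,
// and two users who both chose the same dictionary password.
$wordlist = ['letmein', 'dragon', 'sunshine'];
$users    = ['alice' => 'sunshine', 'bob' => 'sunshine'];

// Precomputed lookup table: md5(word) => word. Built once, then reusable
// against any store of unsalted md5 hashes.
function build_table(array $words): array {
    $table = [];
    foreach ($words as $w) {
        $table[md5($w)] = $w;
    }
    return $table;
}

// Unsalted storage as discussed in the thread: the hash depends only on the password.
function store_unsalted(string $password): string {
    return md5($password);
}

// Salted storage (hypothetical layout "salt$hash"): a random per-user salt,
// not secret, kept next to the hash.
function store_salted(string $password): string {
    $salt = bin2hex(random_bytes(16)); // 128-bit salt
    return $salt . '$' . md5($salt . $password);
}

// Verification re-derives the hash from the stored salt and compares in constant time.
function verify_salted(string $password, string $stored): bool {
    [$salt, $hash] = explode('$', $stored, 2);
    return hash_equals($hash, md5($salt . $password));
}

$table = build_table($wordlist);
foreach ($users as $name => $password) {
    $plain      = store_unsalted($password);
    $salted     = store_salted($password);
    $saltedHash = explode('$', $salted, 2)[1];

    // Unsalted: both users share one hash and the table resolves it.
    printf("%s unsalted=%s table hit: %s\n", $name, $plain, $table[$plain] ?? 'none');
    // Salted: hashes differ per user, the same table finds nothing, login still works.
    printf("%s salted=%s table hit: %s, verifies: %s\n", $name, $salted,
        $table[$saltedHash] ?? 'none', verify_salted($password, $salted) ? 'yes' : 'no');
}
```

A salt defeats precomputed tables only; each guess against a single salted MD5 is still cheap, which is the gap iterated schemes such as the PHPass code mentioned earlier in the thread address.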

Sylver Cheetah 53
Board Member
Joined: 17 Dec 2008
Posts: 426
Location: Milky Way
Posted: Sat Feb 07, 2009 1:29 pm
Post subject: Re: phpBB3 password hashing for phpbb2?

I just want to point out one thing. If you put in a hard-to-break password hashing system, probably even you won't be able to break them, if you ever want to. ;)
_________________
My Forum || My Blog

phpBB2 forever! :)

Jim_UK
Board Member
Joined: 19 Nov 2008
Posts: 544
Location: North West UK
Posted: Sat Feb 07, 2009 3:09 pm
Post subject: Re: phpBB3 password hashing for phpbb2?

I can think of no legitimate reason for an Admin wanting to be able to break a hashed password.
With database access there really is no need to do so, as a new one can be inserted either via phpMyAdmin, Starfoxtj Toolkit or via the Admin Control Panel.

If you manage to reverse engineer the phpBB3 one, Dave, and produce a mod that we can use, then I would be very interested as well. Anything that makes my board more secure must be a plus.

Jim

Salvatos
Board Member
Joined: 19 Feb 2009
Posts: 416
Location: Québec
Posted: Thu Feb 19, 2009 8:36 am
Post subject: Re: phpBB3 password hashing for phpbb2?

Very much looking forward to a password safety MOD as well, that's pretty much the only little thing that would make me "regret" not going to phpBB3.

drathbun
Board Member
Joined: 24 Jul 2008
Posts: 653
Location: Texas
Posted: Thu Feb 19, 2009 9:03 pm
Post subject: Re: phpBB3 password hashing for phpbb2?

I took a quick look to see if it was going to be simple... but that's as far as I have gone so far. I am in the process of moving sites to a new server and helping a friend recover from a hacked website (not via phpBB2 as far as we can tell, although the board was the target, I don't think it was the entry point) and general life. Many things related to phpBB have been pushed to the side for now.
_________________
phpBBDoctor Blog

Salvatos
Board Member
Joined: 19 Feb 2009
Posts: 416
Location: Québec
Posted: Fri Feb 20, 2009 3:12 am
Post subject: Re: phpBB3 password hashing for phpbb2?

No problem, I'm not in a hurry as far as I'm concerned ;)

ABDev
Board Member
Joined: 01 Jun 2009
Posts: 37
Posted: Tue Jun 23, 2009 10:40 pm
Post subject: Re: phpBB3 password hashing for phpbb2?

Here is a way (French content): http://forums.phpbb-fr.com/support-utilisation-phpbb3/sujet162061.html