Hi..

VBulletin looks cool. I am thinking about getting it. I have a few questions.

1. Is there a summary somewhere of VBulletin's security features and security history? For example, are passwords encrypted using password salts? After looking into the security features of another bulletin board system I was not impressed at all. The security was insufficient for integration into a serious site (see item 2 below).

2. Where can I find information about integrating VBulletin with other features of a site? For example, I am interested in using VBulletin to register, and then using the user name and password from within a separate program to manage access to that program. I most certainly would like to avoid having users have to register two or more times, once for the (VBulletin) forums and once for the program.

3. When will VBulletin Version 3 be released? I am sure this is a FAQ but after about 15 minutes of looking at various VBulletin boards here I could not figure out where to find regular updates about this.


Andrew

1. No. Yes.
2. VBulletin.org
3. This year.

What is the best way to get a good idea of the security features of VBulletin, security history, and the attitude of the VBulletin developers toward security?

Take a look at the Announcements forum for each new version announcement. The Devs take security very seriously.

OK, thanks.

I looked in the mySQL database records, and for the user I looked at, the vBulletin password is stored as a straight MD5 digest of the user password. No password salt is used. Will this be addressed in vB3?

It has been addressed in vBulletin 3.0

It has been addressed in vBulletin 3.0

That is great! Can you explain a bit how it's addressed? I am doing some site integration and would like to prepare for however things change in vB3. I might use the vB database to authenticate users in my own application so that the user name/password can be shared between vB and my app.

The stored has is an md5 of the md5 password and a randomly generated (upon registration) string unique to the user.

so:
$hash = md5(md5($password).$uniqueUserSalt);

No password salt is used.

what does that mean???

Our passwords were bland and needed a bit of spice.

Or in other words... :p it means that if you use the same password on two forums, the hash of them will be different on each site. This makes for better security because even if someone got a hold of the hash of your password on one forum, it won't be usable on another forum.

oh i see (mind you i think i understood freddies more :))

so how does it know you have a password thats the same on another board then??

The stored has is an md5 of the md5 password and a randomly generated (upon registration) string unique to the user.

so:
$hash = md5(md5($password).$uniqueUserSalt);

Good deal, I appreciate the info; it's a big help.

There appears to be an extra step in there, BTW. The following will eliminate one of the md5 computations, which would speed things up:

$hash = md5($uniqueUserSalt.$password);

Just be sure that uniqueUserSalt always has the same number of characters.

Also, Schneier says he's wary of using MD5 in his book "Applied Cryptography". It might be better to use SHA1.


Andrew

THe reason sha1 is used along with having the old password hashed first is to make vbulletin 3 an easy upgrade for vbulletin 2 owners.

THe reason sha1 is used along with having the old password hashed first is to make vbulletin 3 an easy upgrade for vbulletin 2 owners.

I see what you mean about upgrading.

I'm not sure what you mean about sha1 -- there may be a typo somewhere.

Also, Schneier says he's wary of using MD5 in his book "Applied Cryptography". It might be better to use SHA1.
Andrew

You are correct. However, MD5 has become the de facto standard in encrypting passwords in various bulletin board packages. Converting to SHA1 would cause a lot of pain and headache as every single password would need to be changes in a secure way. This doesn't just effect our thousands of customers but millions of end-users as well. Such a change is not to be taken lightly. Since you cannot unhash either MD5 or SHA1, there is a lot of consideration to be made taking such a step.

A change like this will also impact future business and importing from other systems. However, if you are building a new system and would like to change it from MD5 to SHA1, you can do so with a few minor modifications of the system.

You are correct. However, MD5 has become the de facto standard in encrypting passwords in various bulletin board packages. Converting to SHA1 would cause a lot of pain and headache as every single password would need to be changes in a secure way. This doesn't just effect our thousands of customers but millions of end-users as well. Such a change is not to be taken lightly. Since you cannot unhash either MD5 or SHA1, there is a lot of consideration to be made taking such a step.

A change like this will also impact future business and importing from other systems. However, if you are building a new system and would like to change it from MD5 to SHA1, you can do so with a few minor modifications of the system.

I'm glad you agree that this isn't something to be taken lightly!

Tthe password scheme is already changing in vB3.0 from the previous vB version; it's switching from

$hash = md5($password);

to

$hash = md5(md5($password), $salt);

This change isn't much different than changing from

$hash = md5($password);

to

$hash = sha1(md5($password),$salt);

The only difference I can see is that if people are already using the vBulletin database in separate non-vB programs to access the password field, and have access to md5 functions now and don't have access to sha1 functions, they might have some work to do. These people are going to have to do some work anyway because of the change in the way that the hash is computed in vB3.0. If vB3.0 has a "use old-style password hashes" option, and someone uses it, then they'll just continue to use md5($password) and nothing will change for them.

So using sha1 instead of md5 as the outer hash doesn't seem to cause pain. Are there other considerations?

Andrew

I see what you mean about upgrading.

I'm not sure what you mean about sha1 -- there may be a typo somewhere.
Sorry about that. I meant md5. (just had my mind in some other polace)

Sorry about that. I meant md5. (just had my mind in some other polace)

No prob..