What cryptographic hash function is VBulletin using for user passwords protection?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Hall of Famer
    Senior Member
    • Apr 2009
    • 356
    • 3.8.x

    [Forum] What cryptographic hash function is VBulletin using for user passwords protection?

    Just curious, I wonder what hash function is VB using for VB3 and VB4. MD5, SHA-1, SHA-2 or none of these above?
  • punchbowl
    Senior Member
    • Nov 2006
    • 3903
    • 4.0.x

    #2
    PHP Code:
    $sql "SELECT username FROM vb_user 
                           WHERE username = '
    {$_POST['fusername']}
                           AND password = md5( concat( md5('
    {$_POST['fpassword']}'), salt));"
    looks like md5 to me

    Comment

    • Hall of Famer
      Senior Member
      • Apr 2009
      • 356
      • 3.8.x

      #3
      umm md5, are you sure about that? I heard that md5 is highly obsolete and sites running with md5 hash function are exposed to the greatest danger of hacking. Would a VB staff please explain this to me? Thanks.

      Comment

      • Zachery
        Former vBulletin Support
        • Jul 2002
        • 59097

        #4
        Originally posted by Hall of Famer
        umm md5, are you sure about that? I heard that md5 is highly obsolete and sites running with md5 hash function are exposed to the greatest danger of hacking. Would a VB staff please explain this to me? Thanks.
        We use a double md5 hash with a salt. Without the salt its moderately hard to get a value that works for the password.

        something like md5(md5(password)salt)


        All hashing methods are weak with access to the hash table, protecting your database is the most important thing you can do.

        Pixel2life is the largest tutorial search engine on the internet catering to graphic designers and programmers. From Photoshop to Poser to C++, we have it all in the fastest and friendliest search tool around.

        Comment

        widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
        Working...