Password Authentication plus SEO concerns

[rob30UK]

Hi All,

Thinking of switching from phpBB to vBulletin.

Our phpBB system does dot use the standard hashing functions of other phpBB systems and instead uses sha256 (long story). What would it take to convert VBulletin to use the same authentication hash? Is it a case of change it in one place, or several?

We have the categories hierarchy mod installed in PHPbb... will your impex convertor handle the transition and keep the hierarchy?

Also, some pointers to SEO documents concerning vBulletin (especially url re-writing) would be very helpful in us makin the decision.

I look forward to your heklp and feedback.

Regards,

Rob

[Steve Machol]

I'm not sure I understand the hashing question. Is this a modification you made to phpBB?

vB3 is inherently search-engine friendly and includes an 'archive' function that makes it even more so. It was specifically optimized with this in mind.

[rob30UK]

I'm not sure I understand the hashing question. Is this a modification you made to phpBB?

vB3 is inherently search-engine friendly and includes an 'archive' function that makes it even more so. It was specifically optimized with this in mind.

As a specialist in SEO Steve, I would have to partially agree.

The archive feature is ONLY useful when linking directly to forums and posts (otherwise duplicate content occurs which is bad for google). I should also point out that this should in fact ALSO produce a google sitemap for submission or ideally it should auto submit to google.

The forums and threads themselves are far from optimised for search engines, but I didnt come here to debate that... SEO is a science and it's work is never done. It's doesnt matter how much SEO you do on a site or product, there is always more that can be done.

The SEO of the forum is the least of my worries as I've since learned about many SEO mods that exist to prevent me 're-invening the wheel' so to speak.

What is of far more pressing concern to me is whether the vBulletin API will allow access to the user login authentication process AND allow the user password hashing algorythm to be changed to SHA256 (I should run this by your technical people who'll know what I mean)

The thing is, my current board uses this (SHA256) hashing algorythm for passwords and I'm not about to ask over 2000+ members to use the lost password feature when I convert to vBulletin.

I don't want to have to change php files and nullify my support.

I need a way to change vBulletin's authentication hash functions over to SHA256... this should be available anyway for the support of conversion of other boards (like snitz.... which we used to have)

[rob30UK]

By the way, I have a SHA256 hash function that does not require any other libraries (Like PEAR for instance) if you or anyone else needs it.

[ManagerJosh]

Hi Rob:

Welcome . While some points I do agree, a few I do disagree.

SEO is not exactly a true science. It's more of a game of catch up with the search-engine companies trying to figure out how to get your site recognized and exposed to its fullest. Science is observation, hypothesizing, testing, repeating. If it was a true science, SEO specialicist would be winning Nobel Prizes by now

Anyhow, I'll save my SEO debate for another thread....


Regarding the passwords, vBulletin 3.0.x onwards uses a different method of authentication rather than the traditional MD5 hashing.

PHP Code:

md5(md5('password') . $salt) 


It is quite possible to engineer vBulletin to use a SHA256, but it's going to take a lot of time, editing PHP files and codehacking.

[Marco van Herwaarden]

I will not touch the SEO subject, since that is not a field i know a lot about, but there are some modifications available at vbulletin.org that could help you with this.

About implementing the SHA256 into vBulletin, that will not help you with your problem. Like Josh already pointed out, vBulletin uses a different hashing algoritm then phpBB. Changing from MD5 to a SHA256 based hash, will not change the fact that the passwords would need to be reset. I wouldn't spend much energy on this if i where you, and just accept the fact that the passwords must be reset (unless the plain passwords would be available somehow to the Import scripts).

[ManagerJosh]

Marco, he's already using a SHA256 based hash on his phpBB installation.

[Marco van Herwaarden]

Marco, he's already using a SHA256 based hash on his phpBB installation.

I know, that is what he wrote, hence my answer that changing vB to use SHA256 based hash, will not make his phpBB passwords be transferrable to vBulletin.

[ManagerJosh]

Ah yes, that's right. Forgot about salting... Sorry... I blame myself for being up at 3AM

[rob30UK]

Guys.... c'mon...

Salting is nessesary for MD5 as it's been cracked.

My PHPbb uses no salt. What would it take to remove salting?

I sure as hell dont want to upset a few thousand members forcing them to use forgot password features.

PHPbb uses MD5 and when I moved to PHPbb from snitz, I had this issue... and overcome it.

By the way.... we have now purcased this and am waiting for your replies.

I KNOW there is a way round this.

[ManagerJosh]

To the best of my knowledge, MD5 hasn't been cracked. There are people who claim they've cracked MD5, but in the end, it's boiled down to the same thing: sheer brute force.

The only way around this to my knowledge is if you codehack vBulletin itself to use SHA256 rather than Dual MD5, with a salt.

[rob30UK]

The only way around this to my knowledge is if you codehack vBulletin itself to use SHA256 rather than Dual MD5, with a salt.

Ok.... so where next?

Pleae give me indicators where to start?

Besides class_dm_user.php, are there any other files that would need modifying?

[ManagerJosh]

You're treading into support/codehacking regions. You are going to have much better luck over at www.vbulletin.org as that's the place to ask when you're codehacking.

I recommend asking over in this forum -> http://www.vbulletin.org/forum/forumdisplay.php?f=111

Please make sure this is filled out as well so you show up as licensed

[rob30UK]

Will I break terms and conditions and nullify support by changing php files?

I strongly suggest that in a future version you expose the hashing algorythm to the API / Hooks system.

It will far improve your products ability in the area of importing if you can support old passwords by having a number of alternative hash plugins.

Dont get me wrong, the ability of Impex to do what it does is amazing and second to none... but what I am asking will make it much much better and be far friendlier to imported users.

Just a suggestion.

[ManagerJosh]

The official word is that if you alter the PHP files from their original setting (other than config.php), you void support. However there's been instances where I've had codehacks and asked for support and it's been there for me

Also, I'm not sure if this affects you any, but vBulletin does have some MD5 hashing occuring on the clientside. Just thought I'd let you know..