Encryption method of password

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • artcoder
    New Member
    • Nov 2008
    • 2

    Encryption method of password

    What encryption method is used by vBulletin to encypt passwords saved to the databse?
  • IBxAnders
    Senior Member
    • Aug 2001
    • 1172
    • 4.0.x

    #2
    Originally posted by artcoder
    What encryption method is used by vBulletin to encypt passwords saved to the databse?
    Salted and MD5 hashed; it is next to impossible to retrieve and view a password even if the database is compromised.
    anders | vbulletin team | check out the new vbulletin facebook app
    Proudly vBulletin'ing since 2001
    Please be my friend!
    http://www.twitter.com/inetskunkworks
    vBulletin Performance Articles:
    Click here to read

    Comment

    • FreshFroot_
      Senior Member
      • Jul 2005
      • 1420
      • 3.8.x

      #3
      Originally posted by IBxAnders
      Salted and MD5 hashed; it is next to impossible to retrieve and view a password even if the database is compromised.
      not impossible.... anything is possible.

      But yes, it uses Salted + MD5 Hash.

      Comment

      • Jobe1986
        Senior Member
        • Jan 2007
        • 629
        • 4.2.x

        #4
        Originally posted by FreshFroot_
        not impossible.... anything is possible.

        But yes, it uses Salted + MD5 Hash.
        Sorry to split hairs here, but it is impossible to reverse the has, it is not however impossible to guess password and salt combinations, but to go through all the possible combinations just for one hash, could potentially take years. If you find out what the salt for that user is, eg via compromised DB you're half way there, but you'll still have a long time to match including the salt.
        http://data.collectiveirc.net/status/user/Jobe.png

        Comment

        • Andreas
          Senior Member
          • Feb 2004
          • 2323

          #5
          Originally posted by FreshFroot_
          not impossible.... anything is possible.
          This is impossible - you can't calculate the exact password out of a hash, as several passwords will produce the same hash - and there is really no way to tell which password was actually used.

          (Which, of course, doesn't mean you won't be able to find such a colission, eg. a string that produces the hash you are after).

          Comment

          • James Birkett
            Senior Member
            • Jun 2009
            • 331
            • 3.8.x

            #6
            Doesn't vBulletin use a triple hash?
            I'm sure I read somewhere they md5 it more than once? Something along the lines of:
            PHP Code:
            md5(md5(md5($password $salt))) 
            I could be wrong - I think I read it somewhere though.

            Comment

            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 73976

              #7
              Originally posted by James Birkett
              Doesn't vBulletin use a triple hash?
              I'm sure I read somewhere they md5 it more than once? Something along the lines of:
              PHP Code:
              md5(md5(md5($password $salt))) 
              I could be wrong - I think I read it somewhere though.
              It is stored in the database as md5(md5($password) + $salt).

              The cookies that contains the password stored on the user's PC is:

              md5(md5(md5($password) + $salt) + COOKIE_SALT)

              COOKIE_SALT is the license ID of the software.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API

              Comment

              • James Birkett
                Senior Member
                • Jun 2009
                • 331
                • 3.8.x

                #8
                Thanks wayne! That helped me understand
                So the database:
                Md5's password first.
                Then it md5's the password (again) and the salt.

                For the cookie:
                md5's password first.
                md5's the password (again) and the salt.
                md5's the hash of above step + license ID?

                Comment

                • Wayne Luke
                  vBulletin Technical Support Lead
                  • Aug 2000
                  • 73976

                  #9
                  Yes.
                  Translations provided by Google.

                  Wayne Luke
                  The Rabid Badger - a vBulletin Cloud demonstration site.
                  vBulletin 5 API

                  Comment

                  • maplr4ever
                    Member
                    • Jun 2009
                    • 65
                    • 3.8.x

                    #10
                    password

                    If you actually want to view your users passwords, simply edit out all the encryptions.

                    but then you would have to have a really strong security system on your server so that it doesn't get compromised.

                    I have my server and database on the same LAN, with the server on a static ip and the database not internet accessible, and connect the server to the database. and then the database has like $500/year worth of encryption software and security software. (its worth it to learn your users passwords :P)

                    Comment

                    • FreshFroot_
                      Senior Member
                      • Jul 2005
                      • 1420
                      • 3.8.x

                      #11
                      Originally posted by Jobe1986
                      Sorry to split hairs here, but it is impossible to reverse the has, it is not however impossible to guess password and salt combinations, but to go through all the possible combinations just for one hash, could potentially take years. If you find out what the salt for that user is, eg via compromised DB you're half way there, but you'll still have a long time to match including the salt.
                      You forget NO encryption is 100%. This encryption can also be decrypted. It won't be easy, and probably not worth most people's time. BUT it is NOT impossible. I know our Comp classes we looked over this issue and worked out methods.

                      So it is NOT impossible. However, unless someone has LOTS of time or is bored. I don't see any use of it. Your better at guessing someone's password than going through with this method.

                      Comment

                      • Jobe1986
                        Senior Member
                        • Jan 2007
                        • 629
                        • 4.2.x

                        #12
                        Originally posted by FreshFroot_
                        You forget NO encryption is 100%. This encryption can also be decrypted. It won't be easy, and probably not worth most people's time. BUT it is NOT impossible. I know our Comp classes we looked over this issue and worked out methods.

                        So it is NOT impossible. However, unless someone has LOTS of time or is bored. I don't see any use of it. Your better at guessing someone's password than going through with this method.
                        The key point to your argument is "encryption". MD5, SHA1 etc... are NOT encryption, they are hash algorithms. Designed to be irreversable. The ONLY way to find out what produces a hash the same is to repeatedly hash strings of data until you get the same result. You cannot otherwise undo the mathematical operation and get the exact string used. Now if you're trying to find what values make a simple hash then that wont take so long, but with vBulletin hashes you need to find out the salt too, which makes the job of finding a pattern that matches a hell of a lot harder, because with the salt, you have to find a salt, that when applied to the same password as the salt in the DB, will produce the SAME hash.
                        http://data.collectiveirc.net/status/user/Jobe.png

                        Comment

                        • Andreas
                          Senior Member
                          • Feb 2004
                          • 2323

                          #13
                          Originally posted by FreshFroot_
                          You forget NO encryption is 100%. This encryption can also be decrypted. It won't be easy, and probably not worth most people's time. BUT it is NOT impossible.
                          I am sorry, but this is just wrong.

                          Hashing != Encrypting

                          You can't "decrypt" a hash, never.
                          You can, of course, find colissions (eg. strings that produce the hash you are after), but you'll never know if the string you found was actually the password.

                          Comment

                          • DelphiVillage
                            Senior Member
                            • Apr 2002
                            • 1051
                            • 4.1.x

                            #14
                            Originally posted by Andreas
                            I am sorry, but this is just wrong.

                            Hashing != Encrypting

                            You can't "decrypt" a hash, never.
                            You can, of course, find colissions (eg. strings that produce the hash you are after), but you'll never know if the string you found was actually the password .
                            Andreas is right folks ...you won't know if a string you found was actually the password you where after...

                            Comment

                            • BSchmits78
                              New Member
                              • Oct 2008
                              • 2

                              #15
                              I'm building a comment system for our newspages and I want to use the same username/password combination as our forum uses. Everything is set to go, the only thing I need to do is encrypt the password so it will be the same as the encrypted password in the database. Does anybody know how to do that?

                              Thanks,
                              Barry
                              Wakeboarden.org

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...