What encryption method is used by vBulletin to encrypt passwords saved to the database?
Encryption method of password
-
anders | vbulletin team | check out the new vbulletin facebook app
-
Sorry to split hairs here, but it is impossible to reverse the hash. It is not, however, impossible to guess password and salt combinations, but to go through all the possible combinations just for one hash could potentially take years. If you find out what the salt for that user is, e.g. via a compromised DB, you're halfway there, but you'll still have a long time to match including the salt.
-
This is impossible - you can't calculate the exact password out of a hash, as several passwords will produce the same hash - and there is really no way to tell which password was actually used.
(Which, of course, doesn't mean you won't be able to find such a collision, e.g. a string that produces the hash you are after.)
-
Doesn't vBulletin use a triple hash?
I'm sure I read somewhere they md5 it more than once? Something along the lines of:
PHP Code: md5(md5(md5($password . $salt)))
-
The cookie that contains the password stored on the user's PC is:
md5(md5(md5($password) + $salt) + COOKIE_SALT)
COOKIE_SALT is the license ID of the software.
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 API
-
Thanks Wayne! That helped me understand.
So the database:
Md5's password first.
Then it md5's the password (again) and the salt.
For the cookie:
md5's password first.
md5's the password (again) and the salt.
md5's the hash of above step + license ID?
-
Yes.
Wayne Luke
-
password
If you actually want to view your users' passwords, simply edit out all the encryptions.
But then you would have to have a really strong security system on your server so that it doesn't get compromised.
I have my server and database on the same LAN, with the server on a static IP and the database not internet accessible, and connect the server to the database. And then the database has like $500/year worth of encryption software and security software. (It's worth it to learn your users' passwords :P)
-
Sorry to split hairs here, but it is impossible to reverse the hash. It is not, however, impossible to guess password and salt combinations, but to go through all the possible combinations just for one hash could potentially take years. If you find out what the salt for that user is, e.g. via a compromised DB, you're halfway there, but you'll still have a long time to match including the salt.
So it is NOT impossible. However, unless someone has LOTS of time or is bored, I don't see any use of it. You're better at guessing someone's password than going through with this method.
-
You forget NO encryption is 100%. This encryption can also be decrypted. It won't be easy, and probably not worth most people's time. BUT it is NOT impossible. I know in our Comp classes we looked over this issue and worked out methods.
So it is NOT impossible. However, unless someone has LOTS of time or is bored, I don't see any use of it. You're better at guessing someone's password than going through with this method.
-
Hashing != Encrypting
You can't "decrypt" a hash, never.
You can, of course, find collisions (e.g. strings that produce the hash you are after), but you'll never know if the string you found was actually the password.
-
Andreas is right, folks... you won't know if a string you found was actually the password you were after...
-
I'm building a comment system for our newspages and I want to use the same username/password combination as our forum uses. Everything is set to go, the only thing I need to do is encrypt the password so it will be the same as the encrypted password in the database. Does anybody know how to do that?
Thanks,
Barry
Wakeboarden.org
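
Added example, not part of the original thread and not vBulletin's own code: one way an external script could check a login or a cookie value against the scheme described above. The function names, the array keys `password` and `salt`, and all sample values are assumptions made for this example.

```php
<?php
// Scheme as described in this thread:
//   database: md5(md5($password) . $salt)
//   cookie:   md5($databaseHash . COOKIE_SALT), COOKIE_SALT = license ID

function vb_db_hash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

function vb_cookie_hash(string $dbHash, string $cookieSalt): string
{
    return md5($dbHash . $cookieSalt);
}

// $row stands in for one user's stored hash and salt
// (array keys are assumptions for this example).
function vb_verify_password(string $password, array $row): bool
{
    // hash_equals() compares in constant time and never applies the
    // numeric-string juggling that == performs on hex digests.
    return hash_equals($row['password'], vb_db_hash($password, $row['salt']));
}

function vb_verify_cookie(string $cookieValue, array $row, string $cookieSalt): bool
{
    return hash_equals(vb_cookie_hash($row['password'], $cookieSalt), $cookieValue);
}

// Constructed sample data: a made-up salt, password and license ID.
$cookieSalt = 'LICENSE-ID-PLACEHOLDER';
$row = ['salt' => 'x9$', 'password' => vb_db_hash('correct horse', 'x9$')];
$cookie = vb_cookie_hash($row['password'], $cookieSalt);

// Correct password, then wrong case, then correct password with wrong salt.
var_dump(vb_verify_password('correct horse', $row));
var_dump(vb_verify_password('Correct horse', $row));
var_dump(vb_verify_password('correct horse', ['salt' => 'y7!'] + $row));

// Genuine cookie value, then one derived with a different COOKIE_SALT.
var_dump(vb_verify_cookie($cookie, $row, $cookieSalt));
var_dump(vb_verify_cookie(vb_cookie_hash($row['password'], 'other'), $row, $cookieSalt));
```

MD5 is fast to compute, so this check adds no brute-force resistance of its own; the comment system still needs its own limit on login attempts, and the hash and salt columns need the same protection as the passwords themselves.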