It seems like phpBB, MyBB, vBulletin and others I come across all use MD5. I'd like to do integration with my main site's authentication with something more secure (SHA or just the built-in crypt('password', "$salt")), but don't want to hack up a dependency to pieces so it becomes difficult to upgrade. Any ideas?

inman320
  • First off, (while I also use SHA256+) I think you might find that MD5 with a good password/phrase and user salt + site salt isn't breakable. Sure you hear reports about how easy it is to crack simple passwords with brute force attempts - but you can do that with SHA2 also. Any hashing scheme needs more entropy than just a simple 7 character password. See http://xckd.com/936/ – Xeoncross Sep 27 '11 at 17:53
  • This question is not helpful IMHO. MyBB for example uses the `md5` algo, but it uses salts and such, so I really wonder about what OP is concerned here. – hakre Sep 27 '11 at 17:57
  • @Col. Shrapnel MD5 is designed for speed, which makes it easy to brute force. F-secure wrote [an article](http://www.f-secure.com/weblog/archives/00002095.html) about it a while ago. – Useless Code Sep 27 '11 at 18:07
  • @Xeoncross One of the bigger problems with MD5 is that it is prone to collision, which means that it does not matter if you have a "secure" password and it doesn't matter if you salt. All an attacker needs is to find a string with the same digest. – Jason Dean Sep 27 '11 at 18:34
  • @IgnacioVazquez-Abrams I have a question about the difference, maybe you could answer? http://stackoverflow.com/questions/7574023/how-is-an-md5-or-shx-hash-different-from-an-encryption – inman320 Sep 27 '11 at 18:35
  • @hakre I'd like to have some flexibility because I need to integrate the forum into a main site. If I have to use MyBB's MD5 hashed passwords for the forum login, it becomes a hassle to integrate with a non-MD5 authenticated site for single site login. – inman320 Sep 27 '11 at 19:00
  • @inman320: Looks like MD5 is less the issue, but you need forum software that has an interface to authentication, like LDAP or some plugin. I don't know, off the top of my head, which of the specific forums you listed support such a thing. – hakre Sep 27 '11 at 19:08
  • @hakre My own use case is database authentication, but I just assumed that would also be the most common. Still looking for a good solution. – inman320 Sep 27 '11 at 19:12
  • @inman320: This should be easy to deal with, maybe you only need to do some homework? MyBB: `md5(md5($salt).$password);`, salt should be found in the db per user as per http://community.mybb.com/post-555275.html. When you research that for forums in question you will learn what alternatives each software provides. Maybe you find something that fits your needs. – hakre Sep 27 '11 at 19:20
  • @hakre I want my users to be able to log in to my site, which uses crypt() with a salt, but also simultaneously log in to the forum. I was trying to have the same username and password for both the site and forum, with a one to one in the database for phpbb_ prefixed username and password tables. I'm rethinking it now, possibly just have the same username and have two different passwords with the forum password generated from an MD5 hash of the regular password. It might not be as secure as the main site, but since it's only giving access to the forum it just might work. – inman320 Sep 27 '11 at 19:30
  • Related: http://stackoverflow.com/questions/1309280/can-i-use-phpbb-as-a-fake-identification-provider - check the related questions on that question as well. – hakre Sep 27 '11 at 20:38

1 Answer

What's wrong with MD5? This is what's wrong: MD5 + one salt + another salt applied to a six-character password is breakable these days, with current PC hardware, in seconds, just by brute force alone.

Have a look at this SO discussion and also at this one here.

Then google bcrypt and glance at some of the references.

MD5 just does not do it.

Pete Wilson
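
One way to move accounts off the salted-MD5 format discussed in this thread without editing the forum's code, as an added example that is not part of the original posts: the main site checks a login against the legacy formula quoted in the comments and, on success, re-stores the password with bcrypt. The record layout, function names and cost value are assumptions, and the legacy formula is taken from the comment as written, not checked against any forum's source.

```php
<?php
// Added example, not code from the post or from any forum package.
// Record layout, function names and cost value are assumptions.

const BCRYPT_OPTS = ['cost' => 12];

// Legacy scheme exactly as quoted in the comment thread above.
function legacy_hash(string $salt, string $password): string
{
    return md5(md5($salt) . $password);
}

// Returns [bool $ok, array $user]; $user is re-hashed with bcrypt when a
// legacy record verifies, so the MD5 value is no longer needed for it.
function verify_and_upgrade(array $user, string $password): array
{
    if ($user['bcrypt'] !== null) {
        $ok = password_verify($password, $user['bcrypt']);
        if ($ok && password_needs_rehash($user['bcrypt'], PASSWORD_BCRYPT, BCRYPT_OPTS)) {
            $user['bcrypt'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
        }
        return [$ok, $user];
    }
    if ($user['md5'] === null || $user['salt'] === null) {
        return [false, $user];           // no usable credential stored
    }
    // hash_equals() compares in constant time, unlike == or ===.
    $ok = hash_equals($user['md5'], legacy_hash($user['salt'], $password));
    if ($ok) {
        $user['bcrypt'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
        $user['md5'] = $user['salt'] = null;   // drop the fast hash
    }
    return [$ok, $user];
}

// Constructed sample record standing in for an imported forum account.
$user = [
    'name'   => 'alice',
    'salt'   => 'k3Jq9xPz',
    'md5'    => legacy_hash('k3Jq9xPz', 'correct horse battery staple'),
    'bcrypt' => null,
];

[$ok, $user] = verify_and_upgrade($user, 'wrong guess');
printf("wrong password accepted: %s\n", var_export($ok, true));
[$ok, $user] = verify_and_upgrade($user, 'correct horse battery staple');
printf("legacy login ok: %s, stored as: %s\n", var_export($ok, true), substr($user['bcrypt'], 0, 7));
[$ok, $user] = verify_and_upgrade($user, 'correct horse battery staple');
printf("bcrypt login ok: %s, md5 kept: %s\n", var_export($ok, true), var_export($user['md5'] !== null, true));
```

Accounts that never log in again keep their MD5 value until they do, so the legacy column can only be dropped once those records have been upgraded or reset.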