The popular forum software vbulletin now uses a combo of md5 + salt.
Any chances of authmysql being able to cope with this?
Hi,
I'm not at all familiar with vbulletin, and not sure what you're saying. Do they do an MD5 hash against the password, then crypt it?
If so, mod_auth_mysql doesn't currently support it, but it shouldn't be hard to add it.
If it's something else, could you please elaborate?
Thanks,
Jerry
They fetch the salt from the database first of all, then hash the MD5 password together with the salt.
Ok, but I still need more information. Which encryption method are they using for the hash? MD5 doesn't take a salt, so it looks like they're taking the MD5 hashed password then doing something else with it.
Jerry
I noticed your thread on vbulletin.com; I'm sorry they didn't take your comments on board :(
Thanks anyway
Thanks, I tried.
I've run into people like this before - they think their product is so important that they don't have to be compatible with anyone else - they can set the standards. It works in the short run - but that's all.
This will probably get me in trouble - but I'll say it anyway. I don't do business with people like this - their holier-than-thou attitude is just too much trouble. My suggestion would be for you to find another BBS - there are numerous ones on the market.
And BTW - one of their claims to needing this security is that the encrypted passwords are stored in cookies. Anyone reasonably versed in security would tell you this is a huge security hole. You should NEVER save a password in a cookie. Or, if you do, it shouldn't be in plain text (it isn't) - but neither should it be identical to what's in the database (which it is).
Jerry
I got the same problem too. I asked vB support for something that is just md5; they said I need major modifications and they cannot do anything. I do not know what they are talking about, as I have only used vB for a few days. After searching for the vBulletin password encryption algorithm, I found that this is how they encrypt user passwords:
md5(md5(password)+salt);
Instead of changing the vB code, I changed mod_auth_mysql. Just a few lines of code:
Replace:
{"md5", NO_SALT, pw_md5},
With:
{"md5", SALT_REQUIRED, pw_md5},
Replace:
return strcmp(real_pw, ap_md5(pool, (const unsigned char *) sent_pw)) == 0;
With:
/* Compute md5(md5(sent_pw) + salt). ap_md5() returns a 33-byte string
   allocated from the pool, so strcat()ing the salt onto it would write past
   the end of that buffer; ap_pstrcat() (apr_pstrcat() on Apache 2.x)
   allocates a fresh, correctly sized string instead. */
return strcmp(real_pw, ap_md5(pool, (const unsigned char *) ap_pstrcat(pool, ap_md5(pool, (const unsigned char *) sent_pw), salt, NULL))) == 0;
Now you can authenticate against the vB user database.
Good luck!
tscbh,
You are, of course, free to modify the code to suit your needs. However, we do not have the time to investigate problems with modified code, so unless you can duplicate a problem in the distributed module, you'll be out of luck. You'll also have to figure out how to add your code to new versions of the module.
My recommendation would be to go to a bulletin board which doesn't try to set their own standards.
Just a bit of info on this one (for those who don't understand salt values):
A salt is a bit of random information added to the string before it's encrypted. This makes it statistically improbable that two users' passwords would look the same when they are hashed. It also makes brute force attacks MUCH harder, as a malicious user can no longer use a pregenerated dictionary-hash association array (be it a database or standalone app) to quickly look up potential passwords.
Just a little extra info for those who are curious.
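The two points made above, tscbh's md5(md5(password)+salt) scheme and Anocelot's explanation of what a salt buys you, can be shown in one place. The following is an added example written for this thread; it is not vBulletin's or mod_auth_mysql's code. The sample salt, password and word list are constructed, the salt length is an assumption, and the check uses a constant-time comparison where the module uses strcmp.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the thread, vBulletin or mod_auth_mysql.
# Constructed sample data of the shape the thread describes: the user table
# stores md5(md5(password) + salt) next to the salt itself.
SAMPLE_SALT = "Qz7"           # constructed; the real salt length is an assumption
SAMPLE_PASSWORD = "password"  # constructed test credential


def plain_md5(text: str) -> str:
    """Unsalted md5 hex digest, the "just md5" form mod_auth_mysql supports as-is."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def vb_hash(password: str, salt: str) -> str:
    """Stored form reported in the thread: md5(md5(password) + salt), hex encoded."""
    return plain_md5(plain_md5(password) + salt)


def new_salt(n_bytes: int = 8) -> str:
    """Per-user random salt; n_bytes is an assumption, not vBulletin's value."""
    return secrets.token_hex(n_bytes)


def verify(sent_pw: str, stored_hash: str, salt: str) -> bool:
    """What the patched mod_auth_mysql check computes, but compared in constant
    time so response timing does not leak how much of the digest matched."""
    return hmac.compare_digest(vb_hash(sent_pw, salt), stored_hash)


def unsalted_table(words):
    """A precomputed word -> md5 lookup table, the kind of pregenerated
    association array the salt explanation says no longer works once hashes
    are salted. Keys are unsalted md5 digests."""
    return {plain_md5(w): w for w in words}


def recover_from_table(table, stored_hash):
    """Reverse a stored hash by table lookup; None when nothing matches."""
    return table.get(stored_hash)


def same_password_collides(password: str) -> bool:
    """True if two users with the same password end up with identical stored
    hashes. With per-user random salts this is False."""
    return vb_hash(password, new_salt()) == vb_hash(password, new_salt())


if __name__ == "__main__":
    stored = vb_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    print("stored hash:", stored)
    print("correct password accepted:", verify(SAMPLE_PASSWORD, stored, SAMPLE_SALT))
    print("wrong password rejected:", not verify("Password", stored, SAMPLE_SALT))
    table = unsalted_table(["123456", "password", "letmein"])  # constructed word list
    print("plain md5 recovered from table:", recover_from_table(table, plain_md5(SAMPLE_PASSWORD)))
    print("salted hash recovered from table:", recover_from_table(table, stored))
    print("two users, same password, identical hash:", same_password_collides(SAMPLE_PASSWORD))
```

The last two checks are the point of Anocelot's note: the unsalted digest of a common password is found immediately in a table built once, while the salted digest of the same password is not, and two accounts sharing a password no longer share a stored value. The salt does nothing against a guess made online against the login form itself, which is why the double md5 in the thread is not a substitute for a proper password-hashing function; it only removes the precomputation shortcut.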
Anocelot,
Yes, I'm familiar with the reason for the salt field.
However, vBulletin uses a non-standard encryption method. We try to support all standard methods, but there is no end to the non-standard possibilities. There's no way we could cover them all - and if we do one, others can make a strong case for doing others.
I've tried talking with the vBulletin people, but they are adamant. They do NOT want to change the way they encrypt their data.
Their issue is that the encrypted password is stored in a cookie on the user's machine. Well, that in itself is an exposure! A better way for them to do it would be to use standard encryption within the database, and store a different encrypted password in a cookie. For instance, they could use a reversible method with a salt such as AES. That way the cookie on the user's machine would be specific to the site.
This is just one of many ways around the problem. But I'd never store a plain-text password or an encrypted password which matches the database entry in a cookie. It's too insecure.
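Jerry's point is that the value in the cookie should not be the value in the database. The following added example (not vBulletin's or mod_auth_mysql's code) shows one way to get the site-specific cookie he describes. He suggests a reversible salted method such as AES; this example swaps in a keyed HMAC instead, which gives the same property, a cookie that is bound to a server-held secret and never equals the stored hash. SITE_SECRET, the user id and the stored hash are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the thread, vBulletin or mod_auth_mysql.
# The thread's objection: the cookie holds the same value as the database row,
# so whoever reads the cookie holds the credential the server checks against.
# Here the cookie is an HMAC under a per-site secret (a swapped-in technique;
# Jerry mentions AES). SITE_SECRET is an assumption: one random key per site,
# kept on the server and never sent to a browser.
SITE_SECRET = secrets.token_bytes(32)

# Constructed sample user row (shape only; the values are made up).
SAMPLE_USER_ID = 42
SAMPLE_STORED_HASH = "0123456789abcdef0123456789abcdef"  # stands in for the DB hash


def cookie_value(user_id: int, stored_hash: str, secret: bytes = SITE_SECRET) -> str:
    """Derive the cookie from user id + stored hash under the site secret.
    Including the stored hash means a password change invalidates old cookies."""
    msg = f"{user_id}:{stored_hash}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def cookie_is_valid(user_id: int, stored_hash: str, presented: str,
                    secret: bytes = SITE_SECRET) -> bool:
    """Server-side check: recompute from the database row and compare in constant time."""
    return hmac.compare_digest(cookie_value(user_id, stored_hash, secret), presented)


def cookie_equals_database_entry(user_id: int, stored_hash: str,
                                 secret: bytes = SITE_SECRET) -> bool:
    """The property the thread complains about: does the cookie expose the DB value?"""
    return cookie_value(user_id, stored_hash, secret) == stored_hash


def cookie_valid_on_other_site(user_id: int, stored_hash: str) -> bool:
    """A cookie issued under this site's secret, checked under another site's secret."""
    other_site_secret = secrets.token_bytes(32)
    token = cookie_value(user_id, stored_hash)
    return cookie_is_valid(user_id, stored_hash, token, other_site_secret)


def cookie_survives_password_change(user_id: int, old_hash: str, new_hash: str) -> bool:
    """Does a cookie issued before a password change still verify afterwards?"""
    token = cookie_value(user_id, old_hash)
    return cookie_is_valid(user_id, new_hash, token)


if __name__ == "__main__":
    token = cookie_value(SAMPLE_USER_ID, SAMPLE_STORED_HASH)
    print("cookie:", token)
    print("cookie accepted by this site:", cookie_is_valid(SAMPLE_USER_ID, SAMPLE_STORED_HASH, token))
    print("cookie equals database entry:", cookie_equals_database_entry(SAMPLE_USER_ID, SAMPLE_STORED_HASH))
    print("cookie accepted by another site:", cookie_valid_on_other_site(SAMPLE_USER_ID, SAMPLE_STORED_HASH))
    print("cookie survives password change:",
          cookie_survives_password_change(SAMPLE_USER_ID, SAMPLE_STORED_HASH, "fedcba9876543210fedcba9876543210"))
```

Because the HMAC is keyed, a cookie read off a user's machine yields neither the database hash nor anything usable on a second site running the same software, and rotating SITE_SECRET logs every user out at once. A real deployment would also put an expiry into the signed message; that is left out here to keep the comparison with the thread's cookie-equals-hash design direct.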
Hi Jerry,
I totally agree with you - vb does a poor job at security on this one. I hope it didn't sound like I was trying to "teach you something." I was just putting that out there for future readers who might get confused on it.
Sorry if that was unclear! :(
Thanks for the advice Jerry,
I didn't really want to change anything at all. But I really need your module for my server. On top of that, I also need vBulletin. I was really mad when I found out they didn't use standard encryption. To me, double md5 doesn't make that much difference; I don't even need a top security system. Anyway, thanks for creating this module. I really like it.
Anocelot,
No problem - I didn't take offense at anything in your message. I was just trying to explain why we haven't supported this encryption - and why it is inherently unsafe, despite the claims of the authors.
And tscbh,
My recommendation would be to look for another forum. I use phpbbs myself, with great success, and it's free. It had some security problems, but the developers have been great at resolving them.
Invisionboard is also common, but I don't know what they use for a back end. DiscusWare works well, but they manage their registrations in a flat file.
And thanks - but I didn't create the module. I'm just a lowly hacker who is trying to make it better.
Jerry
I am just a novice user; I want to look for something popular. Whenever I encounter a problem, I know that there is help that can easily be found out there. I think vBulletin is the most popular board out there! That's why I bought it.
I might consider something else when I have a bit more experience.
Anyway, thanks again for your advice.
tscbh
I saw some statistics on BBSs a while back. Unfortunately, I don't remember where it was - so this is only from memory.
In any case, PHPBBS was by far the most popular. InvisionBoard was next. vBulletin was further down the list. DiscusWare was the lowest I recognized, and not very prevalent at all.
But no, vBulletin isn't even close to being the most popular. It isn't even the most popular commercial board.