Enforced use of MD5 based hashing algorithm in PHPass?

Why are passwords saved using an MD5-based algorithm? According to the documentation of PHPass this is only necessary for older systems. It literally states: "Do we require the hashes to be portable to older systems (less secure)?"
Also, I changed the Vanilla code to enable the stronger algorithms, but then BONK appears...
I am currently setting up Vanilla (great forum!) for a project. In this project users can also sign up through an alternative (non PHP) interface. So I spent some time digging into the password mechanism and all that.
In my Vanilla install all passwords are saved as type 'Vanilla' (PHPass) and start with $P$, which is basically an MD5-based hashing algorithm. I expected the passwords to start with $2a$ (the Blowfish-based algorithm, more secure and recommended), but it seems that the constructor of class.passwordhash.php sets $portable_hashes to true and thus enforces the MD5-based algorithm.
The function header mentions a TODO regarding making the settings configurable, so maybe it's planned. Anyway, I changed the setting to false, but then Vanilla gives the BONK screen when a new user signs up. His password is saved in the DB (only it seems to be saved incorrectly, as it is missing the leading $2a$).
Maybe somebody can give some more info about this, or correct me - I do not know PHP too well.
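For readers who want to see what the $P$ hashes described above actually are, here is an added example (not code from the original post, Vanilla or PHPass) that re-implements PHPass' "portable" hash in pure Python. It shows how the $P$ format is laid out (3-char type, 1-char cost, 8-char salt, 22-char MD5-based digest), how the single cost character encodes the iteration count, why the default portable hash starts with $P$B (PHPass adds 5 to the requested log2 cost), and that crypt_private() answers anything other than $P$/$H$ with "*0", the point at which PHPass falls through to PHP's crypt() for $2a$ hashes. The function names mirror the PHP class, but the code is independent; the sample passwords and the placeholder bcrypt string are constructed for the demo, and the $P$9 vector is the one shipped in PHPass' own test.php.

```python
"""Pure-Python re-implementation of PHPass "portable" ($P$ / $H$) hashing.

Added example for illustration; not the Vanilla or PHPass source.
"""
import hashlib
import hmac
import os

# PHPass' private base64 alphabet (not RFC 4648): '.'=0, '/'=1, '0'=2 ... 'z'=63
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """Encode `count` bytes of `data`, 3 bytes -> 4 chars, little-endian groups."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def gensalt_private(count_log2: int = 8) -> str:
    """Build a $P$ setting string. PHPass adds 5 to the requested log2 cost
    for portable hashes and caps it at 30, so the default (8) yields '$P$B'."""
    cost_char = ITOA64[min(count_log2 + 5, 30)]
    return "$P$" + cost_char + encode64(os.urandom(6), 6)  # 6 random bytes -> 8 chars


def crypt_private(password: str, setting: str) -> str:
    """The $P$/$H$ algorithm: MD5(salt+pw), then 2**cost rounds of MD5(prev+pw).
    Anything that is not a portable setting gets the PHPass failure marker '*0'
    ('*1' if the setting itself starts with '*0'), which is where the PHP class
    hands off to crypt() for bcrypt ($2a$) and other schemes."""
    output = "*0"
    if setting[:2] == output:
        output = "*1"
    if setting[:3] not in ("$P$", "$H$"):
        return output
    count_log2 = ITOA64.find(setting[3:4])
    if count_log2 < 7 or count_log2 > 30:  # PHPass refuses absurd costs
        return output
    salt = setting[4:12]
    if len(salt) != 8:
        return output
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest, 16)  # 12 + 22 = 34 chars


def hash_password(password: str, count_log2: int = 8) -> str:
    """Portable-mode HashPassword(): returns '*' on failure, like PHPass."""
    hashed = crypt_private(password, gensalt_private(count_log2))
    return hashed if len(hashed) == 34 else "*"


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a recomputed portable hash against `stored`."""
    hashed = crypt_private(password, stored)
    if hashed.startswith("*"):
        return False  # not a portable hash (PHPass would try crypt() here)
    return hmac.compare_digest(hashed, stored)


def identify(stored: str):
    """Classify a stored hash by prefix and decode its work factor (iterations)."""
    if stored.startswith(("$P$", "$H$")):
        c = ITOA64.find(stored[3:4])
        return ("phpass-portable-md5", (1 << c) if 7 <= c <= 30 else None)
    if stored.startswith(("$2a$", "$2y$", "$2b$")) and len(stored) == 60:
        return ("bcrypt", 2 ** int(stored[4:6]))
    return ("unknown", None)


# Vector from PHPass' own test.php: password 'test12345'.
PHPASS_TEST_VECTOR = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"
# Constructed placeholder with the shape of a cost-10 bcrypt hash (format demo only).
FAKE_BCRYPT = "$2a$10$" + "A" * 53

if __name__ == "__main__":
    print(identify(PHPASS_TEST_VECTOR))          # ('phpass-portable-md5', 2048)
    print(check_password("test12345", PHPASS_TEST_VECTOR))
    print(hash_password("correct horse")[:4])     # $P$B  (cost 8+5=13 -> 8192 rounds)
    print(crypt_private("x", FAKE_BCRYPT))        # *0
```

Note what the cost character buys: $P$B is only 2^13 = 8192 MD5 rounds, whereas a $2a$10$ bcrypt hash runs 2^10 rounds of the far more expensive Blowfish key setup, which is why PHPass' own documentation calls portable hashes "less secure".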