
Enforced use of MD5 based hashing algorithm in PHPass?

martzmartz New
edited July 2010 in Vanilla 2.0 - 2.8
Why are passwords saved using an MD5-based algorithm? According to the documentation of PHPass this is only necessary for older systems. It literally states: "Do we require the hashes to be portable to older systems (less secure)?"

Also I changed the Vanilla code to enable the stronger algorithms, but then BONK appears..

I am currently setting up Vanilla (great forum!) for a project. In this project users can also sign up through an alternative (non PHP) interface. So I spent some time digging into the password mechanism and all that.

In my Vanilla install all passwords are saved as type 'Vanilla' (PHPass) and start with $P$; this basically is an MD5-based hashing algorithm. I expected the passwords to start with $2a$ (Blowfish-based algorithm, more secure and recommended), but it seems that the constructor of class.passwordhash.php sets $portable_hashes to true and thus enforces the MD5-based algorithm.

The function header mentions a TODO regarding making the settings configurable, so maybe it's planned. Anyway, I changed the setting to false, but then Vanilla gives the BONK screen when a new user signs up; his password is saved in the DB (only it seems incorrectly saved, as it is missing the leading $2a$).

Maybe somebody can give some more info about this, or correct me - I do not know PHP too well.


Maybe it is not that important, I just reread some text on the PHPass site which states: "The choice of the underlying cryptographic primitive - such as MD5, SHA-1, SHA-256, or even Blowfish or DES (which are block ciphers, yet they may be used to construct one-way hashes) - does not matter all that much. It's the higher-level password hashing method, employing salting and stretching, that makes a difference."