Enforced use of MD5 based hashing algorithm in PHPass?
martz
Why are passwords saved using an MD5-based algorithm? According to the documentation of PHPass this is only necessary for older systems. It literally states: "Do we require the hashes to be portable to older systems (less secure)?"
Also, I changed the Vanilla code to enable the stronger algorithms, but then BONK appears...
I am currently setting up Vanilla (great forum!) for a project. In this project users can also sign up through an alternative (non-PHP) interface. So I spent some time digging into the password mechanism and all that.
In my Vanilla install all passwords are saved as type 'Vanilla' (PHPass) and start with $P$; this is basically an MD5-based hashing algorithm. I expected the passwords to start with $2a$ (Blowfish-based algorithm, more secure and recommended), but it seems that the constructor of class.passwordhash.php sets $portable_hashes to true and thus enforces the MD5-based algorithm.
The function header mentions a TODO regarding making the settings configurable, so maybe it's planned. Anyway, I changed the setting to false, but then Vanilla gives the BONK screen when a new user signs up; his password is saved in the DB (only it seems incorrectly saved, as it misses the leading $2a$).
Maybe somebody can give some more info about this, or correct me - I do not know PHP too well.
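A Python port of the PHPass portable ($P$) scheme discussed in the post, added here as an example; it is not code from Vanilla, PHPass or the original poster. It shows how the non-PHP signup path mentioned above could create and verify the same hashes, and how to label stored hashes by prefix so an audit can count how many still use the MD5-based mode. The iteration count (2^11), the 6-byte salt and any sample hashes used with it are constructed values.

```python
# PHPass portable ($P$) hashes in Python, plus a prefix audit of stored hashes.
import hashlib
import hmac
import os

# PHPass's 64-character alphabet; index 11 is '9', meaning 2^11 stretching rounds.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """Port of PasswordHash::encode64: little-endian 6-bit groups, not standard base64."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for shift in range(0, 6 * (len(chunk) + 1), 6):  # 3 bytes -> 4 chars, tail -> n+1
            out.append(ITOA64[(value >> shift) & 0x3F])
    return "".join(out)

def crypt_private(password: str, setting: str) -> str:
    """Port of PasswordHash::crypt_private: salted MD5 iterated 2^count_log2 times."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return "*0"  # PHPass's failure marker, never equal to a stored hash
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        return "*0"
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def hash_portable(password: str, count_log2: int = 11, salt: bytes = b"") -> str:
    """Create a $P$ hash as Vanilla's portable mode does (count_log2=11 is our choice)."""
    salt = salt or os.urandom(6)  # 6 raw bytes encode to the 8-character salt field
    return crypt_private(password, "$P$" + ITOA64[count_log2] + encode64(salt)[:8])

def check_password(password: str, stored: str) -> bool:
    """Verify against a stored $P$ hash; $2a$ bcrypt entries are out of scope and fail."""
    computed = crypt_private(password, stored)
    return computed[0] != "*" and hmac.compare_digest(computed, stored)

def classify(stored: str) -> str:
    """Label a stored hash by prefix so an audit can count the weaker $P$ entries."""
    if stored.startswith(("$P$", "$H$")):
        return "phpass-portable-md5"
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    return "other"
```

Running `classify` over an export of the user table's password column gives the count of accounts still on the MD5-based scheme, which is the figure to watch while migrating them to bcrypt on next login.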