Page 1 of 2

Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Thu Jan 28, 2010 9:51 am
by zidanehead
Does phpBB3 save my passwords with sha1 or md5 encryption?

What procedures should I follow in case my website gets hacked and the database is revealed to the entire world?

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Thu Jan 28, 2010 9:57 am
by ric323
From Knowledge Base - Difference between encryption and hashing
phpBB3 uses phpass which makes use of MD5 with salting to help resist bruteforce attacks.
Note the term "makes use of", as it is not JUST "MD5 with salting". ;)

If your database was compromised, then you should advise your users to change their passwords, but it is extremely unlikely the attacker will be able to crack them anyway.

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Thu Jan 28, 2010 10:37 am
by zidanehead
tnx! :P

Or wait! So if my database gets compromised, it most likely won't get cracked open.
Then how does this rainbow tables thingy relate to this scenario? If I have understood things correctly, then rainbow tables aren't about cracking things open.

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Thu Jan 28, 2010 11:17 am
by AdamR
With a salted+hashed password (such as the one in this case), rainbow tables become increasingly useless the more complex the salt combined with the hash. So while it is possible, it's not plausible (provided a strong password) that a collision would be found. At least, not in a reasonable amount of time.

A bit more info on rainbow tables. :)

- Adam

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Thu Jan 28, 2010 11:37 am
by zidanehead
According to that wiki, if I haven't misinterpreted things, does phpBB 3 protect my database with this by default?
hash = MD5 (password . salt)
Or do I need to manually configure phpBB 3 to attain that level of security?

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Thu Jan 28, 2010 12:02 pm
by Erik Frèrejean
No, phpBB doesn't use a salt and then MD5.
ric323 wrote:Note the term "makes use of", as it is not JUST "MD5 with salting". ;)
phpBB uses a much more advanced hashing algorithm.
zidanehead wrote:Or do I need to manually configure phpBB 3 to attain that level of security?
This algorithm is used by default, so no configuration required.

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Thu Jan 28, 2010 12:48 pm
by zidanehead
Yay! :P

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Thu Jan 28, 2010 3:36 pm
by Eelke
With one exception. If you converted from phpbb2 or another forum solution that has a weaker hashing solution, the passwords for users that have never logged in since the conversion will be in the database hashed with the old system's algorithm. The password is stored using the new algorithm when the user logs in for the first time in the converted system.

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Thu Jan 28, 2010 3:55 pm
by Techie-Micheal
Not to nitpick, but SHA1 and MD5 (along with what phpBB3 uses) are hashing algorithms, and not encryption algorithms.

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Thu Jan 28, 2010 4:02 pm
by Desdenova
Eelke wrote:With one exception. If you converted from phpbb2 or another forum solution that has a weaker hashing solution, the passwords for users that have never logged in since the conversion will be in the database hashed with the old system's algorithm. The password is stored using the new algorithm when the user logs in for the first time in the converted system.
Actually, that changed as of 3.0.5 if I remember right (due to the DB being compromised here on .com). Conversions made on boards using the 3.0.5 installation script will have the old password hash also hashed using phpass... it's a bit messy how they have it done in the backend, but it means that they're still protected by the hashing now. Not sure if this also applies to updated boards, but I would expect that it does.

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Thu Jan 28, 2010 6:45 pm
by Marshalrusty
Desdenova wrote:Actually, that changed as of 3.0.5 if I remember right (due to the DB being compromised here on .com). Conversions made on boards using the 3.0.5 installation script will have the old password hash also hashed using phpass...it's a bit messy how they have it done in the backend, but it means that they're still protected by the hashing now. Not sure if this also applies to updated boards, but I would expect that it is.
We just phpbb_hash the md5 from the phpBB2 database and set a marker saying so. The next time the user logs in, the hash is updated and the marker removed.

This way, no simple md5 hashes are stored in the database, even for users who registered on phpBB2 and never authenticate with phpBB3.
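To make concrete what ric323's "makes use of MD5 with salting" and Marshalrusty's "we just phpbb_hash the md5 ... and set a marker" mean in practice, here is an added example that is not code from this thread or from phpBB itself. It reimplements the public phpass "portable" scheme in Python (a per-user salt, then MD5 iterated 2^count_log2 times, then phpass' own base64 variant) and the legacy-conversion flow described above: the old phpBB2 md5 hex is fed through the salted, iterated hash, a marker is set, and the record is upgraded to a hash of the real password on the first successful login. The `$H$` prefix, the iteration count of 2^11, and the marker name `user_pass_convert` are my assumptions based on recollection of the phpBB 3.0 sources; the thread itself does not state them.

```python
import hashlib
import hmac
import os
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PREFIX = "$H$"     # assumption: phpBB3 tags its phpass hashes with $H$ (phpass upstream uses $P$)
COUNT_LOG2 = 11    # assumption: 2^11 = 2048 MD5 rounds; the thread does not state the count


def _encode64(raw: bytes) -> str:
    """phpass' own base64 alphabet and packing (not RFC 4648); 16 bytes -> 22 chars."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _crypt_private(password: str, setting: str) -> str:
    """Core of the portable hash: MD5(salt + pw), then 2^count_log2 rounds of MD5(prev + pw)."""
    if setting[:3] != PREFIX:
        return "*"                       # phpass returns a non-matching marker on bad settings
    count_log2 = ITOA64.index(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return "*"
    salt = setting[4:12].encode()
    if len(salt) != 8:
        return "*"
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):     # this loop is what makes precomputed tables impractical
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def phpbb_hash(password: str, salt: Optional[str] = None) -> str:
    """Produce a 34-character salted hash; a fresh random salt unless one is supplied (tests only)."""
    if salt is None:
        salt = _encode64(os.urandom(6))  # 6 random bytes -> 8 salt characters
    return _crypt_private(password, PREFIX + ITOA64[COUNT_LOG2] + salt)


def legacy_md5(password: str) -> str:
    """What a phpBB2-era database stored: a bare, unsalted MD5 hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def check_hash(password: str, stored: str) -> bool:
    """34 chars means a phpass hash; anything else is treated as a legacy plain MD5."""
    if len(stored) == 34:
        return hmac.compare_digest(_crypt_private(password, stored), stored)
    return hmac.compare_digest(legacy_md5(password), stored)


def convert_legacy_record(md5_hex: str) -> dict:
    """Conversion step: wrap the old md5 in phpass and flag the row, so no bare md5 is stored."""
    return {"user_password": phpbb_hash(md5_hex), "user_pass_convert": True}


def login(record: dict, password: str) -> bool:
    """Login check that upgrades a converted row to a hash of the real password on first success."""
    if record.get("user_pass_convert"):
        # The stored value is phpass(md5(password)), so hash the candidate the same way.
        if not check_hash(legacy_md5(password), record["user_password"]):
            return False
        record["user_password"] = phpbb_hash(password)
        record["user_pass_convert"] = False
        return True
    return check_hash(password, record["user_password"])


if __name__ == "__main__":
    # Constructed sample data, not taken from any real board.
    row = convert_legacy_record(legacy_md5("oldpass"))
    print("converted row:", row)
    print("wrong password accepted?", login(row, "wrong"))
    print("right password accepted?", login(row, "oldpass"), "-> marker now", row["user_pass_convert"])
```

Two things worth noticing: the salt sits in the stored string itself, so every user's hash must be attacked separately and a table precomputed over unsalted MD5 is of no use against it, and the converted rows are verified by hashing the candidate's md5 rather than the candidate, which is exactly the "bit messy" backend detail Desdenova refers to.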

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Thu Jan 28, 2010 7:02 pm
by Desdenova
I thought so. It didn't use to be like that though, in prior versions...I just can't remember for the life of me which it was that it was introduced in. Blargh. :evil:

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Fri Jan 29, 2010 1:53 am
by A_Jelly_Doughnut
Desdenova wrote:I thought so. It didn't use to be like that though, in prior versions...I just can't remember for the life of me which it was that it was introduced in. Blargh. :evil:
This feature was implemented in the same version that the new hashing algorithm was added, 3.0.RC7 if memory serves.

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Fri Jan 29, 2010 2:18 am
by Desdenova
No, it wasn't. I know it wasn't, I remember seeing the commit, sometime after phpBB.com was hacked.
EDIT: Found it. Reference commit r9312.

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Posted: Fri Jan 29, 2010 4:44 am
by A_Jelly_Doughnut
It appears we were talking about two different things. I can't remember now if I didn't read marshalrusty's post, or if I misread it, before replying. :oops: