Passwords are not "read", they're compared: the string of the hash of the password stored in the database and the new hash generated when trying to log in.

John connor wrote: ↑Fri Aug 24, 2018 1:10 am
My thinking was that since the forum can on the fly read the password as it's input with the PHP code, why can't it do the same thing for email addresses? Then if the database is stolen you have to not only crack Bcrypted passwords, but Bcrypted emails as well. Which is no small feat with Bcrypt.
No, it doesn't. See also https://www.securityinnovationeurope.co ... encrypting for what the difference is between encryption and hashing.
And that's why: bcrypt is hashing, not encrypting. Encrypting implies that it can be decrypted.
The issue is when someone hacks into the server by whatever means. They can then dump the user table. Minimally they might run a dictionary attack against the passwords, and that will net them about 10% of the users on average. Now they have associated username, email address and password, which they can then try on the email account site.
As Paul mentioned, phpBB would have to be able to decrypt, and for that to occur the key would have to be on the server, making it pointless. You would have to disable all email features for that user, and that would include password recovery. If you were using their password as the key, the only thing it would become useful for at that point is if the user was logged in and you wanted to send a confirmation email for a password change initiated through the ACP.
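The two points made in this thread, that a bcrypt password is verified by re-hashing rather than by reading it back, and that encrypting the e-mail address under a password-derived key only works while the user's plaintext password is in hand (so password recovery is impossible), can be shown end to end in PHP, since that is what phpBB is written in. The code below is an added illustration written for this page, not phpBB's own code: the function names, the choice of PBKDF2-SHA256 for key derivation and AES-256-GCM for the e-mail, and the sample user data are all my assumptions.

```php
<?php
// Added example (not phpBB code). Shows (1) bcrypt login by comparison and
// (2) an e-mail address sealed under a key derived from the user's password,
// which makes "forgot password" mail impossible to send.
declare(strict_types=1);

function expect(bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException("check failed: $what"); }
}

// --- 1. Passwords: stored as a bcrypt hash, verified by re-hashing. ---
function registerPassword(string $password): string {
    // password_hash() generates a random salt and embeds it in the output.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkLogin(string $storedHash, string $candidate): bool {
    // The stored hash is never "read back": the candidate is hashed with the
    // same salt and cost, and the two hashes are compared in constant time.
    return password_verify($candidate, $storedHash);
}

// --- 2. E-mail: encrypted under a key derived from the user's password. ---
// The server only stores the bcrypt hash, which cannot be turned back into
// the password, so this key exists only while the plaintext password is
// present, i.e. during a login or a password change by the logged-in user.
function deriveEmailKey(string $password, string $salt): string {
    // PBKDF2-SHA256, 32-byte raw key (assumption: any password KDF would do).
    return hash_pbkdf2('sha256', $password, $salt, 100000, 32, true);
}

function sealEmail(string $email, string $password, string $salt): array {
    $key = deriveEmailKey($password, $salt);
    $iv  = random_bytes(12);          // 96-bit nonce, fresh per encryption
    $tag = '';
    $ct  = openssl_encrypt($email, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return ['iv' => $iv, 'tag' => $tag, 'ct' => $ct];
}

function openEmail(array $sealed, string $password, string $salt): ?string {
    $key = deriveEmailKey($password, $salt);
    // A wrong key fails the GCM tag check and openssl_decrypt() returns false.
    $pt = openssl_decrypt($sealed['ct'], 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          $sealed['iv'], $sealed['tag']);
    return $pt === false ? null : $pt;
}

// --- Walk-through on a constructed user row (sample data, not real). ---
$password = 'correct horse battery staple';
$email    = 'user@example.org';

$row = [
    'password_hash' => registerPassword($password),
    'email_salt'    => random_bytes(16),
];
$row['email'] = sealEmail($email, $password, $row['email_salt']);

// Login: the candidate is hashed and compared; nothing is decrypted.
expect(checkLogin($row['password_hash'], $password) === true,  'correct password logs in');
expect(checkLogin($row['password_hash'], 'wrong password') === false, 'wrong password rejected');

// While the user is logged in (password in hand) the address is readable,
// e.g. to confirm a password change the user started from the ACP.
expect(openEmail($row['email'], $password, $row['email_salt']) === $email, 'e-mail opens at login');

// Password recovery: the user forgot the password. All the server has is the
// bcrypt hash, and that does not derive the key, so the address stays sealed
// and the recovery mail can never be sent.
expect(openEmail($row['email'], $row['password_hash'], $row['email_salt']) === null,
       'e-mail unreadable without the plaintext password');

// A stolen table dump puts the attacker in exactly the recovery flow's
// position: the e-mail only opens once a dictionary attack recovers the
// password, at which point username, password and e-mail fall together.
echo "all checks passed\n";
```

Note what the last check implies for the thread's question: with a password-derived key the server is in the same position as an attacker holding a dump, so the scheme costs password recovery without protecting the addresses of any user whose password is guessable; with a server-held key it protects nothing at all once the server is compromised.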