Bcrypt email addresses?

John connor
Registered User
Posts: 1790
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Bcrypt email addresses?

Post by John connor » Wed Aug 22, 2018 5:43 pm

Is it possible for phpBB to Bcrypt email addresses in the database? If so, I think that might just be a good idea in case someone were to have their database hacked.

canonknipser
Registered User
Posts: 1650
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Re: Bcrypt email addresses?

Post by canonknipser » Wed Aug 22, 2018 8:15 pm

BCrypt is a password hashing algorithm - if you use it for mail addresses, you can't restore them, so you can't send mails any longer.

Just use a good ftp and database password and change them frequently - and don't be too paranoid.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

Ger
Recognised Extension Developer
Posts: 1771
Joined: Wed Jan 02, 2008 7:35 pm
Location: 192.168.1.100

Re: Bcrypt email addresses?

Post by Ger » Thu Aug 23, 2018 10:05 am

Email addresses have a purpose in phpBB: notifications are sent to it, it's used for password recovery and for sending (mass) emails. So encrypted or not, the software would have to be able to decrypt it anyway.

Since Bcrypt is a hashing algorithm, it's a one-way road. Once hashed, there is no way back unless you are willing to spend ages brute forcing it. Also, symmetric encryption wouldn't help at all since phpBB would be able to decrypt it - and a hacker just needs to look at phpBB's GitHub to know how.
My extensions:
Simple CMS, Feed post bot, Avatar Resize, Modbreak, Magic OGP, Live topic update, Modern Quote, Quoted Where (GDPR) and Autoresponder.
Newest: FAQ manager for 3.2

Like my work? Buy me a coffee to keep it coming. :ugeek:
-Available for custom work-

Re: Bcrypt email addresses?

Post by John connor » Fri Aug 24, 2018 1:10 am

My thinking was that since the forum can on the fly read the password as it's inputted with the PHP code, why can't it do the same thing for email addresses? Then if the database is stolen you have to not only crack Bcrypted passwords, but Bcrypted emails as well. Which is no small feat with Bcrypt.

AbaddonOrmuz
Registered User
Posts: 407
Joined: Wed Dec 25, 2013 9:06 pm
Location: /dev/null
Name: Alfredo Ramos

Re: Bcrypt email addresses?

Post by AbaddonOrmuz » Fri Aug 24, 2018 1:34 am

John connor wrote:
Fri Aug 24, 2018 1:10 am
My thinking was that since the forum can on the fly read the password as it's inputted with the PHP code, why can't it do the same thing for email addresses? Then if the database is stolen you have to not only crack Bcrypted passwords, but Bcrypted emails as well. Which is no small feat with Bcrypt.

Passwords are not "read", they're compared: the string of the hash of the password stored in the database and the new hash generated when trying to log in.

Hashed passwords do not generate the same string even with the same salt, I'm not sure if that's also true for phpBB, in theory it should be.
A proudly user of Arch Linux :: /r/sddm_themes
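
Added example, not part of any post in this topic and not phpBB's own code: the compare-instead-of-read login check described above, and what happens when an email column is hashed the same way, using PHP's built-in password functions. The accounts, addresses and the `find_by_email` helper are constructed for illustration.

```php
<?php
// Added illustration built on PHP's password API; all data is constructed.

$password = 'correct horse battery staple';

// password_hash() picks a fresh random salt on every call, so hashing the
// same input twice gives two different strings.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$again  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump($stored === $again);

// Login never reads the password back. It re-hashes the submitted value with
// the salt and cost embedded in the stored string, then compares the results.
var_dump(password_verify($password, $stored));
var_dump(password_verify('wrong guess', $stored));

// The same comparison by hand: crypt() takes its salt and cost from $stored.
var_dump(hash_equals($stored, crypt($password, $stored)));

// Now treat the email column the same way (hypothetical table layout).
$users = [
    ['username' => 'alice', 'email_hash' => password_hash('alice@example.org', PASSWORD_BCRYPT)],
    ['username' => 'bob',   'email_hash' => password_hash('bob@example.org', PASSWORD_BCRYPT)],
];

// "Forgot password" by email: an indexed lookup is impossible, because a new
// hash of the submitted address matches no stored string. Every row has to be
// verified in turn, at one full bcrypt computation per row.
function find_by_email(array $users, string $candidate): ?string
{
    foreach ($users as $row) {
        if (password_verify($candidate, $row['email_hash'])) {
            return $row['username'];
        }
    }
    return null;
}

var_dump(find_by_email($users, 'bob@example.org'));
var_dump(find_by_email($users, 'carol@example.org'));

// Notifications and mass mail need the address itself. The row only holds a
// "$2y$..." string, so there is nothing to hand to a mailer.
echo $users[0]['email_hash'], PHP_EOL;
```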

Re: Bcrypt email addresses?

Post by John connor » Fri Aug 24, 2018 7:22 am

It is indeed true for different hashes as I've seen this.

So if Bcrypt is out for email protection, is there another method perhaps? Maybe like a one time pad sort of thing? :lol:

I'm sure all is possible with PHP code. I just wish I knew that code. But as of right now I'm trying to learn C++.

Mick
Support Team Member
Posts: 20237
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: Bcrypt email addresses?

Post by Mick » Fri Aug 24, 2018 7:37 am

Encryption?
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.

3Di
Registered User
Posts: 12983
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Bcrypt email addresses?

Post by 3Di » Fri Aug 24, 2018 8:15 am

Mick wrote:
Fri Aug 24, 2018 7:37 am
Encryption?

Bcrypt encrypts.
Want to compensate me for my interest? Donate
Please PM me only to request paid works. Thx.
Extensions, Scripts, MOD porting, Update/Upgrades
My development's activity º PhpStorm's proud user

Paul
Infrastructure Team Leader
Posts: 24740
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: Bcrypt email addresses?

Post by Paul » Fri Aug 24, 2018 8:45 am

Encrypting email addresses doesn't make much sense as well, as phpBB will need to know the encryption method + private key. Having that on the server, a hacker will be able to access it as well, and as such decrypt the email addresses.

3Di wrote:
Fri Aug 24, 2018 8:15 am
Mick wrote:
Fri Aug 24, 2018 7:37 am
Encryption?
Bcrypt encrypts.

No, it doesn't. See also https://www.securityinnovationeurope.co ... encrypting for what the difference is between encryption and hashing.
Knock knock
Race condition
Who's there?

My Blog | My Photos | my phpBB Extensions | custom phpBB work & Development

Re: Bcrypt email addresses?

Post by canonknipser » Fri Aug 24, 2018 9:05 am

Yes, but there is no Decryption with BCrypt ;) Encryption is used to create the hash.

Re: Bcrypt email addresses?

Post by Paul » Fri Aug 24, 2018 9:58 am

canonknipser wrote:
Fri Aug 24, 2018 9:05 am
Yes, but there is no Decryption with BCrypt ;) Encryption is used to create the hash.

And that's why bcrypt is hashing and not encrypting 😊. Encrypting implies that it can be decrypted.

thecoalman
Community Team Member
Posts: 2801
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Bcrypt email addresses?

Post by thecoalman » Fri Aug 24, 2018 11:41 am

canonknipser wrote:
Wed Aug 22, 2018 8:15 pm
Just use a good ftp and database password and change them frequently - and don't be too paranoid.

The issue is when someone hacks into the server by whatever means. They can then dump the user table. Minimally they might run a dictionary attack against the passwords and that will net them about 10% of the users on average. Now they have associated username, email address and password which they can then try on the email account site.

I use a throwaway password on many sites if I know I'll only be using it for a brief time and it's inconsequential where no personal data is given. I just got an email the other day with this throwaway password listed in the email informing me they had video of me watching porn and would delete the video for $1000. :P

John connor wrote:
Fri Aug 24, 2018 7:22 am
is there another method perhaps?

As Paul mentioned, phpBB would have to be able to decrypt and for that to occur the key would have to be on the server, making it pointless. You would have to disable all email features for that user and that would include password recovery. If you were using their password as the key the only thing it would become useful for at that point is if the user was logged in and you wanted to send a confirmation email for password change initiated through the ACP.

I did post an idea for encrypting PM's and designated user profile data but that is possible because the user(s) would be logged in and there are really only two or three parties that would need to be able to see it. Even that becomes fairly complicated.

viewtopic.php?f=436&t=2438626

Re: Bcrypt email addresses?

Post by Mick » Fri Aug 24, 2018 11:59 am

I wasn’t aware porn was illegal. If they intend to video everyone who watches porn they’re gonna need a helluva server to store the evidence, idiots!

(Presumably you paid ‘em? :lol:)

RMcGirr83
Recognised Extension Developer
Posts: 20953
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Re: Bcrypt email addresses?

Post by RMcGirr83 » Fri Aug 24, 2018 12:03 pm

Did someone say porn? :twisted:
In times of change, learners inherit the earth, while the learned find themselves beautifully equipped to deal with a world that no longer exists - Eric Hoffer
Former Modifications/Extensions Team Member | My extensions
Appreciate the extensions/mods/support then buy me a beer
All requests for support via PM will be ignored

Re: Bcrypt email addresses?

Post by Mick » Fri Aug 24, 2018 12:09 pm

Steady on now Rich.