Bcrypt email addresses?

Posted: Wed Aug 22, 2018 5:43 pm
by John connor
Is it possible for phpBB to Bcrypt email addresses in the database? If so, I think that might just be a good idea in case someone were to have their database hacked.

Re: Bcrypt email addresses?

Posted: Wed Aug 22, 2018 8:15 pm
by canonknipser
BCrypt is a password hashing algorithm - if you use it for mail addresses, you can't restore them, so you can't send mails any longer.

Just use a good ftp and database password and change them frequently - and don't be too paranoid.

Re: Bcrypt email addresses?

Posted: Thu Aug 23, 2018 10:05 am
by Ger
Email addresses have a purpose in phpBB: notifications are sent to it, it's used for password recovery and for sending (mass) emails. So encrypted or not, the software would have to be able to decrypt it anyway.

Since Bcrypt is a hashing algorithm, it's a one-way road. Once hashed, there is no way back unless you are willing to spend ages brute forcing it. Also, symmetric encryption wouldn't help at all since phpBB would be able to decrypt it - and a hacker just needs to look at phpBB's Github to know how.

Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 1:10 am
by John connor
My thinking was that since the forum can on the fly read the password as it's input with the PHP code, why can't it do the same thing for email addresses? Then if the database is stolen you have to not only crack Bcrypted passwords, but Bcrypted emails as well. Which is no small feat with Bcrypt.

Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 1:34 am
by AbaddonOrmuz
John connor wrote:
Fri Aug 24, 2018 1:10 am
My thinking was that since the forum can on the fly read the password as it's input with the PHP code, why can't it do the same thing for email addresses? Then if the database is stolen you have to not only crack Bcrypted passwords, but Bcrypted emails as well. Which is no small feat with Bcrypt.
Passwords are not "read", they're compared: the string of the hash of the password stored in the database and the new hash generated when trying to log in.

Hashed passwords do not generate the same string even with the same salt. I'm not sure if that's also true for phpBB, in theory it should be.

Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 7:22 am
by John connor
It is indeed true for different hashes as I've seen this.

So if Bcrypt is out for email protection, is there another method perhaps? Maybe like a one time pad sort of thing? :lol:

I'm sure all is possible with PHP code. I just wish I knew that code. But as of right now I'm trying to learn C++.

Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 7:37 am
by Mick
Encryption?

Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 8:15 am
by 3Di
Mick wrote:
Fri Aug 24, 2018 7:37 am
Encryption?
Bcrypt encrypts.

Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 8:45 am
by Paul
Encrypting email addresses doesn't make much sense either, as phpBB will need to know the encryption method + private key. Having that on the server, a hacker will be able to access it as well, and as such decrypt the email addresses.
3Di wrote:
Fri Aug 24, 2018 8:15 am
Mick wrote:
Fri Aug 24, 2018 7:37 am
Encryption?
Bcrypt encrypts.
No, it doesn't. See also https://www.securityinnovationeurope.co ... encrypting for what the difference is between encryption and hashing.

Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 9:05 am
by canonknipser
Yes, but there is no Decryption with BCrypt ;) Encryption is used to create the hash.

Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 9:58 am
by Paul
canonknipser wrote:
Fri Aug 24, 2018 9:05 am
Yes, but there is no Decryption with BCrypt ;) Encryption is used to create the hash.
And that's why bcrypt is hashing and not encrypting 😊. Encrypting implies that it can be decrypted.

Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 11:41 am
by thecoalman
canonknipser wrote:
Wed Aug 22, 2018 8:15 pm
Just use a good ftp and database password and change them frequently - and don't be too paranoid.
The issue is when someone hacks into the server by whatever means. They can then dump the user table. Minimally they might run a dictionary attack against the passwords and that will net them about 10% of the users on average. Now they have associated username, email address and password which they can then try on the email account site.

I use a throwaway password on many sites if I know I'll only be using it for a brief time and it's inconsequential where no personal data is given. I just got an email the other day with this throwaway password listed in the email informing me they had video of me watching porn and would delete the video for $1000. :P
John connor wrote:
Fri Aug 24, 2018 7:22 am
is there another method perhaps?
As Paul mentioned, phpBB would have to be able to decrypt, and for that to occur the key would have to be on the server, making it pointless. You would have to disable all email features for that user and that would include password recovery. If you were using their password as the key, the only thing it would become useful for at that point is if the user was logged in and you wanted to send a confirmation email for a password change initiated through the ACP.

I did post an idea for encrypting PMs and designated user profile data, but that is possible because the user(s) would be logged in and there are really only two or three parties that would need to be able to see it. Even that becomes fairly complicated.

viewtopic.php?f=436&t=2438626
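The two points made by Paul and thecoalman above, shown side by side as an added illustration (this is not phpBB code): a bcrypt hash of an address can only be verified, never turned back into something you can send mail to, while a symmetrically encrypted address is recoverable, but only with a key that phpBB itself would have to keep on the server. The sample address and the key handling are assumptions for the demo.

```php
<?php
// Added illustration, not phpBB code. Sample address is constructed.
$email = 'alice@example.com';

// 1. Hashing (bcrypt) is one-way. password_hash() draws a fresh random salt
//    on every call, so two hashes of the same address are different strings,
//    yet both verify against the original input.
$h1 = password_hash($email, PASSWORD_BCRYPT, ['cost' => 10]);
$h2 = password_hash($email, PASSWORD_BCRYPT, ['cost' => 10]);

echo "distinct hashes for the same address: ", ($h1 !== $h2 ? 'yes' : 'no'), "\n";
echo "original address verifies:           ", (password_verify($email, $h1) ? 'yes' : 'no'), "\n";
echo "other address verifies:              ", (password_verify('bob@example.com', $h1) ? 'yes' : 'no'), "\n";
// There is no inverse of password_hash(). The only question the hash can
// answer is "does this candidate match?", which cannot drive notifications
// or password-recovery mail.

// 2. Symmetric encryption (AES-256-GCM) is reversible, but only with the key.
//    To send mail phpBB would need to decrypt before every send, so the key
//    (assumed here to be loaded from config.php) must sit on the server.
$key = random_bytes(32);   // stands in for a key read from config.php
$iv  = random_bytes(12);   // per-record nonce, stored next to the ciphertext
$tag = '';
$ct  = openssl_encrypt($email, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
$pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);

echo "decrypts back to the address:        ", ($pt === $email ? 'yes' : 'no'), "\n";
// Whoever holds the server (config.php plus the database) holds $key, $iv,
// $tag and $ct and performs exactly this decrypt. Encryption at rest only
// narrows the damage when the database alone leaks, not the whole server.
```

The contrast is the whole point of the thread: hashing removes the address from the feature set, encryption keeps the feature set but ties its secrecy to a key living next to the data.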

Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 11:59 am
by Mick
I wasn’t aware porn was illegal. If they intend to video everyone who watches porn they’re gonna need a helluva server to store the evidence, idiots!

(Presumably you paid ‘em? :lol:)

Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 12:03 pm
by RMcGirr83
Did someone say porn? :twisted:

Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 12:09 pm
by Mick
Steady on now Rich.