Current status: Submitted to the MOD DB for validation.
Description: This modification changes phpBB to use encryption instead of hashing for passwords. This mod utilizes mcrypt, which supports the most powerful encryption types available. For more information on customizing the encryption for your forum check out the FAQ.
This mod can be installed to a live environment. When a user successfully logs in for the first time after the mod is installed their password will be re-encrypted.
Current Version: v1.2.1
Requirements: You PHP configuration must support mcrypt as well as whichever encryption scheme you wish to use.
- Support enhanced password encryption
- Customizable: ability to change encryption type and other things all from one config file
- Can be installed to live boards seamlessly
http://hootworld.net/Enhanced%20Passwor ... yption.zip (v1.2.1 download, 39KB)
http://www.phpbb.com/customise/db/mod/e ... ncryption/ (general information)
What does dynamic keys mean for security?
Every encryption key used is unique to the password and user. This means in the event that a hacker obtains the encrypted passwords that each and every user's password will need to be cracked individually. It also means that passwords that are the same won't show up as the same in the database (like salted hashes). The stronger a user's password, the longer this will take. Additionally, without access to the phpBB constants a hacker would have no idea what encryption scheme is being used.
- Changed key extending to happen before the encode.
- Added looped hashing.
- Encryption key is now dynamic and based off of the password and initialization vector. This means each password has it's own encryption key.
- Fixed the SQL error in login_forum_box function.
- Heavily modified the ModX install script.
- SQL queries for install are now done with UMIL.
- Forced re-login when attempting to change password from UCP before old password is converted to the new encryption.
- Made some small changes to make compatible with 3.0.10.
- Fixed MOD X SQL queries.
- Simplified password re-encryption process after mod install. Users now only need to log in.
- Implemented small code adjustments to meet PHPBB mod requirements.
- Fixed installation file to cover various DBMS.
- Fixed "account already activated" error with forgot password email activation link.
- Updated encryption_config.php as well as the encryption code to make changes to the encryption type easier.
- Initial submission to the MOD DB.
Please feel free to suggest features you might want included.