Quote: phpBB3 uses phpass which makes use of MD5 with salting to help resist bruteforce attacks.
Note the term "makes use of", as it is not JUST "MD5 with salting".

Quote: hash = MD5 (password . salt)
Or do I need to manually configure phpBB 3 to attain that level of security?

ric323 wrote: Note the term "makes use of", as it is not JUST "MD5 with salting".
phpBB uses a much more advanced hashing algorithm.

zidanehead wrote: Or do I need to manually configure phpBB 3 to attain that level of security?
This algorithm is used by default, so no configuration required.

Eelke wrote: With one exception. If you converted from phpbb2 or another forum solution that has a weaker hashing solution, the passwords for users that have never logged in since the conversion will be in the database hashed with the old system's algorithm. The password is stored using the new algorithm when the user logs in for the first time in the converted system.
Actually, that changed as of 3.0.5 if I remember right (due to the DB being compromised here on .com). Conversions made on boards using the 3.0.5 installation script will have the old password hash also hashed using phpass... it's a bit messy how they have it done in the backend, but it means that they're still protected by the hashing now. Not sure if this also applies to updated boards, but I would expect that it is.

Desdenova wrote: Actually, that changed as of 3.0.5 if I remember right (due to the DB being compromised here on .com). Conversions made on boards using the 3.0.5 installation script will have the old password hash also hashed using phpass... it's a bit messy how they have it done in the backend, but it means that they're still protected by the hashing now. Not sure if this also applies to updated boards, but I would expect that it is.
We just phpbb_hash the md5 from the phpBB2 database and set a marker saying so. The next time the user logs in, the hash is updated and the marker removed.

Desdenova wrote: I thought so. It didn't use to be like that though, in prior versions... I just can't remember for the life of me which it was that it was introduced in. Blargh.
This feature was implemented in the same version that the new hashing algorithm was added, 3.0.RC7 if memory serves.
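
The conversion scheme described in the last posts (hash the old MD5 digest with the new algorithm, set a marker, replace the hash at the next login), sketched as an added example that is not phpBB's own code. It substitutes PHP's built-in password_hash() for phpass/phpbb_hash, and the function names and the 'legacy' field are hypothetical.

```php
<?php
// Added example, not phpBB code. wrap_legacy(), login() and the 'legacy'
// field are hypothetical names; password_hash() stands in for phpass.

// Conversion time: only the old unsalted MD5 hex digest is available,
// so the digest itself is fed to the slow, salted hash and marked.
function wrap_legacy(string $md5Hex): array
{
    return ['hash' => password_hash($md5Hex, PASSWORD_DEFAULT), 'legacy' => true];
}

// Login: while the marker is set, the submitted password is MD5'd first so it
// matches what was wrapped. Because of that extra MD5 step, a leaked MD5
// digest typed in as the "password" does not verify.
function login(array &$user, string $password): bool
{
    $candidate = $user['legacy'] ? md5($password) : $password;
    if (!password_verify($candidate, $user['hash'])) {
        return false; // record untouched, marker stays set
    }
    // The plaintext is known at this point: store a hash of the password
    // itself and clear the marker, so MD5 is no longer part of the chain.
    if ($user['legacy'] || password_needs_rehash($user['hash'], PASSWORD_DEFAULT)) {
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
        $user['legacy'] = false;
    }
    return true;
}

// Constructed sample data: one digest as it would sit in a converted table.
$oldDigest = md5('correct horse');
$user = wrap_legacy($oldDigest);

var_dump(login($user, $oldDigest));       // digest submitted as password
var_dump(login($user, 'wrong guess'));    // wrong password
var_dump($user['legacy']);                // marker after failed attempts
var_dump(login($user, 'correct horse'));  // first real login after conversion
var_dump($user['legacy']);                // marker after the upgrade
var_dump(login($user, 'correct horse'));  // later login, no MD5 involved
```

Accounts that never log in again keep the wrapped form, so their strength against offline guessing is that of the outer hash applied to an MD5 digest rather than to the password itself.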