Does phpBB3 save my passwords with sha1 or md5 encryption?

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Suggested Hosts
User avatar
zidanehead
Registered User
Posts: 24
Joined: Wed Jan 27, 2010 3:37 pm
Contact:

Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by zidanehead »

Does phpBB3 save my passwords with sha1 or md5 encryption?

What procedures should I follow in case my website gets hacked and the database is revealed to the entire world?
User avatar
ric323
Former Team Member
Posts: 22910
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric
Contact:

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by ric323 »

From Knowledge Base - Difference between encryption and hashing
phpBB3 uses phpass which makes use of MD5 with salting to help resist bruteforce attacks.
Note the term "makes use of", as it is not JUST "MD5 with salting". ;)

If your database was compromised, then you should advise your users to change their passwords, but it is extremely unlikely the attacker will be able to crack them anyway.
The Knowledge Base contains solutions to many common problems!
How to fix "Doesn't have a default value" and "Incorrect string value: xxx for column 'post_text' " errors.
How to do a clean re-install of the latest phpBB3 version.
Problems with permissions? Read phpBB3 Permissions
User avatar
zidanehead
Registered User
Posts: 24
Joined: Wed Jan 27, 2010 3:37 pm
Contact:

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by zidanehead »

tnx! :P

Or wait! So if my database would get compromised, and most likely won't get cracked open.
Then how does this rainbow tables thingy relate to this scenario? If I have understood things correctly then rainbow tables isn't about cracking things open.
User avatar
AdamR
Former Team Member
Posts: 9731
Joined: Tue Mar 02, 2004 5:40 pm
Location: Tampa, Florida
Name: Adam Reyher
Contact:

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by AdamR »

With a salted+hashed password (such as the one in this case), rainbow tables become increasingly useless the more complex the salt combined with the hash. So while it is possible, it's not plausible (provided a strong password) that a collision would be found. At least, not in a reasonable amount of time.

A bit more info on rainbow tables. :)

- Adam
phpBB Support: Welcome | Userguide | Knowledge Base | Search
Honored supporter of the phpBB Group!
"If I have seen a little further it is by standing on the shoulders of Giants." - Isaac Newton
User avatar
zidanehead
Registered User
Posts: 24
Joined: Wed Jan 27, 2010 3:37 pm
Contact:

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by zidanehead »

According to that wiki if I haven't misinterpreted things. Does phpBB 3 protect my database with this by default?
hash = MD5 (password . salt)
Or do I need to manually configure phpBB 3 to attain that level of security?
User avatar
Erik Frèrejean
Former Team Member
Posts: 9899
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean
Contact:

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by Erik Frèrejean »

No phpBB doesn't use a salt and than MD5,
ric323 wrote:Note the term "makes use of", as it is not JUST "MD5 with salting". ;)
phpBB uses a much more advanced hashing algorithm.
zidanehead wrote:Or do I need to manually configure phpBB 3 to attain that level of security?
This algorithm is used by default, so no configuration required.
Support Toolkit | Support Request Template | Knowledge Base | phpBB 3.0.x documentation
I don't give support via PM or IM! (all unsolicited pms will be trashed!)
User avatar
zidanehead
Registered User
Posts: 24
Joined: Wed Jan 27, 2010 3:37 pm
Contact:

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by zidanehead »

Yay! :P
User avatar
Eelke
Registered User
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok
Contact:

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by Eelke »

With one exception. If you converted from phpbb2 or another forum solution that has a weaker hashing solution, the passwords for users that have never logged in since the conversion will be in the database hashed with the old system's algorithm. The password is stored using the new algorithm when the user logs in for the first time in the converted system.
User avatar
Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by Techie-Micheal »

Not to nitpick, but SHA1 and MD5 (along with what phpBB3 uses) are hashing algorithms, and not encryption algorithms.
Proven Offensive Security Expertise. OSCP - GXPN
Desdenova
Registered User
Posts: 646
Joined: Sat Feb 23, 2008 7:25 pm

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by Desdenova »

Eelke wrote:With one exception. If you converted from phpbb2 or another forum solution that has a weaker hashing solution, the passwords for users that have never logged in since the conversion will be in the database hashed with the old system's algorithm. The password is stored using the new algorithm when the user logs in for the first time in the converted system.
Actually, that changed as of 3.0.5 if I remember right (due to the DB being compromised here on .com). Conversions made on boards using the 3.0.5 installation script will have the old password hash also hashed using phpass...it's a bit messy how they have it done in the backend, but it means that they're still protected by the hashing now. Not sure if this also applies to updated boards, but I would expect that it is.
User avatar
Marshalrusty
Project Manager
Project Manager
Posts: 29298
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko
Contact:

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by Marshalrusty »

Desdenova wrote:Actually, that changed as of 3.0.5 if I remember right (due to the DB being compromised here on .com). Conversions made on boards using the 3.0.5 installation script will have the old password hash also hashed using phpass...it's a bit messy how they have it done in the backend, but it means that they're still protected by the hashing now. Not sure if this also applies to updated boards, but I would expect that it is.
We just phpbb_hash the md5 from the phpBB2 database and set a marker saying so. The next time the user logs in, the hash is updated and the marker removed.

This way, no simple md5 hashes are stored in the database, even for users who registered on phpBB2 and never authenticate with phpBB3.
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs
Desdenova
Registered User
Posts: 646
Joined: Sat Feb 23, 2008 7:25 pm

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by Desdenova »

I thought so. It didn't use to be like that though, in prior versions...I just can't remember for the life of me which it was that it was introduced in. Blargh. :evil:
User avatar
A_Jelly_Doughnut
Former Team Member
Posts: 34457
Joined: Sat Jan 18, 2003 1:26 am
Location: Where the Rivers Run
Contact:

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by A_Jelly_Doughnut »

Desdenova wrote:I thought so. It didn't use to be like that though, in prior versions...I just can't remember for the life of me which it was that it was introduced in. Blargh. :evil:
This feature was implemented in the same version that the new hashing algorithm was added, 3.0.RC7 if memory serves.
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish
Desdenova
Registered User
Posts: 646
Joined: Sat Feb 23, 2008 7:25 pm

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by Desdenova »

No, it wasn't. I know it wasn't, I remember seeing the commit, sometime after phpBB.com was hacked.
EDIT: Found it. Reference commit r9312.
User avatar
A_Jelly_Doughnut
Former Team Member
Posts: 34457
Joined: Sat Jan 18, 2003 1:26 am
Location: Where the Rivers Run
Contact:

Re: Does phpBB3 save my passwords with sha1 or md5 encryption?

Post by A_Jelly_Doughnut »

It appears we were talking about two different things. I can't remember now if I didn't read marshalrusty's post, or if I misread it, before replying. :oops:
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish
Post Reply

Return to “phpBB Discussion”