Bcrypt email addresses?

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Scam Warning
User avatar
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Bcrypt email addresses?

Post by 2600 »

Is it possible for phpBB to Bcrypt email addresses in the database? If so, I think that might just be a good idea in case someone were to have their database hacked.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
User avatar
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Bcrypt email addresses?

Post by canonknipser »

BCrypt is a password hashing algorithm - if you use it for mail addresses, you can't restore them, so you can't send mails any longer.

Just use a good ftp and database password and change them frequently - and don't be too paranoid.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
User avatar
Ger
Recognised Extension Developer
Posts: 1978
Joined: Wed Jan 02, 2008 7:35 pm
Location: 192.168.1.100
Contact:

Re: Bcrypt email addresses?

Post by Ger »

Email addresses have a purpose in phpBB: notifications are sent to it, it's used for password recovery and for sending (mass) emails. So encrypted or not, the software would have to be able to decrypt it anyway.

Since Bcrypt is a hashing-algorithm, it's a one-way road. Once hashed, there is no way back unless you are willing to spend ages to brute forcing it. Also, symmetric encryption wouldn't help at all since phpBB would be able to decrypt it - and a hacker just needs to look at phpBB's Github to know how.
My extensions:
Simple CMS, Feed post bot, Avatar Resize, Modbreak, Magic OGP, Live topic update, Modern Quote, Quoted Where (GDPR) and Autoresponder.
Newest: FAQ manager for 3.2

Like my work? Buy me a coffee to keep it coming. :ugeek:

-Don't PM me for support-
User avatar
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: Bcrypt email addresses?

Post by 2600 »

My thinking was that since the forum can on the fly read the password as it's imputed with the PHP code, why can't it do the same thing for email addresses? Then if the database is stolen you have to not only crack Bcrypted passwords, but Bcrypted emails as well. Which is no small feat with Bcrypt.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
User avatar
AbaddonOrmuz
Recognised Extension Developer
Posts: 1047
Joined: Wed Dec 25, 2013 9:06 pm
Location: /dev/null
Name: Alfredo
Contact:

Re: Bcrypt email addresses?

Post by AbaddonOrmuz »

John connor wrote:
Fri Aug 24, 2018 1:10 am
My thinking was that since the forum can on the fly read the password as it's imputed with the PHP code, why can't it do the same thing for email addresses? Then if the database is stolen you have to not only crack Bcrypted passwords, but Bcrypted emails as well. Which is no small feat with Bcrypt.
Passwords are not "read" they're compared, the string of the hash of the password stored in the database and the new hash generated when trying to log in.

Hashed passwords do not generate the same string even with the same salt, I'm not sure it that's also true for phpBB, in theory it should be.
Some of my phpBB extensions:
Image Imgur | :chart_with_upwards_trend: SEO Metadata | Image Markdown | :lock: Auto-lock Topics
:trophy: Check out all my validated extensions :trophy:

:penguin: Arch Linux user :penguin:
User avatar
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: Bcrypt email addresses?

Post by 2600 »

It is indeed true for different hashes as I've seen this.

So if Bcrypt is out for email protection, is there another method perhaps? Maybe like a one time pad sort of thing? :lol:

I'm sure all is possible with PHP code. I just wish I knew that code. But as of right now I'm trying to learn C++.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:
User avatar
Mick
Support Team Member
Support Team Member
Posts: 22958
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably.

Re: Bcrypt email addresses?

Post by Mick »

Encryption?
"The more connected we get the more alone we become" - Kyle Broflovski©
User avatar
3Di
Former Team Member
Posts: 16092
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milano 🇮🇹 Frankfurt 🇩🇪
Name: Marco
Contact:

Re: Bcrypt email addresses?

Post by 3Di »

Mick wrote:
Fri Aug 24, 2018 7:37 am
Encryption?
Bcrypt encripts.
🆓 Free support for our extensions also provided here: phpBB Studio
🚀 Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 27130
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: Bcrypt email addresses?

Post by Paul »

Encrypting email addresses doesn't makes much sense as well, as phpBB will need to know the encryption method + private key. Having that on the server a hacker will be able to access it as well, and as such decrypt the email addresses.
3Di wrote:
Fri Aug 24, 2018 8:15 am
Mick wrote:
Fri Aug 24, 2018 7:37 am
Encryption?
Bcrypt encripts.
No, it doesn't. See also https://www.securityinnovationeurope.co ... encrypting for what the difference is between encryption and hashing.
User avatar
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Bcrypt email addresses?

Post by canonknipser »

Yes, but there is no Decryption with BCrypt ;) Encryption is used to create the hash.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 27130
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: Bcrypt email addresses?

Post by Paul »

canonknipser wrote:
Fri Aug 24, 2018 9:05 am
Yes, but there is no Decryption with BCrypt ;) Encryption is used to create the hash.
And that's why it bcrypt is hashing and not encrypting 😊. Encrypting implies that it can be decrypted.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 4259
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: Bcrypt email addresses?

Post by thecoalman »

canonknipser wrote:
Wed Aug 22, 2018 8:15 pm
Just use a good ftp and database password and change them frequently - and don't be too paranoid.
The issue is when someone hacks into the server by whatever means. They can then dump the user table. Minimally they might run a dictionary attack against the passwords and that will net them about 10% of the users on average. Now they have associated username, email address and password which they can then try on the email account site.

I use a throwaway password on many sites if I know I'll only be using it for brief time and it's inconsequential where no personal data is given. I just got an email the other day with this throwaway password listed in the email informing me they had video of me watching porn and would delete the video for $1000 . :P
John connor wrote:
Fri Aug 24, 2018 7:22 am
is there another method perhaps?
As Paul mentioned phpBB would have to be able to decrypt and for that to occur the key would have to be on the server making it pointless. You would have to disable all email features for that user and that would include password recovery. If you were using their password as the key the only thing it would become useful for at that point is if the user was logged in and you wanted to send a confirmation email for password change initiated through the ACP.

I did post an idea for encrypting PM's and designated user profile data but that is possible becsue the user(s) would be logged in and there is really only two or three parties that would need to be able to see it . Even that becomes fairly complicated.

viewtopic.php?f=436&t=2438626
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
Mick
Support Team Member
Support Team Member
Posts: 22958
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably.

Re: Bcrypt email addresses?

Post by Mick »

I wasn’t aware porn was illegal. If they intend to video everyone who watches porn they’re gonna need a helluva server to store the evidence, idiots!

(Presumably you paid ‘em? :lol:)
"The more connected we get the more alone we become" - Kyle Broflovski©
User avatar
RMcGirr83
Former Team Member
Posts: 21837
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Re: Bcrypt email addresses?

Post by RMcGirr83 »

Did someone say porn? :twisted:
Former Modifications/Extensions Team Member | My extensions | github | All requests for support via PM will be ignored
Appreciate the extensions/mods/support then buy me a beerImage
User avatar
Mick
Support Team Member
Support Team Member
Posts: 22958
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably.

Re: Bcrypt email addresses?

Post by Mick »

Steady on now Rich.
"The more connected we get the more alone we become" - Kyle Broflovski©
Post Reply

Return to “phpBB Discussion”