Is password field in Usertable encrypted??

Rhue
Registered User
Posts: 7
Joined: Tue Mar 20, 2007 10:01 pm

Is password field in Usertable encrypted??

Post by Rhue »

Is the password field in the phpBB usertable encrypted? If so, where can I have a look at it? Thank you

I am trying to use one signup for both my website and forum (users sign up on my website and they can also use the forum). Just wondering if the password field is encrypted in the usertable; if not, then it's good, but if yes, I need to figure out how the encryption/decryption works and send the data from the site usertable to the forum usertable. Where can I find the encryption script? I hope this is making sense to you guys.... :)
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Is password field in Usertable encrypted??

Post by david63 »

The passwords are encrypted using the MD5 one-way encryption PHP function, and the only place that they are is in the users table in the encrypted format.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
tomlevens
Registered User
Posts: 131
Joined: Mon Aug 18, 2003 8:52 pm

Re: Is password field in Usertable encrypted??

Post by tomlevens »

It's pretty easy to implement checking of a given password against the hash in the database. An MD5 hash of a string will always be the same. Therefore, you can just make a hash of the password that the user has entered, then check if it's the same as the one stored in the database. If it matches, then the password is correct. You can use the md5() function in PHP to make the hash.

Hope that helps!
Pezzoni
Registered User
Posts: 706
Joined: Sat Nov 16, 2002 8:25 pm

Re: Is password field in Usertable encrypted??

Post by Pezzoni »

The passwords are hashed, not encrypted. This means that it is theoretically impossible (although manageable in practice with a lot of computing power, or rainbow tables) to get the original password back. tomlevens did, however, describe how you can use said hashes for the purposes of authentication.
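
An added example (not part of any post in this thread, and not phpBB's own code): the hash comparison tomlevens describes, done with a constant-time compare, plus one way to replace an unsalted MD5 digest with a salted `password_hash()` value at the next successful login, which addresses the rainbow-table weakness Pezzoni mentions. The function name, the row layout and the sample passwords are assumptions made for the illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added illustration, not phpBB code. All names here are hypothetical.

/**
 * Check a login attempt against a stored value that is either a legacy
 * unsalted MD5 hex digest or a password_hash() string.
 * Returns [bool $ok, ?string $newHash]; a non-null $newHash means the
 * caller should overwrite the stored value with it.
 */
function verify_and_upgrade(string $password, string $stored): array
{
    // Legacy format: exactly 32 hex characters, as produced by md5().
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        // hash_equals() compares in constant time, unlike == or ===.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        // Correct password: swap the fast unsalted digest for a salted, slow hash.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    // Modern format: algorithm, cost and salt are embedded in the string.
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $newHash];
}

// Constructed sample row: a user whose stored value is still unsalted MD5.
$row = ['username' => 'example_user', 'password' => md5('correct horse')];

// A wrong guess fails and never triggers an upgrade.
[$ok, $newHash] = verify_and_upgrade('wrong guess', $row['password']);
var_dump($ok, $newHash);

// A correct login succeeds and yields a replacement hash to store.
[$ok, $newHash] = verify_and_upgrade('correct horse', $row['password']);
if ($ok && $newHash !== null) {
    $row['password'] = $newHash; // in a real application: UPDATE the user row
}

// The upgraded value now verifies through the salted branch only.
[$ok, $newHash] = verify_and_upgrade('correct horse', $row['password']);
var_dump($ok, $newHash, $row['password'] !== md5('correct horse'));
```

Because the upgraded value carries a per-user random salt, two accounts with the same password no longer share a stored value, so a precomputed table of MD5 digests does not apply to it.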
NeoThermic
Security Consultant
Posts: 2141
Joined: Thu Dec 25, 2003 1:33 am
Location: United Kingdom

Re: Is password field in Usertable encrypted??

Post by NeoThermic »

Pezzoni wrote: The passwords are hashed, not encrypted. This means that it is theoretically impossible (although manageable in practice with a lot of computing power, or rainbow tables) to get the original password back.


Not quite. You get data which, when hashed, matched the input data. You can never know if the data that matches is the input data.

NeoThermic
NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
Pezzoni
Registered User
Posts: 706
Joined: Sat Nov 16, 2002 8:25 pm

Re: Is password field in Usertable encrypted??

Post by Pezzoni »

True, but finding a collision vs the original cleartext wouldn't make any difference with regards to the security of the compromised user account on phpBB, and the chances of happening across one are tiny.
