miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
Suggestions miniBB Support Forums / Suggestions /  
 

MD5 a bit dated

 
Author AdamP
Partaker
#1 | Posted: 10 Feb 2014 09:52 
Hello
I really like this product!
But I have a concern about md5(). The hashing algorithm is a bit dated now.
I'm not an expert but I have read up on this pretty extensively.
It has a number of vulnerabilities and in many cases is not a great deal better than just storing passwords plain text. If someone does manage to get a hold of the list they could break it really quickly with modern hardware.

Just search SHA1/MD5/MD4 bruteforcer for ATI and nVidia GPUs for a bruteforcer (can't post link)
It found "roger15" in 16 seconds.
They wouldn't even need to run it separately for each password as there is no salt. It could be run once for the whole table. Simple passwords would be broken in a few seconds while more complex passwords might take a number of minutes or even hours.

And that is just for brute forcing, keep in mind that md5 is such a common algorithm that there are lists of md5 hashes (even with common salts).

Not to mention that md5 is vulnerable to collisions.

I realize that forums aren't a high value target, the worst that could happen is a few posts. But the real problem isn't the forums. If the password is broken and is associated with an email address and reused elsewhere on the internet what then? In practice users like to use the same password for everything. That means they could very likely get access to the email, facebook, online banking, and God knows what else.

And then the best defense we are left with is "you shouldn't use the same password for everything".

Something as simple as using PHP 5.3 crypt() with blowfish or (more recent PHP 5.5) bcrypt() might very well save a lot people a lot of trouble.

I mention this because I really like the product and I'd like to see it improved.

Adam

Author Paul
Lead Developer 
#2 | Posted: 10 Feb 2014 13:27 
Thanks for your suggestion. MiniBB has a basic method of password encryption, and you can change it easily, modifying bb_cookie.php, where it is possible to change md5 hashing to whatever algorithm. It is just one line of code to change and everyone is free to improve this with a personal method.

Actually, the most important about our product is not collecting memberships, but anonymous posting. We can make a large discussion on security, since I am not novice on this subject, too, but whatever we need to start from, is that everything could be broken, hacked or stolen whatever algorithm you use. Then why to take care on it if we could just concentrate on the content itself.

As about this:

But the real problem isn't the forums. If the password is broken and is associated with an email address and reused elsewhere on the internet what then? In practice users like to use the same password for everything. That means they could very likely get access to the email, facebook, online banking, and God knows what else.
Sorry, it is not the question to our development. I am considering it stupid to take care about users who do not care about their own security. We cannot be responsible for them in any term. It is the same like if the car crash happens on the road because of the bad weather conditions or if the driver has passed an important sign; I think the car producing company would laugh if the victim would come to them, and claim their car was guilty, while the car has just 4 wheels and guilty may be only a driving person.

Author Dransil
Partaker
#3 | Posted: 17 Mar 2014 02:14 
I do support the idea of MD5 being replaced in favor of something much newer and stronger.
I believe it will simply reduce the forum software and it's server as being a target for attacks to obtain the database.

Author Paul
Lead Developer 
#4 | Posted: 18 Mar 2014 22:33 
All I could say about md5, security is not around just this algorithm. For knowing md5 hash, someone should steal the cookie itself, or direct mysql data. If the cookie or DB could be stolen, it is not about md5 security. Whatever algorithm you would use, if it could be replicated via cookie, its difficulty doesn't matter. Also, sometimes the switch to https helps a lot, it means data like cookies can not be stolen easily via network, so you could be safe on it for a while.

All my major customers run thousands members forums on md5 and all security issues we were having by now, were mostly about scripts security or outdated scripts and not md5. The first thing about MD5 is it could be brute-forced, but for this, you would need to know the hash of the cookie. And if you would know the hash, how it could be related to MD5, in general? It could be related only to some other point of security. It could mean, for example, someone got access to your PC and copied all of your cookies.

So how MD5 is related to that?..

Suggestions miniBB Support Forums / Suggestions /
 MD5 a bit dated
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message


  ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.


Before posting, make sure your message is compliant with forum rules; otherwise it could be locked or removed with no explanation.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Try the Captcha add-on: protect your miniBB-forums from the automated spam and flood.


  ⇑