Using bcrypt on your MyBB forum.

17-09-2015, 01:11 AM

Pulseeey Wrote:

16-09-2015, 02:06 PM

DP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.

I would have thought people would be more concerned regarding their (potentially) everyday-use password being known, rather than someone being able to login to their forum account?

If I was made aware that a database was leaked, that contained my everyday password. I wouldn't give 2 fucks about the compromised website, I'd be too busy resetting all the shit that uses that password.

FYI, All of my passwords are different and complex, this is an example.

if you have different passwords everywhere that's not your concern. It would be whether or not someone can authenticate as you, without even knowing your password...

17-09-2015, 01:04 AM

Nekomimi Wrote:

16-09-2015, 02:06 PM

DP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.

Not if you force everyone to logout in the event of a breach.

What's the point of having the password? Isn't it to authenticate? You can bypass the hassle of having to bruteforce millions of combinations by simply using the loginkey. Of course if someone finds out there was a breach, the logout can be forced. It's the same breach people would use to get the password hashes so it would still be possible to alert everyone to change password before you could even use it. A lot of people use the same password for different sites, that's right - and that's the only advantage of getting the password rather than the loginkey.