07-08-2015, 08:09 AMAoki Wrote:07-08-2015, 03:10 AMTropical Wrote: Akay almost fucked up RF doing this lol :noh:
And who cares?
I will shut up about it.
Didn't mean to disturb you.
MyBB Tutorials
Using bcrypt on your MyBB forum.
Submitted by cute, 06-08-2015, 01:17 PM, Thread ID: 8621
Thread Closed
RE: Using bcrypt on your MyBB forum. 07-08-2015, 02:16 PM #11
I will shut up about it.
Didn't mean to disturb you.
07-08-2015, 02:16 PM
#11 I will shut up about it.
Didn't mean to disturb you.
RE: Using bcrypt on your MyBB forum. 07-08-2015, 02:54 PM #12 What could happen to your forum if something were to mess up during the installation?
07-08-2015, 02:54 PM
#12 What could happen to your forum if something were to mess up during the installation?
RE: Using bcrypt on your MyBB forum. 07-08-2015, 04:16 PM #13 Why did you remove the support for salts? Do not let your difficulties fill you with anxiety, after all it is only in the darkest nights that stars shine more brightly. - Ali(a.s)
Developer( PHP, Python, C++, HTML+CSS, JS I am available for Hire. Message Me for details.
07-08-2015, 04:16 PM
#13 Why did you remove the support for salts?
Do not let your difficulties fill you with anxiety, after all it is only in the darkest nights that stars shine more brightly. - Ali(a.s)
Developer( PHP, Python, C++, HTML+CSS, JS I am available for Hire. Message Me for details.
Developer( PHP, Python, C++, HTML+CSS, JS I am available for Hire. Message Me for details.
RE: Using bcrypt on your MyBB forum. 07-08-2015, 02:54 PMLukas Wrote: What could happen to your forum if something were to mess up during the installation?
Nothing, if you're smart and take a backup beforehand. Or even better, do like I said and do it on a development copy of your forum.
07-08-2015, 04:16 PMSozin Wrote: Why did you remove the support for salts?
bcrypt has random salts built into it by default.
Sure you could also have the MyBB salt, but it's really not needed. ![[Image: ZtDsXXv.png]](https://i.imgur.com/ZtDsXXv.png)
Nothing, if you're smart and take a backup beforehand. Or even better, do like I said and do it on a development copy of your forum.07-08-2015, 02:54 PMLukas Wrote: What could happen to your forum if something were to mess up during the installation?
07-08-2015, 04:16 PMSozin Wrote: Why did you remove the support for salts?
bcrypt has random salts built into it by default.
Sure you could also have the MyBB salt, but it's really not needed.
RE: Using bcrypt on your MyBB forum. 28-08-2015, 08:51 PM #15 Yep until Mybb 2.0 is released, people should explicitly use bcrypt.
28-08-2015, 08:51 PM
#15 Yep until Mybb 2.0 is released, people should explicitly use bcrypt.
RE: Using bcrypt on your MyBB forum. 05-09-2015, 03:33 PM #16 I'm all up for improving the security and privacy of my own MyBB forum. I'm hoping to see this tutorial when I'm eligible enough.
05-09-2015, 03:33 PM
#16 I'm all up for improving the security and privacy of my own MyBB forum. I'm hoping to see this tutorial when I'm eligible enough.
RE: Using bcrypt on your MyBB forum. 16-09-2015, 02:06 PM #17 The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
16-09-2015, 02:06 PM
#17 The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
RE: Using bcrypt on your MyBB forum. 16-09-2015, 02:06 PMDP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
Not if you force everyone to logout in the event of a breach.
16-09-2015, 02:06 PMDP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
Not if you force everyone to logout in the event of a breach.
RE: Using bcrypt on your MyBB forum. 16-09-2015, 02:06 PMDP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
I would have thought people would be more concerned regarding their (potentially) everyday-use password being known, rather than someone being able to login to their forum account?
If I was made aware that a database was leaked, that contained my everyday password. I wouldn't give 2 fucks about the compromised website, I'd be too busy resetting all the shit that uses that password.
FYI, All of my passwords are different and complex, this is an example.
16-09-2015, 02:06 PMDP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
I would have thought people would be more concerned regarding their (potentially) everyday-use password being known, rather than someone being able to login to their forum account?
If I was made aware that a database was leaked, that contained my everyday password. I wouldn't give 2 fucks about the compromised website, I'd be too busy resetting all the shit that uses that password.
FYI, All of my passwords are different and complex, this is an example.
RE: Using bcrypt on your MyBB forum. 18-09-2015, 04:51 PM #20 17-09-2015, 01:11 AMPulseeey Wrote: 16-09-2015, 02:06 PMDP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
I would have thought people would be more concerned regarding their (potentially) everyday-use password being known, rather than someone being able to login to their forum account?
If I was made aware that a database was leaked, that contained my everyday password. I wouldn't give 2 fucks about the compromised website, I'd be too busy resetting all the shit that uses that password.
FYI, All of my passwords are different and complex, this is an example.
if you have different passwords everywhere that's not your concern. It would be whether or not someone can authenticate as you, without even knowing your password...
17-09-2015, 01:04 AMNekomimi Wrote: 16-09-2015, 02:06 PMDP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
Not if you force everyone to logout in the event of a breach.
What's the point of having the password? Isn't it to authenticate? You can bypass the hassle of having to bruteforce millions of combinations by simply using the loginkey. Of course if someone finds out there was a breach, the logout can be forced. It's the same breach people would use to get the password hashes so it would still be possible to alert everyone to change password before you could even use it. A lot of people use the same password for different sites, that's right - and that's the only advantage of getting the password rather than the loginkey.
18-09-2015, 04:51 PM
#20 if you have different passwords everywhere that's not your concern. It would be whether or not someone can authenticate as you, without even knowing your password...17-09-2015, 01:11 AMPulseeey Wrote:16-09-2015, 02:06 PMDP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
I would have thought people would be more concerned regarding their (potentially) everyday-use password being known, rather than someone being able to login to their forum account?
If I was made aware that a database was leaked, that contained my everyday password. I wouldn't give 2 fucks about the compromised website, I'd be too busy resetting all the shit that uses that password.
FYI, All of my passwords are different and complex, this is an example.
What's the point of having the password? Isn't it to authenticate? You can bypass the hassle of having to bruteforce millions of combinations by simply using the loginkey. Of course if someone finds out there was a breach, the logout can be forced. It's the same breach people would use to get the password hashes so it would still be possible to alert everyone to change password before you could even use it. A lot of people use the same password for different sites, that's right - and that's the only advantage of getting the password rather than the loginkey.17-09-2015, 01:04 AMNekomimi Wrote:16-09-2015, 02:06 PMDP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
Not if you force everyone to logout in the event of a breach.