MyBB Tutorials
Using bcrypt on your MyBB forum.
Submitted by cute, 06-08-2015, 01:17 PM, Thread ID: 8621
Thread Closed
RE: Using bcrypt on your MyBB forum. 18-09-2015, 06:43 PM #21 I have seen similar tutorials on this. And in all of then, you had to edit the password of the current members, which is a very big task. Is it the same with this tutorial?
18-09-2015, 06:43 PM
#21 I have seen similar tutorials on this. And in all of then, you had to edit the password of the current members, which is a very big task. Is it the same with this tutorial?
RE: Using bcrypt on your MyBB forum. 18-09-2015, 06:50 PM #22 07-08-2015, 10:13 AMNekomimi Wrote: 07-08-2015, 10:00 AMGummy Wrote: What does this thing do?
Makes MyBB use the bcrypt hashing algorithm instead of the MD5 + Salt algorithm that it uses by default.
Here's a post by one of the members of my forum explaining it after I implemented it myself:
![[Image: 2f9e27089085b23ce910c59e642ba7df.png]](https://nulledbb.com/c/0534c8ea49815fde1e0898a1cd585d54827bf1ed/687474703a2f2f692e6779617a6f2e636f6d2f32663965323730383930383562323363653931306335396536343262613764662e706e67/2f9e27089085b23ce910c59e642ba7df.png)
i'm on that forum :D
18-09-2015, 06:50 PM
#22 07-08-2015, 10:13 AMNekomimi Wrote:07-08-2015, 10:00 AMGummy Wrote: What does this thing do?
Makes MyBB use the bcrypt hashing algorithm instead of the MD5 + Salt algorithm that it uses by default.
Here's a post by one of the members of my forum explaining it after I implemented it myself:
i'm on that forum :D
RE: Using bcrypt on your MyBB forum. 18-09-2015, 04:51 PMDP_PN Wrote: 17-09-2015, 01:11 AMPulseeey Wrote: 16-09-2015, 02:06 PMDP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
I would have thought people would be more concerned regarding their (potentially) everyday-use password being known, rather than someone being able to login to their forum account?
If I was made aware that a database was leaked, that contained my everyday password. I wouldn't give 2 fucks about the compromised website, I'd be too busy resetting all the shit that uses that password.
FYI, All of my passwords are different and complex, this is an example.
if you have different passwords everywhere that's not your concern. It would be whether or not someone can authenticate as you, without even knowing your password...
17-09-2015, 01:04 AMNekomimi Wrote: 16-09-2015, 02:06 PMDP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
Not if you force everyone to logout in the event of a breach.
What's the point of having the password? Isn't it to authenticate? You can bypass the hassle of having to bruteforce millions of combinations by simply using the loginkey. Of course if someone finds out there was a breach, the logout can be forced. It's the same breach people would use to get the password hashes so it would still be possible to alert everyone to change password before you could even use it. A lot of people use the same password for different sites, that's right - and that's the only advantage of getting the password rather than the loginkey.
I'm either really chill, or I'm unusual. I personally wouldn't give a fuck if someone had my login key, I'd be more concerned regarding my passwords (whether they are the same for other sitesor not).
18-09-2015, 04:51 PMDP_PN Wrote:if you have different passwords everywhere that's not your concern. It would be whether or not someone can authenticate as you, without even knowing your password...17-09-2015, 01:11 AMPulseeey Wrote:16-09-2015, 02:06 PMDP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
I would have thought people would be more concerned regarding their (potentially) everyday-use password being known, rather than someone being able to login to their forum account?
If I was made aware that a database was leaked, that contained my everyday password. I wouldn't give 2 fucks about the compromised website, I'd be too busy resetting all the shit that uses that password.
FYI, All of my passwords are different and complex, this is an example.
What's the point of having the password? Isn't it to authenticate? You can bypass the hassle of having to bruteforce millions of combinations by simply using the loginkey. Of course if someone finds out there was a breach, the logout can be forced. It's the same breach people would use to get the password hashes so it would still be possible to alert everyone to change password before you could even use it. A lot of people use the same password for different sites, that's right - and that's the only advantage of getting the password rather than the loginkey.17-09-2015, 01:04 AMNekomimi Wrote:16-09-2015, 02:06 PMDP_PN Wrote: The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.
Not if you force everyone to logout in the event of a breach.
I'm either really chill, or I'm unusual. I personally wouldn't give a fuck if someone had my login key, I'd be more concerned regarding my passwords (whether they are the same for other sitesor not).
RE: Using bcrypt on your MyBB forum. 18-09-2015, 04:51 PMDP_PN Wrote: What's the point of having the password? Isn't it to authenticate? You can bypass the hassle of having to bruteforce millions of combinations by simply using the loginkey. Of course if someone finds out there was a breach, the logout can be forced. It's the same breach people would use to get the password hashes so it would still be possible to alert everyone to change password before you could even use it. A lot of people use the same password for different sites, that's right - and that's the only advantage of getting the password rather than the loginkey.
Forcing everyone to logout renders the loginkeys useless in the event of a breach, as they would have to login and generate a new loginkey.
18-09-2015, 06:43 PMJoseahfer Wrote: I have seen similar tutorials on this. And in all of then, you had to edit the password of the current members, which is a very big task. Is it the same with this tutorial?
No, this tutorial automatically converts your passwords from md5 to bcrypt over time as people login. ![[Image: ZtDsXXv.png]](https://i.imgur.com/ZtDsXXv.png)
18-09-2015, 04:51 PMDP_PN Wrote: What's the point of having the password? Isn't it to authenticate? You can bypass the hassle of having to bruteforce millions of combinations by simply using the loginkey. Of course if someone finds out there was a breach, the logout can be forced. It's the same breach people would use to get the password hashes so it would still be possible to alert everyone to change password before you could even use it. A lot of people use the same password for different sites, that's right - and that's the only advantage of getting the password rather than the loginkey.
Forcing everyone to logout renders the loginkeys useless in the event of a breach, as they would have to login and generate a new loginkey.
18-09-2015, 06:43 PMJoseahfer Wrote: I have seen similar tutorials on this. And in all of then, you had to edit the password of the current members, which is a very big task. Is it the same with this tutorial?
No, this tutorial automatically converts your passwords from md5 to bcrypt over time as people login.
RE: Using bcrypt on your MyBB forum. 19-09-2015, 11:48 AM #25 19-09-2015, 03:43 AMNekomimi Wrote: No, this tutorial automatically converts your passwords from md5 to bcrypt over time as people login.
Thanks for your answer, then I will be very useful. Now I look at it. (:
19-09-2015, 11:48 AM
#25 19-09-2015, 03:43 AMNekomimi Wrote: No, this tutorial automatically converts your passwords from md5 to bcrypt over time as people login.
Thanks for your answer, then I will be very useful. Now I look at it. (:
RE: Using bcrypt on your MyBB forum. 25-09-2015, 04:34 PM #26 No idea what bcrypt is but would like to see still.
25-09-2015, 04:34 PM
#26 No idea what bcrypt is but would like to see still.
RE: Using bcrypt on your MyBB forum. 08-02-2016, 09:42 PM #27 This looks really usefull i will check this out later. Sorry for bumping old thread
08-02-2016, 09:42 PM
#27 This looks really usefull i will check this out later. Sorry for bumping old thread
RE: Using bcrypt on your MyBB forum. 08-02-2016, 09:46 PM #28 07-08-2015, 03:10 AMTropical Wrote: Akay almost fucked up RF doing this lol :noh:
Are you Dad or Predatard? Just wondering (I'm pancuck :noh
08-02-2016, 09:46 PM
#28 07-08-2015, 03:10 AMTropical Wrote: Akay almost fucked up RF doing this lol :noh:
Are you Dad or Predatard? Just wondering (I'm pancuck :noh