MyBB Tutorials

Using bcrypt on your MyBB forum.

Submitted by cute, , Thread ID: 8621

Thread Closed

RE: Using bcrypt on your MyBB forum.

#11
07-08-2015, 08:09 AM
Aoki Wrote:
07-08-2015, 03:10 AM
Tropical Wrote:
Akay almost fucked up RF doing this lol :noh:

And who cares?

I will shut up about it.
Didn't mean to disturb you.

RE: Using bcrypt on your MyBB forum.

#12
What could happen to your forum if something were to mess up during the installation?

RE: Using bcrypt on your MyBB forum.

#13
Why did you remove the support for salts?

RE: Using bcrypt on your MyBB forum.

OP
This post was last modified: 08-08-2015, 04:31 AM by cute
#14
07-08-2015, 02:54 PM
Lukas Wrote:
What could happen to your forum if something were to mess up during the installation?
Nothing, if you're smart and take a backup beforehand. Or even better, do like I said and do it on a development copy of your forum.

07-08-2015, 04:16 PM
Sozin Wrote:
Why did you remove the support for salts?

bcrypt has random salts built into it by default.

Sure you could also have the MyBB salt, but it's really not needed.
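The point about built-in salts, as an added example that is not part of the original thread or the tutorial's code: PHP's `password_hash()` draws a fresh salt on every call and stores it inside the hash string, so `password_verify()` needs no separate salt column. The sample password and the `split_bcrypt()` helper are constructed for illustration.

```php
<?php
// Added example: why a separate salt column is redundant with bcrypt.
// bcrypt string layout: $2y$ + 2-digit cost + $ + 22-char salt + 31-char digest.

function split_bcrypt(string $hash): array
{
    $re = '/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'correct horse battery staple'; // constructed sample input

// Same password hashed twice: each call gets its own random salt.
$first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

$a = split_bcrypt($first);
$b = split_bcrypt($second);

echo 'hash 1: ', $first, PHP_EOL;
echo 'hash 2: ', $second, PHP_EOL;
echo 'salts differ:   ', var_export($a['salt'] !== $b['salt'], true), PHP_EOL;
echo 'digests differ: ', var_export($a['digest'] !== $b['digest'], true), PHP_EOL;

// Verification reads variant, cost and salt back out of the stored string,
// so the only thing the application has to keep is the hash itself.
echo 'verify hash 1:  ', var_export(password_verify($password, $first), true), PHP_EOL;
echo 'verify hash 2:  ', var_export(password_verify($password, $second), true), PHP_EOL;
echo 'wrong password: ', var_export(password_verify('wrong', $first), true), PHP_EOL;

// The embedded cost also lets the application raise the work factor later:
// hashes created at a lower cost are flagged for re-hashing at next login.
$needsUpgrade = password_needs_rehash($first, PASSWORD_BCRYPT, ['cost' => 13]);
echo 'needs rehash at cost 13: ', var_export($needsUpgrade, true), PHP_EOL;
```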

RE: Using bcrypt on your MyBB forum.

#15
Yep, until MyBB 2.0 is released, people should explicitly use bcrypt.

RE: Using bcrypt on your MyBB forum.

#16
I'm all up for improving the security and privacy of my own MyBB forum. I'm hoping to see this tutorial when I'm eligible enough.

RE: Using bcrypt on your MyBB forum.

#17
The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.

RE: Using bcrypt on your MyBB forum.

OP
This post was last modified: 17-09-2015, 01:04 AM by cute
#18
16-09-2015, 02:06 PM
DP_PN Wrote:
The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.

Not if you force everyone to logout in the event of a breach.

RE: Using bcrypt on your MyBB forum.

#19
16-09-2015, 02:06 PM
DP_PN Wrote:
The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.

I would have thought people would be more concerned regarding their (potentially) everyday-use password being known, rather than someone being able to login to their forum account?

If I was made aware that a database was leaked that contained my everyday password, I wouldn't give 2 fucks about the compromised website, I'd be too busy resetting all the shit that uses that password.

FYI, all of my passwords are different and complex, this is an example.

RE: Using bcrypt on your MyBB forum.

#20
17-09-2015, 01:11 AM
Pulseeey Wrote:
16-09-2015, 02:06 PM
DP_PN Wrote:
The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.

I would have thought people would be more concerned regarding their (potentially) everyday-use password being known, rather than someone being able to login to their forum account?

If I was made aware that a database was leaked that contained my everyday password, I wouldn't give 2 fucks about the compromised website, I'd be too busy resetting all the shit that uses that password.

FYI, all of my passwords are different and complex, this is an example.
If you have different passwords everywhere that's not your concern. It would be whether or not someone can authenticate as you, without even knowing your password...

17-09-2015, 01:04 AM
Nekomimi Wrote:
16-09-2015, 02:06 PM
DP_PN Wrote:
The weakness of the password storage method is irrelevant to be honest with you. If you have the hash, that you took from the database, you also have the loginkey. With the loginkey, you can instantly start a session for any user, without using a password.

Not if you force everyone to logout in the event of a breach.
What's the point of having the password? Isn't it to authenticate? You can bypass the hassle of having to bruteforce millions of combinations by simply using the loginkey. Of course if someone finds out there was a breach, the logout can be forced. It's the same breach people would use to get the password hashes so it would still be possible to alert everyone to change password before you could even use it. A lot of people use the same password for different sites, that's right - and that's the only advantage of getting the password rather than the loginkey.
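The forced logout discussed in the posts above, as an added example that is not from the thread or from MyBB's own code: replacing every user's loginkey makes any copy of the old value useless for session checks. The `$users` array is constructed sample data standing in for the users table, and the `<uid>_<loginkey>` cookie layout and all function names are assumptions made for illustration.

```php
<?php
// Added example: breach response by rotating every loginkey.

function new_login_key(): string
{
    return bin2hex(random_bytes(25)); // 50 hex characters from the CSPRNG
}

// Returns a copy of the user list with a fresh loginkey for every account.
function rotate_login_keys(array $users): array
{
    foreach ($users as $uid => $row) {
        $users[$uid]['loginkey'] = new_login_key();
    }
    return $users;
}

// Hypothetical session check: the cookie is assumed to hold "<uid>_<loginkey>".
function cookie_is_valid(string $cookie, array $users): bool
{
    $parts = explode('_', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$uid, $key] = $parts;
    $uid = (int) $uid;
    // hash_equals() compares in constant time.
    return isset($users[$uid]) && hash_equals($users[$uid]['loginkey'], $key);
}

// Constructed sample data.
$users = [
    1 => ['username' => 'alice', 'loginkey' => new_login_key()],
    2 => ['username' => 'bob',   'loginkey' => new_login_key()],
];

// A cookie value built from the key as it was stored before the rotation.
$oldCookie = '1_' . $users[1]['loginkey'];
echo 'old key accepted before rotation: ',
    var_export(cookie_is_valid($oldCookie, $users), true), PHP_EOL;

$users = rotate_login_keys($users);
echo 'old key accepted after rotation:  ',
    var_export(cookie_is_valid($oldCookie, $users), true), PHP_EOL;
```

Rotation only logs sessions out; the password hashes from the same leak are unchanged by it, which is where the strength of the hashing scheme still matters.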
