1 (edited by Xuantia 2016-03-10 22:11)

Topic: Changing the password hash

So I was thinking of changing the password hashing system used in PunBB to using the PHP hash function and hashing passwords in Whirlpool instead of using sha1 which is horribly outdated and very easy to crack these days. I however only have a very basic understanding of PHP so was wondering if anyone here would be able to point me in the right direction.

I know that the files that would need changing are the login.php, register.php and the install.php as they all handle passwords and password hashing, however I feel if I go tinkering without some guidance I'll end up breaking something horribly.

Thanks for any helpful replies.

2 (edited by PanBB.Ru 2016-03-11 01:01)

Re: Changing the password hash

See in file functios.php:
it is generate a random key of length $len

function random_key($len, $readable = false, $hash = false)
{
    $key = '';

    $return = ($hook = get_hook('fn_random_key_start')) ? eval($hook) : null;
    if ($return != null)
        return $return;

    if ($hash)
        $key = substr(sha1(uniqid(rand(), true)), 0, $len);
    else if ($readable)
    {
        $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

        for ($i = 0; $i < $len; ++$i)
            $key .= substr($chars, (mt_rand() % strlen($chars)), 1);
    }
    else
        for ($i = 0; $i < $len; ++$i)
            $key .= chr(mt_rand(33, 126));

    ($hook = get_hook('fn_random_key_end')) ? eval($hook) : null;

    return $key;
}

&&  Generates a salted, SHA-1 hash of $str

function forum_hash($str, $salt)
{
    $return = ($hook = get_hook('fn_forum_hash_start')) ? eval($hook) : null;
    if ($return != null)
        return $return;

    return sha1($salt.sha1($str));
}

I do not remember that someone said : "My forums hacked!"

More Extensions on PunBB.INFO

Your thanks with WebMoney: Z323386029617

Re: Changing the password hash

I never said it was just because of security. Also just because you haven't had any problems with people hacking into PunBB forums doesn't mean you never will with a weak hash like that.

Anyway it isn't just because of security that I want to do it for, it's also because I wan to integrate PunBB and customize it for my own needs for a game server that uses MySQL as its information such as users and stats. I want to integrate PunBB into this system by being the forums for the gameserver as well as the user control panel for users to edit their in game characters from.

Basically PunBB would be the master account through the website and then players will be able to link their in-game accounts/create new in-game accounts thorough their master forum account.

Thanks for pointing those functions out, however changing those functions would break the login.php, reister.php, and install.php scripts where password hashing is involved?

Example:

// Login
if (isset($_POST['form_sent']) && empty($action))
{
    $form_username = forum_trim($_POST['req_username']);
    $form_password = forum_trim($_POST['req_password']);
    $save_pass = isset($_POST['save_pass']);

    ($hook = get_hook('li_login_form_submitted')) ? eval($hook) : null;

    // Get user info matching login attempt
    $query = array(
        'SELECT'    => 'u.id, u.group_id, u.password, u.salt',
        'FROM'        => 'users AS u'
    );

    if (in_array($db_type, array('mysql', 'mysqli', 'mysql_innodb', 'mysqli_innodb')))
        $query['WHERE'] = 'username=\''.$forum_db->escape($form_username).'\'';
    else
        $query['WHERE'] = 'LOWER(username)=LOWER(\''.$forum_db->escape($form_username).'\')';

    ($hook = get_hook('li_login_qr_get_login_data')) ? eval($hook) : null;
    $result = $forum_db->query_build($query) or error(__FILE__, __LINE__);
    list($user_id, $group_id, $db_password_hash, $salt) = $forum_db->fetch_row($result);

    $authorized = false;
    if (!empty($db_password_hash))
    {
        $sha1_in_db = (strlen($db_password_hash) == 40) ? true : false;
        $form_password_hash = forum_hash($form_password, $salt);

        if ($sha1_in_db && $db_password_hash == $form_password_hash)
            $authorized = true;
        else if ((!$sha1_in_db && $db_password_hash == md5($form_password)) || ($sha1_in_db && $db_password_hash == sha1($form_password)))
        {
            $authorized = true;

            $salt = random_key(12);
            $form_password_hash = forum_hash($form_password, $salt);

            // There's an old MD5 hash or an unsalted SHA1 hash in the database, so we replace it
            // with a randomly generated salt and a new, salted SHA1 hash
            $query = array(
                'UPDATE'    => 'users',
                'SET'        => 'password=\''.$form_password_hash.'\', salt=\''.$forum_db->escape($salt).'\'',
                'WHERE'        => 'id='.$user_id
            );

            ($hook = get_hook('li_login_qr_update_user_hash')) ? eval($hook) : null;
            $forum_db->query_build($query) or error(__FILE__, __LINE__);
        }
    }

    ($hook = get_hook('li_login_pre_auth_message')) ? eval($hook) : null;

    if (!$authorized)
        $errors[] = sprintf($lang_login['Wrong user/pass']);

If I changed the hashing functions to use Whirlpool it would break the above code completely would it not? I guess with the forum_hash function I would just change the sha1 function to use PHP's hash function. But because the above code checks for md5/sha1. In my situation would it be easier to re-write the login/register/install functions that handle passwords or is there an easier way around this?

Thanks.

Re: Changing the password hash

Let us suppose. What are you going to use instead of sha1?

Still I do not know if this will affect the password recovery...

More Extensions on PunBB.INFO

Your thanks with WebMoney: Z323386029617

Re: Changing the password hash

As I said I would be using Whirlpool instead of sha1.

Re: Changing the password hash

It's good. I wonder why the developers punbb just did not use it?

Today WHIRLPOOL resistant to all types of cryptanalysis.
Over 8 years of Whirlpool has been no recorded attacks on it.

It would be interesting to know the result of the work.

Success to you! smile

More Extensions on PunBB.INFO

Your thanks with WebMoney: Z323386029617

7 (edited by Xuantia 2016-03-11 13:58)

Re: Changing the password hash

It's surprising how little to no software uses it in terms of internet forums and blogs where there are sensitive data such as passwords. I guess they deem it unnecessary but in my opinion using the best security should always be top priority to protect yourself and your site's users.

I'll have a read of the code at some point when I have time, and play with it to see if I can get it to work. I'll keep this thread updated and any help in getting this to work would be appreciated.

I know how to use the php 'hash' function

string hash ( string $algo , string $data [, bool $raw_output = false ] )

But it's implementing it into the PunBB code so that it uses all Whirlpool for its password hashing rather than sha1.

EDIT: I've managed to convert the install script, and the login script to now work with Whirlpool instead smile - I just need to do the register.php file now.

Re: Changing the password hash

hmmmm. got this same issue. good to know these things.

Re: Changing the password hash

Apologies, I have not been around these parts for a long time (busy busy). Figured I would check in, has anyone else made any headway on this. I lost all code changes I had made (should've made a repo for the changes on GitHub my bad!) so I will probably start again with it from scratch as it is still something I am very much interested in.

Re: Changing the password hash

Is whirlpool better than sha1?

Re: Changing the password hash

Faybelline wrote:

Is whirlpool better than sha1?

It's a lot more secure.

PanBB.Ru wrote:

Today WHIRLPOOL resistant to all types of cryptanalysis.
Over 8 years of Whirlpool has been no recorded attacks on it.

Re: Changing the password hash

Xuantia wrote:
Faybelline wrote:

Is whirlpool better than sha1?

It's a lot more secure.

PanBB.Ru wrote:

Today WHIRLPOOL resistant to all types of cryptanalysis.
Over 8 years of Whirlpool has been no recorded attacks on it.

Interesting, thanks for the answer:)

Re: Changing the password hash

No worries. smile

I haven't started attempting this yet, but I will keep this topic updated as I make progress... any chance I get.