I never said it was just because of security. Also, just because you haven't had any problems with people hacking into PunBB forums doesn't mean you never will with a weak hash like that.
Anyway, it isn't just because of security that I want to do it; it's also because I want to integrate PunBB and customize it for my own needs for a game server that uses MySQL to store its information, such as users and stats. I want to integrate PunBB into this system as the forums for the game server as well as the user control panel for users to edit their in-game characters from.
Basically PunBB would be the master account through the website, and then players will be able to link their in-game accounts/create new in-game accounts through their master forum account.
Thanks for pointing those functions out; however, wouldn't changing those functions break the login.php, register.php, and install.php scripts where password hashing is involved?
Example:
```php
// Login
if (isset($_POST['form_sent']) && empty($action))
{
    $form_username = forum_trim($_POST['req_username']);
    $form_password = forum_trim($_POST['req_password']);
    $save_pass = isset($_POST['save_pass']);

    ($hook = get_hook('li_login_form_submitted')) ? eval($hook) : null;

    // Get user info matching login attempt
    $query = array(
        'SELECT' => 'u.id, u.group_id, u.password, u.salt',
        'FROM'   => 'users AS u'
    );

    if (in_array($db_type, array('mysql', 'mysqli', 'mysql_innodb', 'mysqli_innodb')))
        $query['WHERE'] = 'username=\''.$forum_db->escape($form_username).'\'';
    else
        $query['WHERE'] = 'LOWER(username)=LOWER(\''.$forum_db->escape($form_username).'\')';

    ($hook = get_hook('li_login_qr_get_login_data')) ? eval($hook) : null;
    $result = $forum_db->query_build($query) or error(__FILE__, __LINE__);
    list($user_id, $group_id, $db_password_hash, $salt) = $forum_db->fetch_row($result);

    $authorized = false;

    if (!empty($db_password_hash))
    {
        $sha1_in_db = (strlen($db_password_hash) == 40) ? true : false;
        $form_password_hash = forum_hash($form_password, $salt);

        if ($sha1_in_db && $db_password_hash == $form_password_hash)
            $authorized = true;
        else if ((!$sha1_in_db && $db_password_hash == md5($form_password)) || ($sha1_in_db && $db_password_hash == sha1($form_password)))
        {
            $authorized = true;
            $salt = random_key(12);
            $form_password_hash = forum_hash($form_password, $salt);

            // There's an old MD5 hash or an unsalted SHA1 hash in the database, so we replace it
            // with a randomly generated salt and a new, salted SHA1 hash
            $query = array(
                'UPDATE' => 'users',
                'SET'    => 'password=\''.$form_password_hash.'\', salt=\''.$forum_db->escape($salt).'\'',
                'WHERE'  => 'id='.$user_id
            );

            ($hook = get_hook('li_login_qr_update_user_hash')) ? eval($hook) : null;
            $forum_db->query_build($query) or error(__FILE__, __LINE__);
        }
    }

    ($hook = get_hook('li_login_pre_auth_message')) ? eval($hook) : null;

    if (!$authorized)
        $errors[] = sprintf($lang_login['Wrong user/pass']);
```
If I changed the hashing functions to use Whirlpool, it would break the above code completely, would it not? I guess with the forum_hash function I would just change the sha1 function to use PHP's hash function, but the above code checks for md5/sha1. In my situation, would it be easier to re-write the login/register/install functions that handle passwords, or is there an easier way around this?
Thanks.
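The rehash-on-login pattern from the login code above, generalised so that the algorithm is one swappable setting and the three scripts only need to call a single verify function. This is an added example, not PunBB's code or the poster's; it assumes forum_hash() is PunBB's sha1($salt . sha1($str)), and NEW_ALGO, new_hash() and verify_and_upgrade() are hypothetical names.

```php
<?php
// Added example: verify a stored password record in any of the formats the
// login code above handles (plain MD5, unsalted SHA1, salted SHA1) and, on a
// successful legacy match, produce a re-hashed record in the new scheme so the
// caller can run the same UPDATE that login.php already performs.

const NEW_ALGO = 'whirlpool';   // any name returned by hash_algos()

// Assumption: PunBB's existing scheme is sha1 of salt . sha1(password).
function forum_hash($str, $salt) {
    return sha1($salt . sha1($str));
}

// Replacement scheme (hypothetical). Whirlpool yields 128 hex chars, so the
// stored length alone tells it apart from MD5 (32) and SHA1 (40) records.
function new_hash($str, $salt) {
    return hash(NEW_ALGO, $salt . hash(NEW_ALGO, $str));
}

// Returns array('ok' => bool, 'upgrade' => null | array('password', 'salt')).
// 'upgrade' is set only when a legacy hash matched and should be replaced.
function verify_and_upgrade($password, $db_hash, $db_salt) {
    $result = array('ok' => false, 'upgrade' => null);
    $len = strlen($db_hash);

    if ($len === strlen(hash(NEW_ALGO, ''))) {
        // Already in the new format: constant-time compare, nothing to migrate.
        $result['ok'] = hash_equals($db_hash, new_hash($password, $db_salt));
        return $result;
    }

    // Legacy formats, in the same order login.php checks them.
    $legacy_ok = ($len === 40 && hash_equals($db_hash, forum_hash($password, $db_salt)))
              || ($len === 40 && hash_equals($db_hash, sha1($password)))
              || ($len === 32 && hash_equals($db_hash, md5($password)));

    if ($legacy_ok) {
        $result['ok'] = true;
        $salt = bin2hex(random_bytes(6));   // 12 hex chars, like random_key(12)
        $result['upgrade'] = array('password' => new_hash($password, $salt), 'salt' => $salt);
    }
    return $result;
}

// Constructed sample record: an old unsalted MD5 hash for the password "secret".
$record = verify_and_upgrade('secret', md5('secret'), '');
if ($record['ok'] && $record['upgrade'] !== null) {
    // Here login.php would issue its UPDATE users SET password=..., salt=... query.
    $new_password_hash = $record['upgrade']['password'];
    $new_salt          = $record['upgrade']['salt'];
}
```

Because the stored hash length identifies the scheme, register.php and install.php only need to call new_hash() for fresh accounts, and existing users are migrated the first time they log in, as the original code already does for MD5 and unsalted SHA1.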