Topic: Double Hashing Passwords

I'm pretty sure this hasn't been mentioned before, but it would be a lot more secure if all the passwords were double hashed (i.e. md5(md5($password))). That way, if a hacker got some passwords, instead of being able to do a dictionary-based brute force, he would have to do a brute force for a 32-digit string. Even if he got that, he would still have to decrypt that. It would only require a small amount of editing to do. The only pages that would change would be login.php, register.php, /include/functions.php and profile.php. There might be others, but it would still be really easy to do.

Re: Double Hashing Passwords

Well, SHA1 is used where available, and if your password is a reasonable length it will take a long time to brute-force it.

Re: Double Hashing Passwords

A random salt would be a lot better. I've thought about it. Maybe for 1.3. Thing is, I don't want to make life difficult for the converter.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

4 (edited by Dexus 2005-04-02 20:50)

Re: Double Hashing Passwords

What is "random salt"?
Where can I read about it?

As for a converter for double-hashed passwords:
1. Add a boolean field "dblhashpass" to the "users" table.
2. In all places using md5, check this field, and if true, use md5(md5()).
3. When registering a new user or changing a password, set it to "true".

well. a sort of smile

Re: Double Hashing Passwords

Basically it hashes a string using another string, I think, so even if you brute-forced it you wouldn't get a usable password, like every PunBB site having their own unique encryption.

Re: Double Hashing Passwords

Here's a decent article on password hashing.

7 (edited by Dexus 2005-04-03 14:36)

Re: Double Hashing Passwords

Anyway, you must somehow update the current user list... how? You have only md5 hashes...
And if this salt string is stolen, it won't make any sense.

Re: Double Hashing Passwords

Surely md5(md5()) just takes twice as long to brute-force?

Re: Double Hashing Passwords

In encryption techniques, it's sometimes bad to encrypt something two times, as it might help the one trying to decrypt it... The same might apply to password hashing? (Not sure, that's the reason for the question mark.)

So, don't take for granted that more hashes will make it more secure, unless you have actually read articles explaining that this or that technique will work with multiple runs ;)

10 (edited by Dexus 2005-04-03 15:07)

Re: Double Hashing Passwords

Damn. I'm confused.
How will it help anyway? If the brute force is done through login.php, it makes no difference how the passwords are hashed...
Also, he would be able to steal the salt string
and find out that md5(md5()) is used...
It makes no sense...

Re: Double Hashing Passwords

OK, the brute force is not done through login.php; it's only if someone gets access to the DB somehow, and the salt string is different for every forum.

Re: Double Hashing Passwords

Well, you need to limit DB activity to the HTTP server only (by firewall). After that, you won't be able to access the DB directly.
But hackers often use holes in PHP scripts to execute selects against the database.
I wonder, is there any hole in PunBB that allows executing a custom select, or even update and other SQL commands?

Re: Double Hashing Passwords

Well, not that Rickard knows of, or it would be fixed, but there could be; that's how people get into sites.

14 (edited by Dexus 2005-04-03 17:26)

Re: Double Hashing Passwords

There were problems with something like
[b ][b ][/b ] or [code ][code ][/code ]

or cascaded BBCodes...
Or maybe variables entered in the URL string?
Well, phpBB was hacked through the URL string (path and variables).

Re: Double Hashing Passwords

Huh? I think you're going slightly off topic here.

Re: Double Hashing Passwords

Double hashing takes far more than two times the time to brute force, because instead of being able to do a dictionary-based hack, you have to find a string of letters and numbers. If the original password was forums, it would be encrypted to 68daf8bdc8755fe8f4859024b3054fb8 the first time. That could be broken in about 5 seconds using a dictionary brute force. But if you run 68daf8bdc8755fe8f4859024b3054fb8 through md5 again, it gives you 471b357e0fdd976f770343b94a1e012c. The effective time it would take to brute force that would be somewhat longer than your lifetime. Random salt hashing would work well, too, but after you get one pass, wouldn't you have the salt for all the other passwords?

Re: Double Hashing Passwords

No, because to brute-force a double-hashed password you simply go through a dictionary and do md5(md5(word)). The only way it would work is if no one knew it was double hashed.

Re: Double Hashing Passwords

Well, a random salt algorithm will also need a sort of migration module...
And a boolean field in the "users" table showing that the password is random-salt hashed, with the password hash check using that field.
And all "change password" and "register new user" code has to use random-salt hashing.
Anyway, you'll be unable to "rehash" all users' password hashes to new ones.
So this task can be resolved only on a clean database OR when a password migration scheme is in place.

I wonder, why is the maximum password length 16? Why not 32? :)
Also, is there any "restore forgotten password" possible? I think not. So, what about it? :)

Re: Double Hashing Passwords

Also, is there any "restore forgotten password" possible? I think not. So, what about it?

Huh? There's a forgotten password link to send you a new password.

Re: Double Hashing Passwords

Connorhd wrote:

Also, is there any "restore forgotten password" possible? I think not. So, what about it?

Huh? There's a forgotten password link to send you a new password.

Oh, I see that, but it generates a new password; it doesn't actually restore it.
Related to the topic: there must be a "forced" password change for every user, to migrate to the new hash generation algorithm.

Re: Double Hashing Passwords

What do you mean, restores? How can it restore the password if the user has forgotten it?

As for migrating to the new algorithm, can't it use the same system PunBB uses to migrate to SHA1?
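One way to do the migration debated in this thread without a forced password change, as an added example (not PunBB's code and not from any poster): each account is re-hashed at its next successful login, when the plaintext is available. It assumes PHP 7 or later with `password_hash()`, which generates a random salt per password, and a hypothetical in-memory `$users` array in place of the users table; the stored hash format itself marks which scheme a row uses, so no extra boolean column is needed.

```php
<?php
// Added example, not PunBB code. $users stands in for the users table;
// the array layout and function names are hypothetical.

function is_legacy_md5(string $stored): bool
{
    // Legacy rows hold a bare 32-character hex MD5 digest.
    return preg_match('/\A[0-9a-f]{32}\z/', $stored) === 1;
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['password'];

    if (is_legacy_md5($stored)) {
        // Old scheme: constant-time comparison against md5(password).
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // The plaintext is only available at this moment, so re-hash now.
        $users[$name]['password'] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Upgrade again whenever the default algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name]['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample row stored under the old unsalted scheme.
$users = ['alice' => ['password' => md5('correct horse')]];

var_dump(login($users, 'alice', 'wrong guess'));       // failed login, row untouched
var_dump(login($users, 'alice', 'correct horse'));     // legacy match, row re-hashed
var_dump(is_legacy_md5($users['alice']['password']));  // row format after the upgrade
var_dump(login($users, 'alice', 'correct horse'));     // verified by password_verify()
```

Accounts that never log in again keep their legacy hash, so a deployment still has to decide how long to accept those rows.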

Re: Double Hashing Passwords

sfackler wrote:

Random salt hashing would work well, too, but after you get one pass, wouldn't you have the salt for all the other passwords?

Well, if you check the article Rickard pointed to, you'll find these words that describe the essence of the random salt ;)

Dictionary attacks with pre-generated lists of hashes will be useless for the same reason - the attacker will now have to recalculate their entire dictionary for every individual account they're attempting to crack.

So even though they would know the random hash, it doesn't matter: you've added an N to the calculation, so instead of 1 dictionary for 100 users they would need 100 dictionaries (1 dict * 100 users) for the attack, and that is assuming they have access to your DB and know your random salt string.
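The "1 dict * 100 users" arithmetic above, together with the md5(md5(word)) point made earlier in the thread, as an added example (not from the thread or PunBB): it counts how many md5() calls it takes to check one wordlist against every stored hash under each scheme. The accounts, salts, wordlist and the `audit_cost()` helper are all constructed for illustration, and md5 appears only because it is the scheme the thread compares.

```php
<?php
// Added example, not PunBB code. Users, salts and wordlist are constructed.
// Counts the md5() calls needed to test one wordlist against every stored hash.

function audit_cost(array $rows, array $wordlist, string $scheme): array
{
    $calls = 0;
    $matched = 0;
    if ($scheme === 'salted') {
        // Each row has its own salt, so no hash can be reused across rows.
        foreach ($rows as $row) {
            foreach ($wordlist as $word) {
                $calls++;
                if (hash_equals($row['hash'], md5($row['salt'] . $word))) {
                    $matched++;
                    break;
                }
            }
        }
        return ['matched' => $matched, 'md5_calls' => $calls];
    }
    // Unsalted: hash the wordlist once and reuse the table for all rows.
    $table = [];
    foreach ($wordlist as $word) {
        $hash = md5($word);
        $calls++;
        if ($scheme === 'double') {
            $hash = md5($hash);
            $calls++;
        }
        $table[$hash] = true;
    }
    foreach ($rows as $row) {
        $matched += isset($table[$row['hash']]) ? 1 : 0;
    }
    return ['matched' => $matched, 'md5_calls' => $calls];
}

// 100 constructed accounts whose passwords are not in the 1000-word list.
$wordlist = array_map(fn($i) => "word$i", range(1, 1000));
$single = $double = $salted = [];
foreach (range(1, 100) as $id) {
    $pw = "not-listed-$id";
    $salt = bin2hex(random_bytes(8));
    $single[] = ['hash' => md5($pw)];
    $double[] = ['hash' => md5(md5($pw))];
    $salted[] = ['hash' => md5($salt . $pw), 'salt' => $salt];
}
foreach (['single' => $single, 'double' => $double, 'salted' => $salted] as $scheme => $rows) {
    printf("%-6s %d md5 calls\n", $scheme, audit_cost($rows, $wordlist, $scheme)['md5_calls']);
}
```

With this data the unsalted schemes cost 1,000 and 2,000 calls regardless of the number of accounts, while the per-user salt costs 100 × 1,000 = 100,000.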

Re: Double Hashing Passwords

Doing an md5(md5()) actually reduces security because it increases the number of collisions. As alternatively suggested, salting the password works much better. One method to use is md5("unique_site_code" . $member_id . $password . $username);. Something like that would be much harder to brute-force, assuming they have DB access.

Re: Double Hashing Passwords

It will make sense if this "unique_site_code" isn't stored in the DB.
And $member_id in the hash will make membership unchangeable.
Maybe you mean $user_id?

Re: Double Hashing Passwords

And $member_id in the hash will make membership unchangeable.
Maybe you mean $user_id?

What's the difference between member_id and user_id?