Web Hosting Talk : Web Hosting Main Forums : Programming Discussion : Stored Passwords

[techwebhosting]

What type of encryption, does vbulliten store its passwords in?

Is it something like MD5, or what I am confused, and I have always just wondered.


EDIT: Never Mind I have figured it out

[Xeentech]

I'd be willing to bet its MD5. I remeber it wasn't hard at all intergrating a secure login for a tool I made for a client with vbulliten so it must be something avalaible in Perl, and not many people use crypt() these days.

One way to test would be to MD5 your own password and see if it matches your db stored in the db. Remeber not to enter a carage return if you use the command line tool.

[ricocheting]

vB uses a randomly generated 3 char salt associated with each user and uses md5 on that + the password to store.

PHP Code:

$users_salt = "B]a";
$password = "secret";

$store = md5($users_salt.$password); 


using salt makes it harder for someone to simply search for a user with a md5 password stored as "5ebe2294ecd0e0f08eab7690d2a6ee69" (the md5 for "secret"). doesn't stop anyone determined, but easy thing that adds another layer to help with security.

[NyteOwl]

Most software doesn;t store the password itself, but a one-way hash value of the password. MD5 , though not secure is a likely candidate.

[Czaries]

Actually... 'salt' is added to hashed passwords in order to make them stronger passwords to prevent brute force decryption methods. Too many people use nothing but common dictionary words in their passwords, and that makes them easy to guess using programs that just check the hash against every word in the dictionary until a match is found (brute force attack). Adding salt with 3 random characters makes the password much stronger, and 99% of the time can prevent an attack like this.