Too quiet!

The Sandman

Administrator
Joined
Jan 1, 2004
Messages
29,140
This Forum is too quiet! No questions, comments, or concerns regarding security for us to discuss? Does anyone who understands the terms "salt" and "hash" want to give us a quick lesson in the password security measures built in to vBulletin 3?
 

floris

Habitué
Joined
Jan 17, 2004
Messages
1,342
I am sorry :)

My real life changed quite a bit and I have to focus on a project now. When I have time (like now) I will come and post.
 

Kathy

Tazmanian Veteran
Joined
Jan 1, 2004
Messages
9,030
:yup:

Well....what do I know about salt and mash?

I put salt on my potatoes that I mash.

Does that work?

Ohhhh....you mean hash.......<gulp> I dunno. :bonk:

Can you tell I don't do the security on my server/site? I leave that to the experts....
 

jilly

Fan
Joined
Jan 14, 2004
Messages
929
what are they?

never heard of salt or hash either - except for hash marks - aren't they //// = those things?
 

Wayne Luke

Tazmanian
Joined
Jan 6, 2004
Messages
5,791
A hash mark is '#' but that isn't related.

A hash is a representation of the data. In the case of Bulletin Boards, it is a representation of the password. The resulting hash does not contain the original data and therefore it is not encryption nor is it possible to decipher what the original data was. In the case of vBulletin, they use an algorithm called MD5 to create these hashes. Regardless of the original length of the data MD5 will return a 32 character hash. It doesn't matter if the data contains a 10 character password or is a 15 megabyte file, the hash will be 32 characters long. Let's look at some examples:
The above paragraphs hash is 305bcab389533741897343b215874626.
apple = 1f3870be274f6c49b3e31a0c6728957f
banana = 72b302bf297a228a75730123efef7c41

The only way to break a MD5 hash is by a sequential dictionary brute force attack. Unfortunately, this is not like a normal dictionary attack. It will go sequentially through all printable characters in the ANSI character set making up "words" from 1 to about 60 characters in length. This however takes a long time because there 3.1217485503159922313815972297932e+144 possibilities in a 60 character passphrase. And yes, that is a really large number.

The hash mechanism always returns the same results when fed with the same data. For this reason, you can compare hashes with known results and get the password as well. Doing a binary bubble sort is a lot faster than a brute force attack and is also a preferred method of many crackers. In order to get around this, most system will double hash the data to make it less recognizable. In other words they hash the hash. However whatever the board system can do, the crackers can do as well. In order to make the hash truly unique you have to add random data before hashing. This is where the salt comes in.

The salt is a random string of information introduced at the point of hashing data. In vBulletin, this is used to increase the chances that using the same password across multiple forums will result in different hashes. I say "increases" instead of guarantee because it is theoretically possible to have the same salt on two systems. Not likely but possible. By introducing a salt there is a seeming randomness to the resulting hashes that will foil most sequential dictionary attacks. In fact the way vBulletin does it would make these kinds of attacks virtually impossible unless the perpetrator already had access to the database. vBulletin still does double hashing but with a twist...

It hashes the password then adds the salt and hashes that result. Of course there are ways to increase password security on community forums. These range from enforcing password protocols to introducing a system level passphrase based salt and double salting the password before hashing it. If you have a new system you could also change the hashing methodology and use something like SHA1 which produces a longer hash over MD5.
 
  • Thread starter
  • Admin
  • #6

The Sandman

Administrator
Joined
Jan 1, 2004
Messages
29,140
Ahh... I'll probably re-read it once or twice but it is starting to make sense to me. Thanks Wayne. It seems to me that most security breeches must occur due to someone knowing someone else's password, having database access, use of very poorly chosen passwords, or stuff like that. Actually hacking a proper password sounds like a lot of work...
 
Top