Bad MD5 password hash practice

I have some experience in phpBB and Wordpress integration and modification, done it for a few years professionally. Therefore, I know something about hacks and data protection.



Today I was moving users from MivaMerchant database to CS-Cart and I found something I don’t agree with based on my experience with phpBB.



I do not agree with vanilla MD5 password encoding.



As you know, phpBB is the most popular free and open source forum. There are countless boards all across the internet based on their package. With popularity comes notoriety, that is, script kiddies and hacks.



Most hacks for phpBB are after the user database records. Before version 3, phpBB was lax on its security for user passwords. It also encoded them with a simple MD5() hash.



While it might seem that the hash is secure… it is not. In fact, what CS-Cart does to passwords is a VERY POPULAR method, and also a very notorious one.



There are pre-calculated hash libraries that will give you the TEXT of the password based on the MD5 hash. That is right, for a few years script kiddies were able to grab user info through some security holes and restore passwords. There are forums for phpBB where hackers help other hackers break MD5 hashes. There are tools and libraries for this and they work very well.



Human nature is predictable and there is a good percentage of users who use the same password for their email or PayPal account (or other popular sites like Facebook, etc.).



Once a hacker has access to your email account he can reset passwords pretty much for any account that is associated with that email.



The phpBB version 3 now has a LONG multistage “salt” to make MD5 hash harder to break.



Example:



md5($password . $email . 'custom_salt_key_with_good_amount_of_characters')



This is secure.



MD5 with a LONG string is much, much harder to break and something like 100 chars plus is not feasible.



My point is, user password hash should be salted with a long string that is different for every store and random enough.



At least if the store is hacked (or an employee leaks, steals the info), the customers are more protected.



And the code modification is so simple…

Nice post. A++

I agree with this, it's very simple to add into CS-Cart.

[quote name='indy0077']Nice post. A++[/quote]


[quote name='jynxy']I agree with this, it's very simple to add into CS-Cart.[/quote]



But… I love my rainbow tables!

Sure, salting would work; I suggest having the ability to change the salt from time to time, however.

I thought they used our custom encryption key that we entered during installation to salt passwords and sensitive data. I never did look at the encryption for the passwords but I think I’ll go look it over now.

Since we will be performing Joomla VirtueMart to CS-Cart migrations, I was wondering if you know what code in CS-Cart would need to be modified to add password salting?



This way we could modify a few lines of code, copy the users over from Joomla so that users can login and see previous orders.
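The following Python script is an added illustration for this thread and is not code from CS-Cart, phpBB, Joomla or any poster here. It works through the two points raised above: first, why a vanilla MD5 hash is identical for every customer (and every store) that picked the same password, which is exactly what lets a precalculated hash library hand back the plaintext; second, the shape of a login routine for migrated users that accepts a record's legacy hash once and, on a successful login, replaces it with a per-user random salt and a slow key derivation (PBKDF2-HMAC-SHA256). The first post's MD5($password.$email.$store_key) scheme is reproduced as `legacy_salted_md5`. The store key, e-mail addresses, passwords and the `hash_scheme`/`password_hash` record layout are constructed for the demo, and `verify_and_upgrade` is a hypothetical function rather than an API of either cart.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo values: a stand-in for the per-store secret the first post proposes.
# In a real deployment this comes from configuration, never from source code.
STORE_KEY = "example-store-key-change-per-store"
PBKDF2_ITERATIONS = 600_000


def vanilla_md5(password: str) -> str:
    """Unsalted MD5: the same password yields the same hash for every user and store."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def legacy_salted_md5(password: str, email: str, store_key: str = STORE_KEY) -> str:
    """The md5($password . $email . $store_key) scheme described in the first post."""
    return hashlib.md5((password + email + store_key).encode("utf-8")).hexdigest()


def same_password_two_users(password: str = "password") -> tuple:
    """Two customers who chose the same password: are their stored hashes identical?
    Returns (identical under vanilla MD5, identical under the salted scheme)."""
    emails = ("alice@example.com", "bob@example.com")  # constructed
    vanilla = {vanilla_md5(password) for _ in emails}
    salted = {legacy_salted_md5(password, email) for email in emails}
    return len(vanilla) == 1, len(salted) == 1


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Random per-user salt plus a slow KDF, stored as 'pbkdf2$<iters>$<salt hex>$<hash hex>'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def verify_and_upgrade(user: dict, password: str) -> bool:
    """Login check for a migrated user record (hypothetical schema):
    {'email', 'hash_scheme' in {'md5', 'md5_salted', 'pbkdf2'}, 'password_hash'}.
    A legacy hash is accepted once; on success it is replaced by a PBKDF2 hash,
    so the database sheds its cheap MD5 hashes as customers log in."""
    scheme = user.get("hash_scheme")
    stored = user.get("password_hash", "")
    if scheme == "pbkdf2":
        return verify_pbkdf2(password, stored)
    if scheme == "md5":
        ok = hmac.compare_digest(vanilla_md5(password), stored)
    elif scheme == "md5_salted":
        ok = hmac.compare_digest(legacy_salted_md5(password, user["email"]), stored)
    else:
        return False  # unknown legacy format: refuse rather than guess
    if ok:
        user["password_hash"] = pbkdf2_hash(password)
        user["hash_scheme"] = "pbkdf2"
    return ok


if __name__ == "__main__":
    print("vanilla identical / salted identical:", same_password_two_users())
    migrated = {"email": "alice@example.com", "hash_scheme": "md5",
                "password_hash": vanilla_md5("correct horse")}  # constructed record
    print("first login (legacy hash):", verify_and_upgrade(migrated, "correct horse"))
    print("stored now:", migrated["password_hash"][:32] + "...")
    print("second login (upgraded hash):", verify_and_upgrade(migrated, "correct horse"))
    print("wrong password:", verify_and_upgrade(migrated, "wrong"))
```

Two design notes. The verify-then-rehash step is what makes a migration workable without forcing a password reset: the imported hash is only ever compared, never decrypted, and it is gone from the record after the first successful login. And the store key on its own does not remove the problem the first post describes: MD5 is fast by design, so a leaked table of salted MD5 hashes is still cheap to attack one user at a time, which is why the upgraded format adds a random per-user salt and a deliberately slow derivation with a stored iteration count that can be raised later.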

Maybe this should be added to the UserVoice thingy. I would vote for it.