The Flat Earth Society

Other Discussion Boards => Technology & Information => Topic started by: Pete Svarrior on February 02, 2019, 01:10:36 PM

Title: Fixing the forum's password hashing
Post by: Pete Svarrior on February 02, 2019, 01:10:36 PM
Hi all,

This post is mostly here to serve as a slightly more detailed explanation for an Announcement I'll be writing momentarily, but I guess there's an off chance one or two of you will find it interesting. In short, I'm here to explain why we should care about password security on TFES (and everywhere else), and what steps we took to make this place a little bit more secure.

As some of you may have heard, a very large database (commonly referred to as Collection #1 or Collection 1) of email addresses and associated password hashes from all over the Internet has recently been leaked on several hacker forums. It's not an entirely uncommon occurrence, but the magnitude and scope of this particular collection makes it notable. Rumour has it that more leaks are to follow. Troy Hunt, the guy behind Have I Been Pwned (https://haveibeenpwned.com/), has covered this in quite some detail here (https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/).

Password hashes are what most reasonable websites will store in their database to allow users to log in. It's not the user's actual password, but rather the result of passing the password through a mathematical function that's very difficult to reverse. If you hash the same password in the same ways on two occasions, you should receive the same output. The benefits of that approach are numerous, but most importantly:

Should.

As computers become better and faster, figuring out hashes of common passwords becomes easier. For example, a function called MD5 (https://en.wikipedia.org/wiki/MD5) was once the standard for password storage, but is nowadays considered very insecure, because (among other reasons), you can simply keep generating MD5 hashes of potential passwords until you find the one that matches, and you can do so quickly. In essence, it's an arms race - computers become faster, so we need mathematical functions that take longer to compute.

So where does TFES fit in all this?

The forum software we're using, SMF, is currently using SHA1 (https://en.wikipedia.org/wiki/SHA-1) hashing of passwords (with a sloppy attempt at salting (https://en.wikipedia.org/wiki/Salt_(cryptography))). It's a dated function that's not been recommended for quite some time, and it doesn't look like SMF are currently thinking about transitioning to anything else. If our database was accessed by an attacker, some of our users' passwords could be easy pickings.

Big deal. What are they gonna do, log in to TFES and write a mean post?

It's important to remember that some (Many. You know who you are.) people use the same password on multiple services. That's what attackers are usually after. Find a place that's easy to attack, figure out people's passwords from there, and then try those same passwords elsewhere. We don't ever want to be the first stage of such an attack, so we're taking the possibility seriously.

Okay, Pete, I am convinced by your vast knowledge. So what are you doing about this problem?

We rewrote most of SMF's password hashing to use the current PHP default - bcrypt (https://en.wikipedia.org/wiki/Bcrypt). Furthermore, we altered the code so that if the current standards change in the future, your password will be rehashed on first login, keeping the arms race going without anyone lifting a finger. As always, you can review the changes yourself on our GitHub repo (https://github.com/TheFlatEarthSociety/forum.tfes.org/pull/1).

So, what do I need to do?

Log out and log in. Or change your password. Either of these actions will purge your old password hash and replace it with a newer, better, sexier one.

Well, that's it for now! If you have any questions, technical or not, feel free to give me a shout.
Title: Re: Fixing the forum's password hashing
Post by: Dr David Thork on February 02, 2019, 09:51:23 PM
I have the new sexy one. I don't feel any sexier. This is a scam.
Title: Re: Fixing the forum's password hashing
Post by: Lord Dave on February 02, 2019, 10:17:42 PM
Try telling women "I practice safe hashing."
Title: Re: Fixing the forum's password hashing
Post by: Cain on February 04, 2019, 04:11:49 PM
Thanks for making me sexier, Pete! :-*
Title: Re: Fixing the forum's password hashing
Post by: Mcmanama on May 28, 2019, 08:25:35 AM
Thanks for this.... ;D