Offline Pete Svarrior

  • e
  • Planar Moderator
  • *****
  • Posts: 8736
  • (◕‿◕✿)
    • View Profile
    • The Flat Earth Society
Fixing the forum's password hashing
« on: February 02, 2019, 01:10:36 PM »
Hi all,

This post is mostly here to serve as a slightly more detailed explanation for an Announcement I'll be writing momentarily, but I guess there's an off chance one or two of you will find it interesting. In short, I'm here to explain why we should care about password security on TFES (and everywhere else), and what steps we took to make this place a little bit more secure.

As some of you may have heard, a very large database (commonly referred to as Collection #1 or Collection 1) of email addresses and associated password hashes from all over the Internet has recently been leaked on several hacker forums. It's not an entirely uncommon occurrence, but the magnitude and scope of this particular collection makes it notable. Rumour has it that more leaks are to follow. Troy Hunt, the guy behind Have I Been Pwned, has covered this in quite some detail here.

Password hashes are what most reasonable websites will store in their database to allow users to log in. It's not the user's actual password, but rather the result of passing the password through a mathematical function that's very difficult to reverse. If you hash the same password in the same ways on two occasions, you should receive the same output. The benefits of that approach are numerous, but most importantly:
  • The website (and its owners) don't know what your password actually is (this is also why you generally can't get a password reminder online - merely a password reset).
  • If the website gets hacked and the attacker steals the database, they don't get a list of passwords, but rather something that should be much more difficult to handle.


As computers become better and faster, figuring out hashes of common passwords becomes easier. For example, a function called MD5 was once the standard for password storage, but is nowadays considered very insecure, because (among other reasons), you can simply keep generating MD5 hashes of potential passwords until you find the one that matches, and you can do so quickly. In essence, it's an arms race - computers become faster, so we need mathematical functions that take longer to compute.

So where does TFES fit in all this?

The forum software we're using, SMF, is currently using SHA1 hashing of passwords (with a sloppy attempt at salting). It's a dated function that's not been recommended for quite some time, and it doesn't look like SMF are currently thinking about transitioning to anything else. If our database was accessed by an attacker, some of our users' passwords could be easy pickings.

Big deal. What are they gonna do, log in to TFES and write a mean post?

It's important to remember that some (Many. You know who you are.) people use the same password on multiple services. That's what attackers are usually after. Find a place that's easy to attack, figure out people's passwords from there, and then try those same passwords elsewhere. We don't ever want to be the first stage of such an attack, so we're taking the possibility seriously.

Okay, Pete, I am convinced by your vast knowledge. So what are you doing about this problem?

We rewrote most of SMF's password hashing to use the current PHP default - bcrypt. Furthermore, we altered the code so that if the current standards change in the future, your password will be rehashed on first login, keeping the arms race going without anyone lifting a finger. As always, you can review the changes yourself on our GitHub repo.

So, what do I need to do?

Log out and log in. Or change your password. Either of these actions will purge your old password hash and replace it with a newer, better, sexier one.

Well, that's it for now! If you have any questions, technical or not, feel free to give me a shout.
Read the FAQ before asking your question - chances are we've already addressed it.
Follow the Flat Earth Society on Facebook and Twitter!

*mic stays stationary and earth accelerates upwards towards it*

Re: Fixing the forum's password hashing
« Reply #1 on: February 02, 2019, 09:51:23 PM »
I have the new sexy one. I don't feel any sexier. This is a scam.
Rate this post.      👍 6     👎 1

Re: Fixing the forum's password hashing
« Reply #2 on: February 02, 2019, 10:17:42 PM »
Try telling women "I practice safe hashing."


Offline TheLordBarst

  • *
  • Posts: 706
  • Pls no ban
    • View Profile
Re: Fixing the forum's password hashing
« Reply #3 on: February 04, 2019, 04:11:49 PM »
Thanks for making me sexier, Pete! :-*