Bad password security for users (unsalted MD5 hashes)


Joined: 03 Feb 2009
Posts: 114

Posted: Thu May 29, 2014 3:30 am
So I went to my "Forum settings" and saw a "Check password strength" link. Out of curiosity, I pressed it, and was met with the following message:

"If Google has results for [unsalted MD5 hash] it means your password is not secure."

...Which would indicate that ANN has passwords stored as unsalted MD5 hashes in its user database. This is ridiculously insecure! Some relevant reading: 2012/06/our-password-hashing-has-no-clothes.html And this is with salted SHA-1 hashes - unsalted MD5 hashes are even worse! It's not much above storing the passwords in plain text.

ANN should really be using some actual key derivation functions instead, like PBKDF2 or bcrypt or scrypt.

For all the users of this forum, if you use the same password on ANN as you do on other sites, I recommend changing your password immediately. If someone got their hands on ANN's user database (which is an unfortunately common incident these days), your password could be discovered with little to no effort whatsoever.
Chief Encyclopedist

Joined: 02 Jan 2002
Posts: 3401
Location: Montreal

Posted: Fri May 30, 2014 5:58 pm
Until recently passwords were stored as unsalted MD5 hashes, simply because that's how phpBB2 operates. Yes, I know, horrible. Of course if your password is highly secure (like 50 random characters that only your password manager can remember) then even with unsalted MD5 you have nothing to worry about, but few people have such passwords.

Thankfully since ANN 5.0 the passwords are hashed with bcrypt, which is as safe as it gets. I even downloaded a big rainbow table, "cracked" the vulnerable passwords and re-hashed them with bcrypt.

Except that... during the ANN 5.0 beta, there was a need for the two systems to be compatible, so if you changed your password with the new system, it also updated the old phpbb user table with the MD5 hash of the password. And I forgot to remove that temporary code once the beta was over. So thank you Daizo for catching that. I've fixed the situation, and removed the now redundant MD5 hashes from the DB.

That being said, I find that searching for the MD5 hash of the password on Google is still a good way to find if you're using a common password or not. So on the password change page there's still a link to compute the MD5 of the password you input and "check on Google". But of course the "Check password strength" link in the Forum settings is gone since the MD5 is not stored anymore.
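The two posts above describe the problem (unsalted MD5 is deterministic, so a digest can be looked up in a precomputed table) and the fix (re-hash with a salted, iterated KDF such as bcrypt, and remove the legacy digests). The following is an added example, not code from the thread, from ANN or from phpBB, showing both halves side by side plus the usual migration pattern: verify against whichever record format the account still has and, if it is legacy MD5, upgrade it at login while the plaintext is briefly available. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it; the `md5$…` / `pbkdf2_sha256$iter$salt$dk` record formats, the iteration count, and the tiny lookup table are assumptions of this example, not anything ANN uses.

```python
"""Added example: unsalted MD5 vs. a salted, iterated KDF, with a login-time
upgrade path for legacy records.  Not code from the forum thread, ANN or phpBB."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; tune to your hardware
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """The legacy phpBB2-style scheme: one fixed digest per password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a precomputed lookup table.  Because the digest is
# deterministic, any stored unsalted digest that appears here reveals the password.
COMMON_PASSWORDS = ["password", "123456", "qwerty"]
MD5_LOOKUP = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def legacy_digest_is_common(digest_hex: str) -> Optional[str]:
    """Return the password behind an unsalted MD5 digest if it is in the table."""
    return MD5_LOOKUP.get(digest_hex.lower())


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash.  Assumed record format: 'pbkdf2_sha256$iter$salt$dk'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(unsalted_md5(password), rest)
    if scheme == "pbkdf2_sha256":
        iterations_s, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations_s))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: never accept


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password; if it matched a legacy MD5 record, return a new
    PBKDF2 record so the caller can overwrite the old one.  The plaintext is
    only available at login, which is why the re-hash happens here."""
    ok = verify(password, stored)
    if ok and stored.startswith("md5$"):
        return True, pbkdf2_hash(password)
    return ok, stored


if __name__ == "__main__":
    legacy = "md5$" + unsalted_md5("password")
    print("legacy record:", legacy)
    print("recovered via lookup table:", legacy_digest_is_common(legacy[4:]))
    ok, upgraded = login_and_upgrade("password", legacy)
    print("login ok:", ok)
    print("upgraded record:", upgraded)
    print("same password, second hash differs:", pbkdf2_hash("password") != upgraded)
```

Once every row has been upgraded (or, as in the second post, cracked from a table and re-hashed), the `md5` branch of `verify` and the legacy column should be deleted, since a lingering MD5 digest is exactly what the first post found.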