This is a 'howto' for using bcrypt for your password hashes instead of the default vBulletin scheme (salted MD5, as you can see in the code below), which is so fast to compute that a leaked user table can be brute-forced offline cheaply. Note that hashes already in the database were produced by the old scheme and will no longer match once these changes are in place, so existing users will have to reset their passwords.
More information about BCrypt can be found here: http://codahale.com/how-to-safely-store-a-password/ - http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/
tl;dr: if you want to be moar secure, use bcrypt.
" How much slower is bcrypt than, say, MD5? Depends on the work factor. Using a work factor of 12, bcrypt hashes the password yaaa in about 0.3 seconds on my laptop. MD5, on the other hand, takes less than a microsecond."
BEFORE YOU DO THIS, please create a .php file with the following in it and open it in your browser, to confirm that PHP's crypt() supports bcrypt (CRYPT_BLOWFISH) on your server:
Code:
<?php
// Checks whether PHP's crypt() has the Blowfish (bcrypt) algorithm available.
// PHP 5.3.0 and newer ship their own implementation, so this is always true there;
// on older PHP it depends on the crypt() library of the operating system.
if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
	echo "CRYPT_BLOWFISH is enabled!";
}
else {
	echo "CRYPT_BLOWFISH is not available";
}
If it is not available, please contact your host (bcrypt support in crypt() is built into PHP 5.3.0 and newer). Do not apply the changes below without it: crypt() would return a short error string instead of a hash, and wrapping that in md5() would give every account the same stored value.
/includes/functions.php
Add this at the end of the file, just before the footer comment block.
Code:
/**
White-Hat work by http://www.internot.info/
More information regarding BCrypt: http://codahale.com/how-to-safely-store-a-password/
http://www.vbulletin.org/forum/showthread.php?p=2369367#post2369367
**/
function hash_password_bcrypt($password, $salt) {
	$cost = 15; // bcrypt work factor, must be in range 04 - 31; every step up doubles the time of each login and registration
	// crypt() expects a bcrypt salt of exactly 22 characters from "./0-9A-Za-z". vBulletin's salt is short
	// and may contain other characters, so it is md5ed (32 hex characters, all in that alphabet) and the
	// first 22 are used. Everything passed in as $password is already an md5 hex string, so the 8-bit
	// character bug of "$2a$" (fixed by "$2y$" in PHP 5.3.7) cannot be triggered here.
	$hash = crypt($password, '$2a$' . sprintf('%02d', $cost) . '$' . substr(md5($salt), 0, 22));
	// crypt() signals failure with a short string such as "*0" instead of a 60-character hash. Never
	// md5() that, or every account would end up with the same stored value and any password would log in.
	if (strlen($hash) != 60) {
		trigger_error('bcrypt (CRYPT_BLOWFISH) is not available in crypt()', E_USER_ERROR);
	}
	// The bcrypt result is md5ed again so the stored value stays 32 characters, the width of user.password
	return md5($hash);
}
includes/class_dm_user.php
Now find this (the check that rejects a password identical to the username):
Code:
if ($password == md5(md5($this->fetch_field('username')) . $salt))
and replace it with this:
Code:
if ($password == md5(hash_password_bcrypt(md5(md5($this->fetch_field('username')) . $salt), $salt)))
Then, in the same file, replace this (the line that produces the value stored in the password column):
Code:
return md5($password . $salt);
with this:
Code:
return md5(hash_password_bcrypt(md5($password . $salt), $salt));
includes/functions_login.php
Find these three comparisons (plaintext password, the client-side md5 of the password, and the UTF-8 md5 variant; login fails only when all three differ from the stored hash):
Code:
$vbulletin->userinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $vbulletin->userinfo['salt']), '') AND
$vbulletin->userinfo['password'] != iif($md5password, md5($md5password . $vbulletin->userinfo['salt']), '') AND
$vbulletin->userinfo['password'] != iif($md5password_utf, md5($md5password_utf . $vbulletin->userinfo['salt']), '')
And replace it with this:
Code:
$vbulletin->userinfo['password'] != iif($password AND !$md5password, md5(hash_password_bcrypt(md5(md5($password) . $vbulletin->userinfo['salt']), $vbulletin->userinfo['salt'])), '') AND
$vbulletin->userinfo['password'] != iif($md5password, md5(hash_password_bcrypt(md5($md5password . $vbulletin->userinfo['salt']), $vbulletin->userinfo['salt'])), '') AND
$vbulletin->userinfo['password'] != iif($md5password_utf, md5(hash_password_bcrypt(md5($md5password_utf . $vbulletin->userinfo['salt']), $vbulletin->userinfo['salt'])), '')
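As an added example (not part of the original modification or of vBulletin's code), here is a stand-alone script that reproduces the modified scheme outside the forum, so you can check the login paths, the migration behaviour and the cost factor before touching a live install. It assumes hash_password_bcrypt() as given above, replaces the vBulletin calls with plain functions (vb_store_password, vb_login_ok and vb_legacy_store are names chosen here), and uses a constructed salt and password.

```php
<?php
// Added example, not vBulletin code: reproduces the modified password scheme stand-alone.
// Assumptions: hash_password_bcrypt() is the function from the howto; the vBulletin
// calls are replaced by plain functions and variables; salt and password are constructed.

function hash_password_bcrypt($password, $salt) {
    $cost = 15;
    $hash = crypt($password, '$2a$' . sprintf('%02d', $cost) . '$' . substr(md5($salt), 0, 22));
    if (strlen($hash) != 60) {            // crypt() returns "*0" when bcrypt is unavailable
        throw new RuntimeException('CRYPT_BLOWFISH is not available in crypt()');
    }
    return md5($hash);
}

// Value written to the password column by the modified class_dm_user.php.
// $md5password is md5() of the plaintext, which the login/register forms compute in JavaScript.
function vb_store_password($md5password, $salt) {
    return md5(hash_password_bcrypt(md5($md5password . $salt), $salt));
}

// The three comparisons from the modified functions_login.php, one per submission type.
// Login succeeds when any of them equals the stored value.
function vb_login_ok($stored, $salt, $password = '', $md5password = '', $md5password_utf = '') {
    $plain = ($password != '' && $md5password == '')
        ? md5(hash_password_bcrypt(md5(md5($password) . $salt), $salt)) : '';
    $pre   = ($md5password != '')
        ? md5(hash_password_bcrypt(md5($md5password . $salt), $salt)) : '';
    $utf   = ($md5password_utf != '')
        ? md5(hash_password_bcrypt(md5($md5password_utf . $salt), $salt)) : '';
    // strict comparison, so PHP's loose numeric-string rules cannot apply to the hex strings
    return $stored === $plain || $stored === $pre || $stored === $utf;
}

// The unmodified vBulletin scheme, i.e. what every row written before the change holds.
function vb_legacy_store($md5password, $salt) {
    return md5($md5password . $salt);
}

$salt     = 'x2K';              // constructed sample; vBulletin generates a short random salt
$password = 'correct horse';    // constructed sample

$stored = vb_store_password(md5($password), $salt);

printf("plaintext login, right password:   %s\n", vb_login_ok($stored, $salt, $password) ? 'accepted' : 'rejected');
printf("md5password login, right password: %s\n", vb_login_ok($stored, $salt, '', md5($password)) ? 'accepted' : 'rejected');
printf("plaintext login, wrong password:   %s\n", vb_login_ok($stored, $salt, 'wrong') ? 'accepted' : 'rejected');

// Migration: a row written by the unmodified code never equals the new computation,
// so users whose hash predates the change have to reset their password.
$legacy = vb_legacy_store(md5($password), $salt);
printf("legacy row still logs in:          %s\n", vb_login_ok($legacy, $salt, $password) ? 'yes' : 'no');

// Cost: each increment of $cost doubles the time of every login and registration.
$t = microtime(true);
hash_password_bcrypt(md5('timing'), $salt);
printf("one bcrypt at cost 15 took %.2fs\n", microtime(true) - $t);
```

Run it with `php` from the command line. The first two logins are accepted and the wrong password is rejected, while the row produced by the legacy scheme is not accepted, which is the reset-your-password situation described at the top. The timing line tells you what cost 15 means on your own hardware: it should be several times the 0.3 seconds quoted above for cost 12, since each step doubles the work, and if that is more than your logins can afford, lower $cost in hash_password_bcrypt before deploying rather than after, because the cost is baked into every stored hash.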
Please click 'Installed'; it will be much appreciated.
If any support is needed, please post. I will only support people who have clicked installed.