Feature Requests

Secure Password Storage (User Accounts / Admin Accounts)

Gunter Grodotzki shared this idea 4 years ago
Completed

  • User Account Passwords are currently stored salted as MD5 hash in the Database (if enabled)
  • Admin Account Passwords are currently only stored as unsalted MD5 hash in the Database

I think it is not a secret with tools like http://hashcat.net/oclhashcat/ to dehash MD5 - even without Rainbow Tables - in a realistic timely manner.

Instead, PHP's own password hashing function should be used (which is currently bcrypt), let PHP do the random salt generation and use a cost of at least 14.

The Technical Analyst Lawrence seems to be defending himself against implementing such a simple security enhancement. A no-brainer really to make WHMCS more secure.

Best Answer

Hi,

Thanks for taking the time to provide your feedback and votes. I'm pleased to advise that as of version 5.3.9 both the Bcrypt and SHA256-HMAC algorithms and hashing routines are supported.

If the PHP version of the web server is 5.3.7 or greater, then Bcrypt will be used. Otherwise, if the web server is using a version of PHP that is less than 5.3.7, SHA256-HMAC will be used.

Comments (13)

1

Just about any encryption technique has a decryption software somewhere on the internet.

1

@Nathan Hilton: that statement is not fully correct.

  1. Password storage is usually done with "hashing", not with "encryption".
  2. Hashing is one-way. You cannot decrypt a hash back to the plaintext version.
  3. Yet there are ways (brute force / rainbow tables / also depends on the strength of your password) to recompute the hash with different values, not always giving you the plaintext back, but giving you a string that will generate the same hash.

But your statement, generally speaking, has truth in it:

  1. Password storage, just like any other security feature in software (like encryption), needs to be updated with current methods, especially in those cases where older methods have faults or are no longer current.
  2. MD5 is a very old method of hashing passwords. It is considered deprecated in favour of blowfish-crypt - there is no way one can still argue for using MD5 - no matter how much "salt" he puts in it.

So I'd be careful about saying "why upgrade our security when it will be hacked in X years again anyway" - instead let's get a mentality of "let's keep our security always upgraded to minimize attacks beforehand".

1

Why do you want bcrypt? This can easily be decrypted - would you like your WHMCS to be decrypted by hackers who may get into your database, get your clients' credit card?

1

I think it is a good idea to read something about bcrypt before you post something like you did.

First of all, bcrypt is also used for one-way hashing, same as MD5. Bcrypt is recommended worldwide by many security experts as a replacement for MD5. Why? Because it is safer and it is one-way HASHING.

Here you have a brute-force comparison chart. And look where bcrypt is...

http://stricture-group.com/files/brutalis_benchmarks.pdf

PS what kind of person are you? You have your clients' credit cards stored in the WHMCS database :D you are crazy! Sorry but :D :D :D

1

I'm not talking about brute force - I'm on about decryption. It is 10x easier to decrypt bcrypt than it is MD5.

1

ONEWAY == NO DECRYPTION

MD5 and Bcrypt, Scrypt == ONE WAY HASHING not CRYPTING

Learn the difference between encryption and hashing

1

I know the difference as I've been doing development for 10+ years - I still don't see the reason you'd rather have Bcrypt rather than a built-in feature for MySQL Databases - Both use the same method, one is just more recognized & safer than the other.

1

Clearly you don't know the difference well enough!

It has been proven that MD5 is a weak algorithm because collisions are too common. Brute-forcing it can be done relatively fast because it's an algorithm that's been specifically designed to be light-weight and memory conserving.

Bcrypt is a lot safer because it keeps up with Moore's law by implementing a cost. This cost makes hashing slower and it is also incorporated in the final result. This means that hackers must also use the same cost (and thus slowness) when brute-forcing, which makes it a lot more time-consuming to do so.

Also, you mentioned in your comment above that it's easier to decrypt Bcrypt than it is with MD5. Both are hashing algorithms and not encryption algorithms, and they're specifically designed to not ever be decrypted, by anyone!

I believe this is a good article related to the issue (Yeah, they knew about MD5's weaknesses back in 2011)

1

I'm also in favor of bcrypt. For hashing of course. You should never store passwords encrypted. Salted and hashed and bcrypt makes it harder to compute your dumped database for an attacker. Here is a good read:

https://www.bentasker.co.uk/blog/security/201-why-you-should-be-asking-how-your-passwords-are-stored

1

Hi,

Thanks for taking the time to provide your feedback and votes. I'm pleased to advise that as of version 5.3.9 both the Bcrypt and SHA256-HMAC algorithms and hashing routines are supported.

If the PHP version of the web server is 5.3.7 or greater, then Bcrypt will be used. Otherwise, if the web server is using a version of PHP that is less than 5.3.7, SHA256-HMAC will be used.

1

How will this work for upgrades? I want all passwords to use bcrypt so I assume there is a conversion process to be done, maybe next time the user changes his password or by forcing a password reset on accounts?

1

I'm curious about this as well. Once you are using a version of PHP that supports it, will all relevant passwords be rehashed using bcrypt?

1

Because the password is stored as a hash, we can't auto convert. Instead the password is rehashed with the strongest password hashing available on each login.
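
The rehash-on-login approach described in this thread, sketched as an added example (not WHMCS code and not part of any comment above). It assumes the legacy record is the unsalted MD5 hex digest mentioned in the request; the function name, the `$db` array and the sample password are hypothetical.

```php
<?php
// Added example: constructed data and hypothetical names, not WHMCS code.
const BCRYPT_OPTIONS = ['cost' => 14]; // cost suggested in the original request

/**
 * Verify a login against a stored hash and upgrade it when needed.
 * Returns [bool $ok, string|null $newHash]; $newHash is non-null when
 * the caller should overwrite the stored value.
 */
function verify_and_upgrade(string $password, string $stored): array
{
    // Legacy record: 32 hex characters, i.e. an unsalted MD5 digest.
    if (preg_match('/\A[0-9a-f]{32}\z/i', $stored) === 1) {
        // hash_equals() compares in constant time.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        // The plaintext is only available at login, so rehash now.
        return [true, password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS)];
    }

    // Modern record: password_verify() reads the algorithm, cost and
    // salt from the stored string itself.
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Also catches records hashed with a lower cost than the current one.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        return [true, password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS)];
    }
    return [true, null];
}

// Constructed sample: one admin row still holding an unsalted MD5 hash.
$db = ['admin' => md5('correct horse battery staple')];

$attempts = ['wrong guess', 'correct horse battery staple', 'correct horse battery staple'];
foreach ($attempts as $attempt) {
    [$ok, $newHash] = verify_and_upgrade($attempt, $db['admin']);
    if ($newHash !== null) {
        $db['admin'] = $newHash; // persist the upgraded hash
    }
    printf("%-4s upgraded=%-3s stored=%s...\n",
        $ok ? 'ok' : 'fail', $newHash !== null ? 'yes' : 'no', substr($db['admin'], 0, 7));
}
```

Accounts that never log in keep their MD5 hash under this scheme, so dormant records still need a forced password reset. Bcrypt also only uses the first 72 bytes of the password.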
