elx_users hashing

[jhouns]

[moved from other thread]
Currently the system hashes passwords like this:

Code: [Select]

$password = md5($password);

but regardless of your password it's pretty much always (or so it seems) found in an online "decryptor". So why not salt it? Well there's still a good possibility to crack it or brute force it down if you can download the source code of elxis and just copy->paste the salt out. Here's what I suggest:

An X salted MD5 hash be used to prevent simple decryption of the user passwords (which so far is very possible)

Code: [Select]

function getMD5String($password = '')
{
      if($password != '')
      {
             $origSalt = "someSalt"; //except have this read from an input in installation (or randomly generated on install).
             $newMD5 = $password; //You can remove this and just change $newMD5 to $password (was just clearer to see this way)
             $newSalt = MD5($origSalt);
             for($i = 0; $i < 4; 4i++)
            {
                   $newSalt = MD5($origSalt, $newSalt); //Rehashes itself upon each iteration 
                   $newMD5 = MD5($newSalt, $newMD5); //Rehashed X amount of times on a mutating salt (prevents decryption by sites like http://www.md5decrypter.co.uk/)
            }
      }
      return $newMD5;
}

In terms of what to do when you forget your super administrator password, create a page that you manually navigate to that will generate the phrase "test123" using this function, as opposed to using a preset hash and insert it into the database as you currently do. That way, passwords, even when accessed can't be decrypted (with ease). The SA passwords can't be recovered still, but can be reset back to a default ("test123") using the same method in use today.

[datahell]

Elxis 2009.x derives from mambo cms and it is some sort of outdated in some areas.
This is why we developed Elxis 4.0.
This new version uses dynamic password salt and a special encryption function.

[jhouns]

AHHH That would show where the version I was currently experimenting with was potentially outdated, it used a standard MD5 hash that was completely unsalted and was easy to circumvent.