IP.Board password hashing is no longer secure

[bfarber]

Those participating in this discussion looking for good solutions to provide additional security may be interested in the following marketplace two-factor authentication addons


http://community.invisionpower.com/files/file/5731-2-factor-authentication-for-acp/


Changing the hashing algorithm is NOT something to be done lightly. It would need fallbacks, users who haven't logged in since the change would still have passwords hashed based on previous version algorithms, etc. There's a lot that would need to be taken into account.

[GIANT_CRAB]

Changing the hashing algorithm is NOT something to be done lightly.

Agreed.

I also understand that IP.Board password hashing is not that /great/.
However, there are factors to put into consider:

Is it really needed to change the hashing method when new hashing algorithms are broken sooner or later?
Your site must be hacked before the hackers acquire the hashed password; wouldn't it be better to fix your site's loop-holes than to "upgrading" IP.Board's password hashing algorithm?

[Ryan H.]

Is it really needed to change the hashing method when new hashing algorithms are broken sooner or later?

Your site must be hacked before the hackers acquire the hashed password; wouldn't it be better to fix your site's loop-holes than to "upgrading" IP.Board's password hashing algorithm?

Not all loopholes can be 'fixed'... people are always a problem.

[Wolfie]

Is it really needed to change the hashing method when new hashing algorithms are broken sooner or later?

Your site must be hacked before the hackers acquire the hashed password; wouldn't it be better to fix your site's loop-holes than to "upgrading" IP.Board's password hashing algorithm?

Double edged sword on this. On the one hand, finding ways to improve security, without going to extremes, is always a good idea. On the other hand, you don't want to make it so that people despise your site because of the hassle they have to go through to join or sign-in.

You mention about the algorithms being broken 'sooner or later', using that same argument, what's the point of using passwords at all? Even with safeguards in place to make it more difficult, someone could still attempt and eventually hack their way into someone's account. It would only be a matter of time. Granted, it could take years or even decades, but that would still fall under "sooner or later" when you think about it.

So yes, there is a need to change it. The issue is it being something that would work on all sites, either because a certain method is automatically supported or from a fall-back method developed by IPS that would generate the same result without getting too complex or using much (if any) additional resources.

Yes, a site has to be hacked so that the data can be obtained in order to start cracking the passwords. I don't think anyone will argue with that point. It's a matter of making it so that the data is somehow useless or will at least require some additional effort or time in order to crack those passwords. Can't make it hardware dependent because if someone changes to another hosting company, all passwords are useless. Can't just make it an additional file, hacker can just download that file. One of those "lose-lose" situations. Oh well, if there's a way to get around those obstacles, then I'm confident the IPS devs will come up with it.

Not all loopholes can be 'fixed'... people are always a problem.

Social engineering, a reminder that you can't program people as you would a computer.