The forum will pay 40 BTC for a patch to SMF version 1.1.16 upgrading password hash security.
You should use these PHP functions I've written for doing the actual hashing:
```php
// salted SHA-256 with 7500 rounds
define('CRYPT_PARAMS', '$5$rounds=7500$');

// get $bytes bytes of secure random binary data
function urandom($bytes)
{
    $file = fopen('/dev/urandom', 'rb');
    // fail closed if the random source cannot be opened
    if ($file === false)
        die('urandom open failed');
    $result = fread($file, $bytes);
    fclose($file);
    // fread() returns false on error and may return fewer bytes than asked for
    if ($result === false || strlen($result) < $bytes)
        die('urandom byte length mismatch');
    return $result;
}

// hash and salt a new password for insertion into the database
function newpass($pass)
{
    // 12 random bytes base64-encode to a 16-character salt
    return crypt($pass, CRYPT_PARAMS . base64_encode(urandom(12)) . '$');
}

// compare a provided password with the hash in the database
function password_is_valid($entered_password, $db_hash)
{
    // crypt() reads the parameters and salt back out of the stored hash
    return crypt($entered_password, $db_hash) === $db_hash;
}

// old password comparison:
// sha1(strtolower($user) . $entered_password) == $db_hash
// new password comparison:
// password_is_valid($entered_password, $db_hash)
```
You need to do this:
- In LogInOut.php, upgrade SMF SHA-1 hashes to these new hashes automatically. Also, update any passwords that pass password_is_valid() but have a different CRYPT_PARAMS prefix than is being used currently.
- Change all old password comparisons to the new method.
- Wherever passwords are updated, use newpass() instead of SMF's method.
- Thoroughly test all aspects of this modification. I am mostly paying someone to do this change instead of doing it myself because bugs in this would create a huge mess and I therefore want someone more experienced in software testing to do it.
Hint: SMF has a "salt" column in the database and a "passwordSalt" variable, but these aren't actually used for password hashing. You only need to deal with the "passwd" column/variable.
PM me or post here if you're interested. I will pick the best candidate in a week or two. You should only apply if you're already pretty well-trusted in the community.
(Do not post in this thread about how you prefer another hashing method.)
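Added example, not part of the original post and not SMF code: a sketch of the login-time upgrade the first task describes, returning a replacement hash whenever a valid password is stored as legacy SHA-1 or under a different CRYPT_PARAMS prefix. The name check_and_upgrade() and the sample rows are hypothetical, and the sketch assumes PHP 7+ (random_bytes(), hash_equals()) in place of the post's urandom() and ===.

```php
<?php
// Added example; every function name except PHP built-ins is hypothetical.
define('CRYPT_PARAMS', '$5$rounds=7500$'); // same parameters as in the post

function newpass($pass)
{
    // Assumption: PHP 7+ random_bytes() stands in for the post's urandom().
    // '+' is mapped to '.' so the salt stays within the ./0-9A-Za-z alphabet.
    $salt = strtr(base64_encode(random_bytes(12)), '+', '.');
    return crypt($pass, CRYPT_PARAMS . $salt . '$');
}

// Returns array(bool $valid, string|null $replacement_hash).
// A non-null second element must be written back to the "passwd" column.
function check_and_upgrade($user, $entered_password, $db_hash)
{
    if (preg_match('/^[0-9a-f]{40}$/', $db_hash)) {
        // Legacy SMF hash: sha1(strtolower(user) . password)
        $legacy = sha1(strtolower($user) . $entered_password);
        if (!hash_equals($db_hash, $legacy)) {
            return array(false, null);
        }
        return array(true, newpass($entered_password));
    }
    $computed = crypt($entered_password, $db_hash);
    // crypt() returns a short '*0' or '*1' string on failure; never accept it.
    if (strlen($computed) < 13 || !hash_equals($db_hash, $computed)) {
        return array(false, null);
    }
    // Valid, but hashed under other parameters: rehash with the current ones.
    $current = strncmp($db_hash, CRYPT_PARAMS, strlen(CRYPT_PARAMS)) === 0;
    return array(true, $current ? null : newpass($entered_password));
}

// Constructed sample rows for user "Alice" with password "hunter2".
$rows = array(
    'legacy sha1'    => sha1('alice' . 'hunter2'),
    'old parameters' => crypt('hunter2', '$5$rounds=5000$constructedsalt$'),
    'current'        => newpass('hunter2'),
);
foreach ($rows as $label => $db_hash) {
    list($valid, $replacement) = check_and_upgrade('Alice', 'hunter2', $db_hash);
    printf("%-14s valid=%s rehash=%s\n", $label,
        var_export($valid, true), var_export($replacement !== null, true));
}
```

The rehash only happens after the entered password has verified against the stored value, so a failed login never changes the "passwd" column.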