Does SMF md5 hash then salt the passwords?

Started by Jake :), April 10, 2008, 05:29:27 PM

Jake :)

Does SMF md5 hash then salt the passwords? Can I make SMF stop doing this and just MD5 them? I want to run a 'Most Secure Password' competition to encourage my users to have secure passwords.

Afford
Half Life Forums - chat about the brilliant game from Valve!

karlbenson

SMF uses salted SHA1 (the username is used as the salt).

MD5 is not suitable to use for passwords since it was broken.

Jake :)

Can I get a MOD that changes it from SHA1 to MD5? I don't mind it being cracked, I take regular backups and will disable the MOD & change everyone's pass if it does get hacked.
Half Life Forums - chat about the brilliant game from Valve!

karlbenson

I don't know of a way to do it.

SMF doesn't actually store your password, it only stores the hashed version.
So after registration, SMF doesn't know what your password is.

When you login, JavaScript hashes the password client-side, so that a raw password isn't sent unsecured.
So SMF then matches the two hashes.

So you're going to have some difficulty there.

greyknight17

Welcome to SMF.

If you just want them to use a secure password, you can set the password security level to high in Admin->Registration->Settings tab.

If this is for some competition/game like you said only, then you might want to try requesting it in the Mod Requests board to see if anyone has ideas on how to do this. I'm not sure if this will be an easy task though.

It's a one way deal for the salted SHA1 that SMF uses. So it will be nearly impossible to break the password.

Jake :)

I've thought of a way:

Sending the password chosen on registration to a log file with their username before it's SHA1ed.
Half Life Forums - chat about the brilliant game from Valve!

anboni

This seems rather silly, trying to increase security awareness, but introducing a potentially pretty major security hole to do so :)

Normally, the password itself doesn't get sent over the wire, but to store it locally you will have to do so. And I won't get started on actually storing passwords in a file (even if they're encrypted, you're going to need reversible encryption to do what you want to do.)

Jake :)

What, sending a password is that hard?

Wow.
Half Life Forums - chat about the brilliant game from Valve!

TosaInu

Hello Afford,

It's a good idea to raise awareness, quite some people think 123 is a password. When it goes wrong, it can cause quite some disruption in communities.

I'm not sure about a competition though. How to check it? And if you can check it, is it appreciated? Members want a secret password.

Maybe you should start a topic and run the competition like submitting the best plans to make a strong password and the easiest to understand explanation why it is important?

Passwords do not only have to be strong, it also needs to be understood why it has to be that way and they need to be convenient to use.

For example: I can submit Xc54FreT3$^hgTr76aS@!p[ILOrW and may win the competition. But that's not a convenient password, nor does it convince anyone to follow 'lead'. Quite some people will think I'm just showing off just to win the competition: pfft! abcd works too and can be remembered!

But when I explain the difference in time to crack 4 random lowercase characters and 4 upper/lower case mixed characters, explain that it will become even harder when you mix in numbers and special signs/more characters and come with a good suggestion to create unique, strong and easy to remember passwords, it may convince people to do it too.

Rumbaar

Can I ask why you can't have a 'most secure password' competition with the current method of encryption? Even though for the most part you'll not be able to fully test any password :)
"An important reward for a job well done is a personal sense of worthwhile achievement."