Heya, welcome to omnimaga!
Do you know how to program yet?

Soooooo, the new Star Wars movie is out! (in Europe at least)
I already saw it and, I must say, I liked it quite some!
I was surprised they said the movie was by lucasarts and not by disney
It felt so....unreal to see star wars on the big screen, lol

Expect spoilers in this thread!

Anyhow, spoilery stuff:

We also have chrismas heading up, which usually keeps quite some users busy and thus the forum activity decreases.

You have Thing Explainer? Nice!

Oh, also, have a birthday muffin:

Quote from: Sorunome on December 08, 2015, 03:00:15 pm

If the user has JS disabled the password will be sent as-presented to the server and will be handled there, the user still gets to log in.

Sounds good. So it's just more secure to leave JavaScript enabled on the site

Exactly, that's the point

So yeah guys,
You probably noticed that due to the recent hacking stuff I started making an SMF mod to drastically improve login security.

Well, how it goes with security it is best if it is discussed by multiple people, thus me making this thread (even though I believe my concepts to be secure currently, it's best to check back with others).

The current code can be found here: https://github.com/Sorunome/SMF-bcrypt


The concepts are:

Storing passwords
Using PHP's password_hash with PASSWORD_DEFAULT to hash+salt the passwords, storing the result in the DB.
I chose this way as it currently uses bcrypt with the perspective to the future to automatically upgrade to a stronger alg without the need to change any code

Transmitting passwords to server
Even though this should be fairly simple as we use https, it's still a good idea to add some extra security to that, especially since I plan to release this mod to normal SMF people who may not have https.
For that, as soon as the user hits login, there will be an AJAX request to fetch an RSA public key which was created in that instant and will only be valid for one min. The client will encrypt the password using that RSA public key, the server will then decrypt using the stored private key. Again, these temporary keys are only valid for one minute and can only be used once, they will be deleted right after being used.

Login cookies
For this I generate a random string (16 bytes) which gets hashed with password_hash using the PASSWORD_DEFAULT method. The actual random string will be set as cookie, the hash reaches the database. So each page load I check against that.
In addition each hash/pwd goes along with an index so that multiple sessions are possible.



So, any thoughts?

why would they even use md5......you should report it to phpBB devs ^.^