I've seen a lot of topics about hashing and salting a password and then comparing them with the hash and salt in a MySQL database, however none of them really helped.

They were either really 'vague' or not in the right coding language.

I am coding in Visual Basic.

So, I'm using a forum software called 'MyBB' and it encrypts the user's password to an MD5 hash and generates a salt alongside it.

I have successfully connected to the MySQL database and I'm able to log in with my application using the username, however because I haven't yet hashed the password and salted it then compared the two, I'm unable to log in using my original password - instead I have to use the MD5 hashed password from the database.

My question is: How do you hash the password then salt it and then compare the two so that I'm able to log in using my original password without having to use the MD5 hash from the database?

Any help would be appreciated.

I have searched and read numerous topics, however none of them showed how to do it. They briefly mentioned you need to hash and salt the password then compare the two, however they didn't provide any code or steps for how to do it. Also there are few topics on doing this in Visual Basic. Most of them are for PHP and C#, which is not helpful when you don't primarily code in those languages.

Mathieu Guindon
Blooberz
  • Every software does it a bit differently, you'd need to check MyBB's source code to learn how exactly they do it. – tkausl Jan 21 '19 at 18:03
  • Isn't _MyBB_ a PHP-based system? When you say you are coding in Visual Basic, how exactly? Also, is it Visual Basic or VBA (which are different)? – Martin Jan 21 '19 at 18:05
  • @MartinParkin Yes, MyBB is a PHP-based system. When I say I'm coding in Visual Basic, I am coding an application that allows users from the forum to sign in on the application using the credentials they signed up with, so I am using the MySQL database where their data is stored and connecting to it using Visual Basic. Visual Basic & VBA are the same, just one is a shorter abbreviation. – Blooberz Jan 21 '19 at 18:15
  • @tkausl Hmm.. yes.. the only problem I have is I really don't know any php. I have the file where they have a function that generates a random salt etc, however it's in php. Which makes it a little more difficult as I am not that experienced with php. – Blooberz Jan 21 '19 at 18:27
  • "Visual Basic & Vba are the same just one is a shorter abbreviation" -nope nope! – Tim Williams Jan 21 '19 at 18:40
  • Is this VB or VBA? One is a .NET language, the other runs off COM and hosted inside a host application, such as MS Excel. The two are quite massively different beasts. With .NET you get the whole framework to help. If this is VBA then you're going to have a much harder time, but I'm not the one to say it's going to be impossible (noting .NET's COM-visible crypto classes can probably be used from VBA). – Mathieu Guindon Jan 21 '19 at 18:51
  • @MathieuGuindon Oops.. I thought VBA was VB but just a short version. I am using Visual Basic not VBA. – Blooberz Jan 21 '19 at 19:27

1 Answer

Hashing and salting fell out of style in the 1990s, and MD5 is such a terrible choice for hashing in general, and passwords in particular, that you should never use it.

The recommended way is to use `password_hash` to properly hash passwords, and `password_verify` to verify them.

Both of these use Bcrypt by default, a password-specific hash that's very hard to crack.

You can use Bcrypt in both PHP and other languages; it's a well-defined standard that's supported by .NET applications just the same. MD5, even "salted", is completely inadequate and needs to be replaced immediately.

I'd strongly suggest you switch over to Bcrypt-based passwords as soon as you can and migrate all your users over from MD5 to Bcrypt. Each time they log in you can update the password field if you know the MD5 hash matches.

For an example of how utterly useless MD5 is, search for 73868cb1848a216984dca1b6b0ee37bc.

tadman
  • Hmm, thanks for the suggestion, however, I'm not experienced with hashing and salting passwords. So, changing it to Bcrypt will be 10x harder if I'm not able to hash and salt the passwords. I need to hash and salt the user's password and compare it with the database, however I don't know how to do this. The information online is how to 'store'. I don't want to 'store', I want to match the existing MD5 hash and salt, so the user can log in with the original password they signed up for. – Blooberz Jan 21 '19 at 18:22
  • Changing to Bcrypt is relatively easy, `password_hash` does *everything* for you. Hashing and salting is **not in any way secure**, it's a terrible system that will be a gigantic liability for you. Update your BB software to use `password_hash` and then the equivalent in VB is easy. If you do go ahead and implement MD5 hashing you're only going to make it harder to fix the problem later, and this problem must be fixed. – tadman Jan 21 '19 at 18:23
  • You keep saying that hashing and salting is insecure, `password_hash` does exactly that so I don't get the point. Also I don't see how this answer helps OP in any way. – tkausl Jan 21 '19 at 18:32
  • @tkausl While internally it does hash and salt, it does this correctly and in a way that requires only one field. It also uses Bcrypt which is extremely important here. MD5 was intended to be a *high-speed* hash and was never suited for password storage. Bcrypt is a password-specific hash that is extremely hard to brute-force by design, and can be made arbitrarily more difficult for higher security needs. Storing passwords with MD5 in 2019 is completely unacceptable for even the most basic applications. – tadman Jan 21 '19 at 18:37
  • @tkausl Old systems used to have separate hash and salt fields and these are trivial to crack, especially with [GPU-optimized crackers](https://hashcat.net/hashcat/). It's not secure. It must be replaced. If you don't do this there's a very high probability the site is also lacking in other critical areas and the backing database will get stolen and leaked. – tadman Jan 21 '19 at 18:39
  • I agree about the MD5 part but you specifically said "hashing" (and salting) is insecure instead of "using a weak hashing algorithm is insecure". Also, I don't see why having hash and salt in separate fields should be less secure than having them in the same field. Don't get me wrong, I do agree that `password_hash` should always be used, but this doesn't necessarily make other methods of salting, hashing and storing a password insecure. – tkausl Jan 21 '19 at 18:41
  • @tkausl It's not the separation that's insecure, but that it's almost always a sign that someone's not using Bcrypt or something equivalent and is doing it wrong. Bcrypt does not produce two outputs, just one of the form `$2y$10$...` where that field combines the hashing algorithm, the difficulty setting, the salt, and the resulting hash into one string. The salt/hash approach doesn't do this and makes a huge number of assumptions about how those values are to be used. Separate values is an obsolete and honestly downright dangerous method of storing passwords. – tadman Jan 21 '19 at 18:44
  • @tkausl So in other words, if your password hashing library doesn't output in [Modular Crypt Format](https://passlib.readthedocs.io/en/stable/modular_crypt_format.html) it's probably obsolete and shouldn't be used. This format can accommodate legacy forms like MD5 if necessary to make transitioning from MD5 to Bcrypt as seamless as possible. `password_verify` can verify MD5 salt/hash pairs if they're rewritten in that form, one step towards replacing them with proper Bcrypt hashes. – tadman Jan 21 '19 at 18:48
  • This is getting pretty abstract. OP, just open the NuGet package manager in Visual Studio and search for & install BCrypt.net, and use the two function calls. That's all you have to do, bcrypt handles the rest. `BCrypt.Net.BCrypt.HashPassword("Password123", BCrypt.Net.BCrypt.GenerateSalt())` to get a hashed value to save to your database, and `BCrypt.Net.BCrypt.Verify("ProvidedPassword", "SavedHashedPassword")` to verify that a given password hash matches what you have saved in your database – soohoonigan Jan 21 '19 at 19:37
  • @soohoonigan Hmm yeah however I have not implemented BCrypt. I'm still using the md5 method. I understand that md5 was meant to be a high-speed hash and I thank you for your advice that I should change to BCrypt to improve security, however the problem is.. I am not experienced how all of this works. So, instead of jumping into the deep end. I would rather prefer to learn how to hash and salt an md5 hash and then compare the hash and salt to the database. Just so I learn how hashing and salts work. Then once I can do that.. then I'll think about changing it to BCrypt. – Blooberz Jan 21 '19 at 19:43
  • I'd start with Bcrypt, look at the Modular Crypt Format, and work backwards to hash/salt. Look at the PHP code in particular and make a VB equivalent. – tadman Jan 21 '19 at 22:06
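
The check the question asks for, combined with the upgrade-on-login step suggested in the answer, as an added VB.NET example that is not part of the original thread or MyBB's own code. Assumptions: the stored value is `md5(md5(salt) . md5(password))` (the legacy MyBB scheme; confirm it against your MyBB version's source), passwords are hashed as UTF-8 bytes, and the BCrypt.Net NuGet package mentioned in the comments is installed. The module and function names are hypothetical.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module LegacyMyBBLogin
    ' Lowercase hex MD5 of a UTF-8 string, the same format PHP's md5() returns.
    Function Md5Hex(input As String) As String
        Using hasher As MD5 = MD5.Create()
            Dim digest As Byte() = hasher.ComputeHash(Encoding.UTF8.GetBytes(input))
            Return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant()
        End Using
    End Function

    ' ASSUMPTION: legacy MyBB scheme md5(md5(salt) . md5(password)).
    Function MyBBHash(password As String, salt As String) As String
        Return Md5Hex(Md5Hex(salt) & Md5Hex(password))
    End Function

    ' Compare every character instead of stopping at the first difference.
    Function SameHash(a As String, b As String) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (AscW(a(i)) Xor AscW(b(i)))
        Next
        Return diff = 0
    End Function

    ' Returns the hash to keep after a successful login (bcrypt), or Nothing on failure.
    Function LoginAndUpgrade(password As String, salt As String, stored As String) As String
        If stored.StartsWith("$2", StringComparison.Ordinal) Then ' already bcrypt
            Return If(BCrypt.Net.BCrypt.Verify(password, stored), stored, Nothing)
        End If
        If Not SameHash(MyBBHash(password, salt), stored.ToLowerInvariant()) Then Return Nothing
        Return BCrypt.Net.BCrypt.HashPassword(password) ' replaces the MD5 pair
    End Function

    Sub Main()
        ' Constructed sample row; the salt and password are made up for this example.
        Dim salt As String = "a1B2c3D4"
        Dim stored As String = MyBBHash("correct horse", salt)
        Dim upgraded As String = LoginAndUpgrade("correct horse", salt, stored)
        Console.WriteLine("legacy login ok: " & (upgraded IsNot Nothing))
        Console.WriteLine("bcrypt login ok: " & (LoginAndUpgrade("correct horse", "", upgraded) IsNot Nothing))
        Console.WriteLine("wrong password ok: " & (LoginAndUpgrade("wrong guess", salt, stored) IsNot Nothing))
    End Sub
End Module
```

While the forum itself still verifies the MD5 pair, keep the bcrypt value in a column the application owns rather than overwriting MyBB's password column, or forum logins will stop working.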