Please don't email my password in plaintext

But keep in mind that this forum is still based on 1.1.15. The current version is 2.0.2. I’m not sure if the 2.x-branch has improved in this respect (haven’t looked at the code to protect my eyes), but it might…

1.1.15 is the latest of the 1.x branch and just as secure as 2.x (which means it is horrible).

Found it! (took only 40min!)

SMF has at least 9 places where registration mails are sent. :persecutioncomplex:

Heh. Riven, you do great work for us all. It’s appreciated, bro.

I’m not saying it's secure with sha512, but it's an obvious thing to do and better than PLAINTEXT.
Well, of course that's kinda an oxymoron, since there's no such thing as “more” or “less” secure, only effective or not,
but you know - plaintext passwords just baffle me,
and as opposed to SQL injection and stuff, not as hard to avoid.

This reasoning is exactly what I mean by ‘false sense of security’.

Excuse my French, but hashing a password with sha512 is worth shit. You could just as well have stored the password in plain text. There are more than enough rainbow tables available to ‘convert’ the hash back to the original value (with a high probability). What you need to do is salt your hash. Only then do you make it nearly impossible to ‘recover’, other than by brute force.

To be exact, 1.1.16 is the latest…but I doubt that it’ll help much either… :wink:

Running 1.1.16 now. Thanks for the heads up.

Sure. Salting is mandatory. And with it, sha512 hasn’t shown collisions, afaik.

SHA512 has 512 bits (64 bytes).

Computing all hashes from all possible unique files of 65 bytes, you will find at least 256 collisions.
Computing all hashes from all possible unique files of 66 bytes, you will find at least 65536 collisions.
Computing all hashes from all possible unique files of 67 bytes, you will find at least 16777216 collisions.
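The counting in the post above, carried through with the pigeonhole principle as an added worked example (not part of the original thread):

$$
\#\{\text{inputs of } n \text{ bytes}\} = 2^{8n}, \qquad \#\{\text{SHA-512 digests}\} = 2^{512},
$$

so the average number of $n$-byte inputs mapping to one digest is

$$
\frac{2^{8n}}{2^{512}} = 2^{8n-512}, \qquad
2^{8\cdot 65-512} = 2^{8} = 256, \quad
2^{8\cdot 66-512} = 2^{16} = 65536, \quad
2^{8\cdot 67-512} = 2^{24} = 16777216 .
$$

By the pigeonhole principle, for any $n > 64$ some digest has at least $2^{8n-512}$ distinct preimages. This is a counting fact, not an attack: a generic birthday search for a single SHA-512 collision still costs on the order of $2^{256}$ hash evaluations, which is why these counts and "Collisions found: none" are both true at the same time.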

I’m no security expert.

[quote]SHA-2 - SHA-512/384, Collisions found: none
[/quote]
So I thought, with everything below SHA-2, including obviously stuff like md5, collisions have been found; therefore they are insecure.

[quote]What you need to do is salting your hash.
[/quote]
That's simple: just use the user name.
user name + password -> hash -> db
(the user name is stored in plain text with the hash code in the db).
I know that sounds strange, but it's “secure”.

[quote]That's simple: just use the user name.
user name + password -> hash -> db
(the user name is stored in plain text with the hash code in the db).
I know that sounds strange, but it's “secure”.
[/quote]
It doesn’t sound strange, it’s “obvious”.
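The three storage schemes argued about above (plain sha512, sha512 over user name + password, and a salted hash), side by side with the attacker's view of each. This is an added example, not code from the forum software or from anyone in the thread; the wordlist is constructed, and the per-user random salt plus iterated PBKDF2-HMAC-SHA512 at the end is my own assumption about what "salting" should look like in practice, not something the thread prescribes.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the leaked-password lists behind
# rainbow/lookup tables. Small on purpose; the point is the lookup pattern.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]


def unsalted_sha512(password):
    """'Just sha512': the same password always gives the same digest,
    so one precomputed table works against every site using this scheme."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def username_salted_sha512(username, password):
    """The user-name-as-salt scheme from the thread: sha512(username + password)."""
    return hashlib.sha512((username + password).encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Attacker side: hash the wordlist once, then answer any unsalted digest by lookup."""
    return {unsalted_sha512(pw): pw for pw in wordlist}


def crack_by_lookup(table, stored_digest):
    """Returns the password if the digest is in the precomputed table, else None."""
    return table.get(stored_digest)


def crack_username_salted(username, stored_digest, wordlist):
    """With a per-user salt the shared table is useless, but a per-user guess loop
    still works: salting removes the precomputation, it does not slow each guess."""
    for pw in wordlist:
        if hmac.compare_digest(username_salted_sha512(username, pw), stored_digest):
            return pw
    return None


# Assumption, not from the thread: a random per-user salt plus an iterated
# construction, so every guess costs the attacker ITERATIONS hash evaluations.
ITERATIONS = 100_000


def store_random_salted(password, salt=None):
    """Returns (salt, digest); the salt is stored in the DB next to the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_random_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted: one table lookup recovers the password.
    print(crack_by_lookup(table, unsalted_sha512("hunter2")))        # hunter2
    # User-name salt: the table misses, but per-user guessing still succeeds.
    d = username_salted_sha512("alice", "hunter2")
    print(crack_by_lookup(table, d))                                 # None
    print(crack_username_salted("alice", d, COMMON_PASSWORDS))       # hunter2
    # Random salt + iterations: verification works, and two users with the
    # same password get different digests.
    salt, digest = store_random_salted("hunter2")
    print(verify_random_salted("hunter2", salt, digest))             # True
    print(verify_random_salted("hunter3", salt, digest))             # False
```

Two things the thread glosses over that the code makes visible: a user name is a salt in the sense that it defeats a shared precomputed table, but it is predictable and the same on every site that uses the scheme, and no salt at all makes an individual guess more expensive; that is what the iteration count in the last scheme is for.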

[quote]So I thought, with everything below SHA-2, including obviously stuff like md5, collisions have been found; therefore they are insecure.
[/quote]
This should be obvious? >_> I mean, a 512-bit hash can only hold a certain number of different values (as many as a Java long), so it’s obvious that 2 or more passwords longer than 64 bytes will end up with the same hash. If this weren't the case then hashes could be used for file compression, to compress any file to 64 bytes. Yaaaay.

:expressionless:

Update or change to MyBB, much more secure. They are free and provide a merge tool. ;D

What kind of wonky math are you doing? ;D

file compression ?

SHA are hash functions. It's not RSA. You can't decrypt a hash to the original content =0

@Cero
He meant that if there were no collisions in SHA-512 at all, then you would be able to get the original content of any file from its hash.

Huh, that's messed up. Not sure what the links are for. Must have been really old links from way back when I first signed up for this forum.