WBB3 Password Hashing

Ever wondered how Woltlab's Burning Board 3 (WBB3) hashes passwords? The default configuration does it like this:

Salt: Each user gets an individual salt value, which is a SHA1 hash of a random value (let's call that r). The implementation is a bit more involved, but for the sake of argument, let's just say it's a 40-character lowercase hex string s over [a-f0-9], i.e. the hex digest of SHA1(r).

Hash function: You may now think that for a password p, the hash is simply calculated as SHA1(s+p), but you'd be wrong. First, the hash by default uses double-salting: the salt is prepended twice, at two different levels. Second, there are more SHA1 invocations than you'd think, three in total. The full hash function turns out to be (with + denoting string concatenation of hex digests):

h = SHA1(s+SHA1(s+SHA1(p)))

Fun, eh? Now remember that s = SHA1(r), and expand the above line accordingly.
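To make the scheme above concrete, here is an added Python model of it. This is not WBB3's own code; it assumes that every SHA1 output is handled as its 40-character lowercase hex digest, that strings are UTF-8 encoded before hashing, and that r is any random string (how WBB3 actually draws r is not covered by this post). The function names and the sample values are made up for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example modelling the WBB3 default scheme described above. Not WBB3's
# own code; assumptions: hex digests concatenated as strings, UTF-8 encoding.


def sha1_hex(data: str) -> str:
    """SHA1 of a UTF-8 string, returned as 40 lowercase hex characters."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def make_salt(r: Optional[str] = None) -> str:
    """s = SHA1(r). If no random value r is supplied, draw one from the CSPRNG."""
    if r is None:
        # 160 random bits, hex encoded (assumption: WBB3's real r may differ)
        r = secrets.token_hex(20)
    return sha1_hex(r)


def wbb3_hash(s: str, p: str) -> str:
    """h = SHA1(s + SHA1(s + SHA1(p))): double-salted, three SHA1 calls."""
    inner = sha1_hex(p)            # SHA1(p): the only step without the salt
    middle = sha1_hex(s + inner)   # SHA1(s + SHA1(p)): first salting
    return sha1_hex(s + middle)    # SHA1(s + SHA1(s + SHA1(p))): second salting


def wbb3_hash_from_r(r: str, p: str) -> str:
    """Same hash with s expanded to SHA1(r):
    h = SHA1(SHA1(r) + SHA1(SHA1(r) + SHA1(p)))."""
    return wbb3_hash(sha1_hex(r), p)


def verify_password(s: str, stored_h: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(wbb3_hash(s, candidate), stored_h)


if __name__ == "__main__":
    # Constructed r for a reproducible demo; a real system draws it at random.
    salt = make_salt("some-random-value")
    h = wbb3_hash(salt, "correct horse")
    print("salt:", salt)
    print("hash:", h)
    print("verify ok:", verify_password(salt, h, "correct horse"))
    print("verify bad:", verify_password(salt, h, "wrong horse"))
```

Writing the three steps out separately makes the structure of the expanded formula visible: the innermost SHA1(p) is the only invocation that does not involve s, and the two outer invocations each prepend the same 40-character salt.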

By Shadowdancer, 2009-04-14, 17:20; permalink;
Last updated at 2009-04-14, 17:21 by Shadowdancer