
It's vBulletin 3.8.x

The passwords are hashed and salted using this:

    md5(md5(password + user_salt))



Running a hash function directly on a hash makes little sense. You probably meant:

    md5(md5(password) + user_salt)


[edit]I'm wrong, you're right[/edit]

Just re-checked... the line is this:

    md5(md5($vbulletin->GPC['password']) . $vbulletin->userinfo['salt']))

I got confused by the last bracket closing an outer conditional.
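
Added example, not part of the thread and not vBulletin's own code: a Python rendering of the two formulas discussed above, showing that they produce different digests, so a verifier built on the first-posted formula would not match hashes stored with the second. It assumes UTF-8 input and PHP's default `md5()` behaviour of returning lowercase hex text; the function names and the sample salt and passwords are constructed for illustration.

```python
import hashlib
import hmac


def _md5_hex(data: bytes) -> str:
    # PHP's md5() returns 32 lowercase hex characters by default, so the
    # outer hash below consumes the hex text, not the raw 16-byte digest.
    return hashlib.md5(data).hexdigest()


def vb38_hash(password: str, salt: str) -> str:
    """md5(md5(password) . salt), the line quoted from vBulletin 3.8.x."""
    inner = _md5_hex(password.encode("utf-8"))
    return _md5_hex(inner.encode("ascii") + salt.encode("utf-8"))


def misquoted_hash(password: str, salt: str) -> str:
    """md5(md5(password + salt)), the formula as first posted."""
    inner = _md5_hex((password + salt).encode("utf-8"))
    return _md5_hex(inner.encode("ascii"))


def verify_login(candidate: str, salt: str, stored_hash: str) -> bool:
    """Check a login attempt against a stored (hash, salt) row."""
    computed = vb38_hash(candidate, salt)
    # Constant-time comparison; normalise case in case the stored value
    # was exported in uppercase hex.
    return hmac.compare_digest(computed, stored_hash.strip().lower())


if __name__ == "__main__":
    # Constructed sample row, not real data.
    salt = "x7Q"
    stored = vb38_hash("correct horse", salt)
    print("stored hash:         ", stored)
    print("misquoted formula:   ", misquoted_hash("correct horse", salt))
    print("valid login accepted:", verify_login("correct horse", salt, stored))
    print("wrong login rejected:", not verify_login("battery staple", salt, stored))
```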


Most likely they have another authentication backend.


Not for Steam forums they don't, they're using vBulletin and it doesn't appear to be modified beyond the theme.

That Steam forums requires a separate registration shows that there is unlikely to be any integration between Steam and the forum software.

However, their point is that if you used the same username and password on both the Steam forums and Steam itself (with likely the same username) then by virtue of Steam forums being compromised, your main account should be considered compromised.


Double MD5‼ To be extra secure‼



