MD5
MD5 (short for Message Digest algorithm 5) is a cryptographic hashing method used by esoTalk and esoBB for storing non-sensitive information.
In the past, esoTalk used MD5 to store account passwords, among other things. However, increased computing power proceeded to compromise the security of MD5 as a method of storing sensitive information, which prompted esoBB to replace PHP's md5() function with bcrypt within the login controller, among others. This is in spite of the fact that, because the software has salted password hashes since esoTalk beta, there is no direct threat to account security posed by the use of MD5. Regardless, since it is no longer inefficient for most processors to use stronger cryptography in this manner, esoBB delta 2 treats bcrypt as the default for new forums, unless configured otherwise.
esoBB continues to use the md5() function for hashing non-sensitive data into a more normalized form of string to be used within the database, as opposed to plaintext. However, since this is an unsalted hash, it can be converted back into plaintext using the hash alone. This is particularly ideal for storing irregular data, such as potentially syntax-breaking characters (like quotes and backward slashes) without risking the potential for SQL injection.
Due to the bcrypt function, PHP 5.1 and below versions must use MD5. Furthermore, esoBB accounts containing passwords made with bcrypt are impossible to be automatically downgraded to use with any version of esoTalk, even gamma. As such, esoBB delta 2 marks the first ever clean break with esoTalk in terms of compatibility, excluding the renaming of the esoTalk function, which was one of the earliest changes to the esoBB fork.
There is no known disadvantage to using bcrypt besides the more complex, and thus more computationally intensive, nature of the encryption method itself. The difference in computing power is made negligent by modern-day processing technologies, namely multithreading and an increase in floating point units (FPUs). There is, however, the unique advantage of preventing the database information from being used to log into accounts, since the password and salt are stored together using one string, rather than two strings. This means that, in practice, database leakage presents less of a risk to account security, whereas previously, the MD5 hash itself could be used to spoof a valid login in some rare cases. The exclusion of separate values is also more efficient because it compares two values instead of 3, making login credentials verifiable with only a singular database query, excluding fingerprinting.
MD5 remains highly common as a password hashing method, however Moore's Law reasons that computers will eventually be able to crack even salted MD5 hashes virtually as fast as they can be generated, therefore making it preferable to bruteforcing. In some cases, salted MD5s have been "unsalted" by using the hash and salt, but this remains an unlikely concern for esoBB, due to the impossibility of guessing either value without prior database access, thus negating any benefit to be had from cracking the password rather than simply changing it (or viewing the raw account data, thereby showing posts).
In a future update, esoBB may extend one-way hashing to the contents of posts as well, among other information which could stand to benefit from some level of encryption. This would effectively make a forum's database useless without a plaintext account password to unlock any relevant posts, and this is considered by admin to be a necessary prerequisite for making it possible to import/export databases directly from the admin settings view.
