Bona Fide OS Development
http://forums.osdever.net/

Forum PW's...
http://forums.osdever.net/viewtopic.php?f=15&t=163
Page 1 of 3

Author:  Sharpner [ Wed Feb 10, 2010 2:34 pm ]
Post subject:  Forum PW's...

hi,
I have a favor to ask...
could you store the user pw's of the forum in some kind of encrypted way?
after my registration I got the pw in plain text which kinda bugs me...

even md5 would be fine.

Thanks :)

Author:  Michael [ Fri Feb 12, 2010 4:50 am ]
Post subject:  Re: Forum PW's...

Well, I'll assume you're using PHP. Try the MD5 Function:

Let's assume that your user enters their password as plain text (obviously starred out (*****) on the form), and this is stored in the variable "$password". The function would be like so:

Code:
<?php
// $password holds the plain-text password submitted from the form
$encryptedPassword = $password;

echo md5($encryptedPassword);


You could then add in some other details to get the password and create a login function.

Author:  Sharpner [ Fri Feb 12, 2010 6:14 am ]
Post subject:  Re: Forum PW's...

I don't want to use it for me..
I hope it will be used in this board.

I know how it works, I just wondered why I got my pw plain text per email when I registered...
and I wouldn't use normal md5 anymore.. either sha1 or salted md5 would be safe enough...

but thanks anyways xD
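As an added example, not code from either poster or from phpBB: a registration/login pair that stores a salted hash instead of the plain password, contrasted with the unsalted md5() from the earlier reply. It uses PHP's password_hash()/password_verify() (bcrypt with a random per-user salt) in place of the salted md5 mentioned above, and assumes a PHP 7+ runtime with an in-memory $users array standing in for the forum's user table.

```php
<?php
// Added example (not from the thread or phpBB). Assumes PHP 7+;
// the $users array stands in for the forum's user table.

// What the earlier snippet does: an unsalted digest. Two users with the
// same password get the same digest, so one cracked entry reveals both,
// and precomputed md5 tables apply directly.
function unsaltedMd5(string $password): string {
    return md5($password);
}

// Salted hashing: password_hash() draws a random salt per call and embeds
// it, with the algorithm id and cost, in the string it returns, so nothing
// but that string needs to be stored.
function registerUser(array &$users, string $name, string $password): void {
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Login check: password_verify() reads the salt and cost back out of the
// stored string, recomputes, and compares in constant time. The plaintext
// is never stored, logged or mailed back to the user.
function loginUser(array $users, string $name, string $password): bool {
    if (!isset($users[$name])) {
        // Spend the same work on an unknown user as on a wrong password so
        // response time does not reveal which usernames exist.
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, $users[$name]);
}

// Constructed sample data: two users who chose the same password.
$users = [];
registerUser($users, 'alice', 'correct horse');
registerUser($users, 'bob', 'correct horse');

// Salted: identical passwords still produce different stored strings.
var_dump($users['alice'] !== $users['bob']);
// Unsalted md5: identical passwords produce identical digests.
var_dump(unsaltedMd5('correct horse') === unsaltedMd5('correct horse'));

// Login behaviour: right password, wrong password, unknown user.
var_dump(loginUser($users, 'alice', 'correct horse'));
var_dump(loginUser($users, 'alice', 'wrong'));
var_dump(loginUser($users, 'nobody', 'correct horse'));
```

With hashes stored this way, a registration mail or lost-password flow can only ever issue a reset link or a fresh random password, never the original, which is the behaviour the original post was asking the board to adopt.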

Author:  Kieran [ Sun Feb 14, 2010 1:20 pm ]
Post subject:  Re: Forum PW's...

I'm sorry, I don't know any forum systems that deliver passwords to users in an encrypted/hashed form.
I have no idea how the passwords are stored in the database, but this should not be of concern to yourself, unless you are going to post personal/private data on your profile and in your posts.
Even if the passwords are stored via a hashing algorithm, delivery of the password would still be in plain text form, but sent to you before being encrypted/hashed, then stored in the database. A good way to tell if a database is hashed is to follow the lost password link: any site that provides a lost password does not use hashing, because if it did it would have to randomly generate a new one or ask you to provide a new password after supplying, for example, answers to personal questions, a secret question...

Author:  DudeOfX [ Mon Feb 22, 2010 2:01 pm ]
Post subject:  Re: Forum PW's...

I am starting to suspect that some of the spam that we get are attempts to break in rather than make money... soooo, I'm gonna ask if anybody here has some hacking knowledge to go and test this system and report back so it can be fixed...

Author:  Kieran [ Tue Feb 23, 2010 5:32 am ]
Post subject:  Re: Forum PW's...

What do you mean mate?

Author:  DudeOfX [ Tue Feb 23, 2010 10:05 am ]
Post subject:  Re: Forum PW's...

what motives do spammers have? I was deleting some spam thinking how could a spammer possibly think he/she can make money doing this... so it dawned on me... hacking... cause I remembered an SQL injection video I watched a while back when the guy said something like... "all you gotta do is get the admin to click on it"...

and I was hoping to have a friendly hacker among us who knew a trick or two and to try it out on the system and then let us know so it can be fixed or watch out for...

Author:  Kieran [ Tue Feb 23, 2010 6:23 pm ]
Post subject:  Re: Forum PW's...

I think I have seen the same thing. It's a fault built into the base forum code as I remember. I can take a look into it if you like, but I think Michael may make a better php hacker.

Author:  ctimko [ Fri Aug 06, 2010 7:04 am ]
Post subject:  Re: Forum PW's...

This server doesn't have an SSL certificate, so anyway it goes, your password will still be sent unencrypted across the network.

Author:  Kieran [ Tue Aug 10, 2010 9:18 am ]
Post subject:  Re: Forum PW's...

But, since most people will access this website from home, more than likely via a wireless router, possibly with a wired connection for their main computer.

As long as the router is secured and the local exchanges are too, then your data is secure from all but government agencies.

As far as I can see the main security risk would be ARP (ARP Poison Routing) to re-route network traffic, but this requires a direct link with the client, which would be hard to achieve if the correct security is used i.e. WPA2 or a network using a RADIUS server for network authentication.
