Bona Fide OS Developer
 Forum PW's... 

Joined: Wed Feb 10, 2010 6:32 am
Posts: 26
Post Forum PW's...
hi,
I have a favor to ask...
could you store the user pw's of the forum in some kind of encrypted way?
after my registration I got the pw in plain text which kinda bugs me...

even md5 would be fine.

Thanks :)


Wed Feb 10, 2010 2:34 pm

Joined: Sat Jul 25, 2009 6:10 am
Posts: 112
Location: United Kingdom
Post Re: Forum PW's...
Well, I'll assume you're using PHP. Try the MD5 Function:

Let's assume that your user enters their password as plain text (obviously starred out (*****) on the form), and this is stored in the variable "$password". The function would be like so:

Code:
$encryptedPassword = $password;

// md5() returns the 32-character hex digest of its argument
echo md5($encryptedPassword);


You could then add in some other details to get the password and create a login function.

_________________
Thanks,
Michael Sammels

OS Developing is 10% luck, 20% skill, 15% concentrated power of will. 5% pleasure, 50% pain, and a 100% reason continue the game.


Fri Feb 12, 2010 4:50 am

Joined: Wed Feb 10, 2010 6:32 am
Posts: 26
Post Re: Forum PW's...
I don't want to use it for me..
I hope it will be used in this board.

I know how it works, I just wondered why I got my pw plain text per email when I registered...
and I wouldn't use normal md5 anymore.. either sha1 or salted md5 would be safe enough...

but thanks anyways xD


Fri Feb 12, 2010 6:14 am
Site Admin

Joined: Sat Jul 25, 2009 7:44 am
Posts: 274
Location: United Kingdom
Post Re: Forum PW's...
I'm sorry, I don't know any forum systems that deliver passwords to users in an encrypted/hashed form.
I have no idea how the passwords are stored in the database, but this should not be of concern to yourself, unless you are going to post personal/private data on your profile and in your posts.
Even if the passwords are stored via a hashing algorithm, delivery of the password would still be in plain text form, but sent to you before being encrypted/hashed, then stored in the database. A good way to tell if a database is hashed is to follow the lost password link, any site that provides a lost password does not use hashing, because if it did it would have to randomly generate a new one or ask you to provide a new password supplying, for example; answers to personal questions, secret question...

_________________
Thank you for reading,

Kieran C G Foot


Sun Feb 14, 2010 1:20 pm
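
Added example, not part of any post in this thread and not phpBB's own code: storing a salted, slow hash instead of the plain password or a bare md5() digest, upgrading old MD5 rows at login, and handling a lost password with a mailed single-use token. The function names and the $users array (standing in for the user table) are hypothetical.

```php
<?php
// Added example; function names are hypothetical and $users stands in for the user table.

// Registration: store only a salted, slow hash (password_hash() generates the salt).
function register_user(array &$users, string $name, string $password): void {
    $users[$name] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

// Login: verify the stored hash and upgrade legacy unsalted MD5 rows on success.
function login(array &$users, string $name, string $password): bool {
    $stored = $users[$name]['hash'] ?? null;
    if ($stored === null) {
        return false;
    }
    // 32 hex characters: a bare md5() digest left over from the old scheme.
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $legacy ? hash_equals($stored, md5($password))
                  : password_verify($password, $stored);
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Lost password: e-mail a random single-use token; keep only its hash and an expiry.
function start_reset(array &$users, string $name): ?string {
    if (!isset($users[$name])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $users[$name]['reset'] = ['hash' => hash('sha256', $token), 'expires' => time() + 3600];
    return $token; // goes into the e-mailed link, never the password itself
}

function finish_reset(array &$users, string $name, string $token, string $new): bool {
    $reset = $users[$name]['reset'] ?? null;
    if ($reset === null || time() > $reset['expires']
        || !hash_equals($reset['hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$name]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    unset($users[$name]['reset']);
    return true;
}

// Constructed sample data: one legacy row holding a bare md5() digest.
$users = ['alice' => ['hash' => md5('correct horse')]];
login($users, 'alice', 'correct horse');   // accepted, and the row is rehashed
echo $users['alice']['hash'], "\n";        // now a password_hash() string, not MD5
```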

Joined: Sat Jul 25, 2009 9:15 am
Posts: 257
Post Re: Forum PW's...
I am starting to suspect that some of the spam that we get are attempts to break in rather than make money... soooo, I'm gonna ask if anybody here has some hacking knowledge to go and test this system and report back so it can be fixed...


Mon Feb 22, 2010 2:01 pm
Site Admin

Joined: Sat Jul 25, 2009 7:44 am
Posts: 274
Location: United Kingdom
Post Re: Forum PW's...
What do you mean mate?

_________________
Thank you for reading,

Kieran C G Foot


Tue Feb 23, 2010 5:32 am

Joined: Sat Jul 25, 2009 9:15 am
Posts: 257
Post Re: Forum PW's...
what motives do spammers have? I was deleting some spam thinking how could a spammer possibly think he/she can make money doing this... so it dawned on me... hacking... cause I remembered an SQL injection video I watched a while back when the guy said something like... "all you gotta do is get the admin to click on it"...

and I was hoping to have a friendly hacker among us who knew a trick or two and to try it out on the system and then let us know so it can be fixed or watch out for...


Tue Feb 23, 2010 10:05 am
Site Admin

Joined: Sat Jul 25, 2009 7:44 am
Posts: 274
Location: United Kingdom
Post Re: Forum PW's...
I think I have seen the same thing. It's a fault built into the base forum code as I remember. I can take a look into it if you like, but I think Michael may make a better php hacker.

_________________
Thank you for reading,

Kieran C G Foot


Tue Feb 23, 2010 6:23 pm

Joined: Wed Oct 14, 2009 9:39 am
Posts: 198
Location: United States
Post Re: Forum PW's...
This server doesn't have an SSL certificate, so anyway it goes, your password will still be sent unencrypted across the network.

_________________
Charles Timko
push %esp ;Musings of a computer addict


Fri Aug 06, 2010 7:04 am
Site Admin

Joined: Sat Jul 25, 2009 7:44 am
Posts: 274
Location: United Kingdom
Post Re: Forum PW's...
But, since most people will access this website from home, more than likely via a wireless router, possibly with a wired connection for their main computer.

As long as the router is secured and the local exchanges are the then your data is secure from all but government agencies.

As far as I can see the main security risk would be ARP (ARP Poison Routing) to re-route network traffic, but this requires a direct link with the client, which would be hard to achieve if the correct security is used i.e. WPA2 or a network using a Radius server for network authentication.

_________________
Thank you for reading,

Kieran C G Foot


Tue Aug 10, 2010 9:18 am