Author |
Message |
Sharpner
Joined: Wed Feb 10, 2010 6:32 am Posts: 26
|
Forum PW's...
hi, I have a favor to ask... could you store the user pw's of the forum in some kind of encrypted way? after my registration I got the pw in plain text which kinda bugs me... even md5 would be fine. Thanks
|
Wed Feb 10, 2010 2:34 pm |
|
|
Michael
Joined: Sat Jul 25, 2009 6:10 am Posts: 112 Location: United Kingdom
|
Re: Forum PW's...
Well, I'll assume you're using PHP. Try the MD5 function: let's assume that your user enters their password as plain text (obviously starred out (*****) on the form), and this is stored in the variable "$password". The function would be like so:
Code:
// $password holds the plain-text value submitted by the form
$encryptedPassword = $password;
echo md5($encryptedPassword);
You could then add in some other details to get the password and create a login function.
_________________ Thanks, Michael Sammels
OS Developing is 10% luck, 20% skill, 15% concentrated power of will. 5% pleasure, 50% pain, and a 100% reason continue the game.
|
Fri Feb 12, 2010 4:50 am |
|
|
Sharpner
Joined: Wed Feb 10, 2010 6:32 am Posts: 26
|
Re: Forum PW's...
I don't want to use it for me.. I hope it will be used in this board.
I know how it works, I just wondered why I got my pw plain text per email when I registered... and I wouldn't use normal md5 anymore.. either sha1 or salted md5 would be safe enough...
but thanks anyways xD
|
Fri Feb 12, 2010 6:14 am |
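The storage options discussed in the two posts above (plain `md5()`, salted hashes), shown as an added example that is not part of the original thread or of this forum's software: stored bare MD5 digests are checked once at login and replaced with PHP's `password_hash()`, which adds a random per-user salt and a tunable cost. The function names and the `$user` row layout are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the $user row layout (a 'hash' column) is an assumption.

/** Hash a new password: a random salt and a work factor are built in. */
function store_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

/**
 * Check a login. Rows still holding a legacy unsalted MD5 hex digest are
 * verified once and then upgraded in place.
 * Returns [bool $ok, string $hashToStore].
 */
function check_login(string $plain, array $user): array
{
    $stored = $user['hash'];

    // Legacy row: exactly 32 hex characters is treated as a bare md5() digest.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, md5($plain))) {
            return [false, $stored];
        }
        return [true, store_password($plain)];   // upgrade on successful login
    }

    if (!password_verify($plain, $stored)) {
        return [false, $stored];
    }
    // Re-hash if PHP's default algorithm or cost has changed since storage.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = store_password($plain);
    }
    return [true, $stored];
}

// Constructed sample data: two users who chose the same password.
$alice = ['hash' => md5('correct horse')];       // legacy unsalted rows
$bob   = ['hash' => md5('correct horse')];
var_dump($alice['hash'] === $bob['hash']);       // compare the legacy digests

[$ok, $alice['hash']] = check_login('correct horse', $alice);
[, $bob['hash']]      = check_login('correct horse', $bob);
var_dump($ok);                                   // result of the legacy login
var_dump($alice['hash'] === $bob['hash']);       // compare the upgraded hashes
var_dump(check_login('wrong guess', $alice)[0]); // wrong password against new hash
```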
|
|
Kieran
Site Admin
Joined: Sat Jul 25, 2009 7:44 am Posts: 274 Location: United Kingdom
|
Re: Forum PW's...
I'm sorry, I don't know any forum systems that deliver passwords to users in an encrypted/hashed form. I have no idea how the passwords are stored in the database, but this should not be of concern to yourself, unless you are going to post personal/private data on your profile and in your posts. Even if the passwords are stored via a hashing algorithm, delivery of the password would still be in plain text form, but sent to you before being encrypted/hashed, then stored in the database. A good way to tell if a database is hashed is to follow the lost password link, any site that provides a lost password does not use hashing, because if it did it would have to randomly generate a new one or ask you to provide a new password supplying, for example; answers to personal questions, secret question...
_________________ Thank you for reading,
Kieran C G Foot
|
Sun Feb 14, 2010 1:20 pm |
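The "randomly generate a new one" path mentioned in the post above, sketched as an added example that is not part of the original thread or of this forum's software: a site that stores only password hashes e-mails a single-use, expiring reset token and keeps just the token's digest. The function names and the `$row` layout (standing in for a password-reset table) are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; $row stands in for one record of a password-reset table.

/** Create a reset request. Returns [token to e-mail, row to store]. */
function issue_reset(int $userId, int $now, int $ttl = 3600): array
{
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    $row = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $token),   // only the digest is stored
        'expires_at' => $now + $ttl,
        'used'       => false,
    ];
    return [$token, $row];
}

/** Redeem a token: on success mark it used and return the new password hash. */
function redeem_reset(string $token, string $newPassword, array &$row, int $now): ?string
{
    if ($row['used'] || $now > $row['expires_at']) {
        return null;                              // single use, limited lifetime
    }
    // Constant-time comparison of the stored digest with the presented token's.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    $row['used'] = true;
    return password_hash($newPassword, PASSWORD_DEFAULT);
}

// Constructed walk-through with a fixed clock value.
$now = 1266153600;
[$token, $row] = issue_reset(42, $now);
var_dump(redeem_reset('not-the-token', 'n3w passphrase', $row, $now + 60));   // wrong token
var_dump(redeem_reset($token, 'n3w passphrase', $row, $now + 7200));          // past expiry
var_dump(is_string(redeem_reset($token, 'n3w passphrase', $row, $now + 60))); // valid use
var_dump(redeem_reset($token, 'n3w passphrase', $row, $now + 120));           // replay
```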
|
|
DudeOfX
Joined: Sat Jul 25, 2009 9:15 am Posts: 257
|
Re: Forum PW's...
I am starting to suspect that some of the spam that we get are attempts to break in rather than make money... soooo, I'm gonna ask if anybody here has some hacking knowledge to go and test this system and report back so it can be fixed...
|
Mon Feb 22, 2010 2:01 pm |
|
|
Kieran
Site Admin
Joined: Sat Jul 25, 2009 7:44 am Posts: 274 Location: United Kingdom
|
Re: Forum PW's...
What do you mean mate?
_________________ Thank you for reading,
Kieran C G Foot
|
Tue Feb 23, 2010 5:32 am |
|
|
DudeOfX
Joined: Sat Jul 25, 2009 9:15 am Posts: 257
|
Re: Forum PW's...
what motives do spammers have? I was deleting some spam thinking how could a spammer possibly think he/she can make money doing this... so it dawned on me... hacking... cause I remembered an SQL injection video I watched a while back when the guy said something like... "all you gotta do is get the admin to click on it"...
and I was hoping to have a friendly hacker among us who knew a trick or two and to try it out on the system and then let us know so it can be fixed or watch out for...
|
Tue Feb 23, 2010 10:05 am |
|
|
Kieran
Site Admin
Joined: Sat Jul 25, 2009 7:44 am Posts: 274 Location: United Kingdom
|
Re: Forum PW's...
I think I have seen the same thing. It's a fault built into the base forum code as I remember. I can take a look into it if you like, but I think Michael may make a better php hacker.
_________________ Thank you for reading,
Kieran C G Foot
|
Tue Feb 23, 2010 6:23 pm |
|
|
ctimko
Joined: Wed Oct 14, 2009 9:39 am Posts: 198 Location: United States
|
Re: Forum PW's...
This server doesn't have an SSL certificate, so anyway it goes, your password will still be sent unencrypted across the network.
_________________ Charles Timko push %esp ;Musings of a computer addict
|
Fri Aug 06, 2010 7:04 am |
|
|
Kieran
Site Admin
Joined: Sat Jul 25, 2009 7:44 am Posts: 274 Location: United Kingdom
|
Re: Forum PW's...
But, since most people will access this website from home, more than likely via a wireless router, possibly with a wired connection for their main computer.
As long as the router is secured and the local exchanges are the then your data is secure from all but government agencies.
As far as I can see the main security risk would be ARP (Arp Poison Routing) to re-route network traffic, but this requires a direct link with the client, which would be hard to achieve if the correct security is used i.e. WPA2 or a network using a Radius server for network authentication.
_________________ Thank you for reading,
Kieran C G Foot
|
Tue Aug 10, 2010 9:18 am |
|
|