TSM Forums

Dealing with Stolen Passwords, please read

Should We Change to email logins?  

36 members have voted

  1. Should we?

    • Yes
      20
    • No
      16



Guest cobainwasmurdered

Recently there have been a number of old accounts stolen and used to spam the board as well as other attacks. The new admin group has been talking with the big boss (Mike aka Adminbot) and he suggests switching to everyone logging in with their email addy instead of whatever name they are using on the forum to make it harder for the accounts to be stolen.

 

I know that a lot of people don't use the same email addys as when they joined so I made this a poll.

Guest cobainwasmurdered

We can also inform via pm anyone who needs to know what their email is, and they can change the email account in the control panel.


To change your email do the following: Click MY CONTROLS (top right of the forums) --> Look for Change Email Address (on the left side menu, under options) --> here it will display your current email and also give you a chance to change your email. If you change it, you will have to confirm it by clicking a link in the email it sends you.


I think it's an okay idea. Has there been any consideration made to deleting old accounts that haven't been used in the past couple of years? Seems like that is the source for many of the stolen accounts.


Just delete them as they become a problem, or implement a more stringent password policy (like 8 character minimum or a letter/# combo).


Deleting old accounts will speed things up around here as well...not by a whole ton, mind you, but they do take up bandwidth that might as well be used for something else.

 

Have fun taking on THAT endeavor...it was bad enough at the Pit where we haven't had a fraction of what this place has.

Guest Kesh

If you kids didn't publicly announce this, you could have stopped this. But, too late.

 

Go ahead and inconvenience every poster though. :)


http://forums.invisionpower.com/lofiversio...hp/t166146.html

Above is a link to some post about IPB's password security algorithms in 2005. Back then, these were near impossible to break. Today, it's near impossible (by the known methods at least).

 

I know a lot of this doesn't make sense, but basically the way the password algorithm currently works is you have a randomly generated number on your computer stored as a cookie. This is referred to as a "salt" in the MD5 world. When you come to log in, this randomly generated sequence and your password (in MD5 form) are combined. They equal a sum which must match the server's. So to really break in to an account password, you have to get that salt from your computer. However, as time tells us, there are always security issues with software; generally all the ones that allow people to cause trouble or account hijacks on forums are caused by text in the post. I.e. posting special codes or commands, etc. in a topic is how most attacks are done. Also, the ONLY way to access the raw MySQL database is to be on the server itself. This is the only place to get even part of your password in the decoded form.

 

What I tell everyone who brings up passwords is to make up at least 3 levels of passwords; you can do two or nine, that's up to you. Each level is for certain types of accounts.

  1. Common accounts | i.e. your TSM password is what you would want to use with all the other sites you don't care about...FaceBook, YouTube, etc.
  2. Semi-Secure/Important Accounts | i.e. your email accounts (Yahoo, MSN, Gmail), or ISP accounts or web hosting.
  3. Important/Critical Accounts | Lastly, you use the 3rd level for bank information, and everything of utmost importance.

 

Your password in my opinion should ALWAYS be at least 8 characters long and include a number and a symbol. It has been proven that, even if a hacker has what they need, an 8 character password containing a number and symbol, given the possibilities, will take several thousand times longer to break than a name, or even worse a simple 8 digit number as a password. Also if you follow this rule, you won't have to make up more passwords because this fits the requirements of nearly every other website, i.e. banks, ISPs, etc.

Guest Kliqster
Just a small correction. The salt (which is a combination of letters, numbers and symbols) isn't stored in a cookie on the user's PC, it's stored in the database in plain text. The hash generated from the result of combining the salt and the user's password is also stored.

 

The only thing that is stored in a cookie is the hash of the user's actual password, and while it could possibly be stolen using XSS it's useless without the salt.


Interesting information. I looked in my cookies and wasn't able to find a hash that matched what's stored on the server. However if I give you guys a hash & salt, does anyone think they can break the code? I tried with a few tools & unless your password is numbers only or a single word in the dictionary you can forget trying to find it.


Any other orders while I'm in the kitchen?

Guest Kliqster
No that's right, the user's password hash isn't stored on the server any more, only the hash of the salt and password mixed together.

 

The actual hash stored on the server (in the ibf_members_converge table, the field named converge_pass_hash) is generated in the following manner:

 

md5( md5( $salt ) . $md5_once_password )

 

$salt being the plain text version of the user's randomly generated salt (also stored in the ibf_members_converge table), and $md5_once_password being the MD5 hash of the user's actual password (stored in cookies only).


Ok, so even with access to the database, you couldn't find members' passwords, is that correct? You need a combination of the hash in their cookie & what's on the server.
