Guest cobainwasmurdered Posted March 26, 2008: Recently there have been a number of old accounts stolen and used to spam the board, as well as other attacks. The new admin group has been talking with the big boss (Mike aka Adminbot) and he suggests switching to everyone logging in with their email addy instead of whatever name they are using on the forum, to make it harder for the accounts to be stolen. I know that a lot of people don't use the same email addys as when they joined, so I made this a poll.
Ted the Poster Posted March 26, 2008: It's easy to find the email address you joined with (and change it, if need be) in your profile. No problem.
Guest cobainwasmurdered Posted March 26, 2008: We can also inform via PM anyone who needs to know what their email is, and they can change the email account in the control panel.
Mike Posted March 26, 2008: To change your email do the following: Click MY CONTROLS (top right of the forums) --> Look for Change Email Address (on the left side menu, under Options) --> here it will display your current email and also give you a chance to change your email. If you change it, you will have to confirm it by clicking a link in the email it sends you.
Cheech Tremendous Posted March 26, 2008: I think it's an okay idea. Has there been any consideration made to deleting old accounts that haven't been used in the past couple of years? Seems like that is the source for many of the stolen accounts.
MrRant Posted March 26, 2008: Just delete them as they become a problem, or implement a more stringent password policy (like an 8 character minimum or a letter/# combo).
Twisted Intestine Posted March 26, 2008: But then the hackers will not only get our TSM account but also have access to our email? Edit: Never mind, that's only if we use the same password.
Dandy Posted March 26, 2008: Not unless you use the same password for your email password and they randomly guess your email login.
Twisted Intestine Posted March 26, 2008: I hear Leena's pretty good at randomly guessing. I don't trust it.
Black Lushus Posted March 26, 2008: Deleting old accounts will speed things up around here as well... not by a whole ton, mind you, but they do take up bandwidth that might as well be used for something else. Have fun taking on THAT endeavor... it was bad enough at the Pit, where we haven't had a fraction of what this place has.
The Niggardly King Posted March 26, 2008: I happen to use the same password for everything and I have no problems.
Guest Kesh Posted March 26, 2008: If you kids didn't publicly announce this, you could have stopped this. But, too late. Go ahead and inconvenience every poster though.
Mike Posted March 27, 2008: http://forums.invisionpower.com/lofiversio...hp/t166146.html Above is a link to some post about IPB's password security algorithms in 2005. Back then, these were near impossible to break. Today, it's near impossible (by the known methods at least). I know a lot of this doesn't make sense, but basically the way the password algorithm currently works is that you have a randomly generated number on your computer stored as a cookie. This is referred to as a "salt" in the MD5 world. When you come to log in, this randomly generated sequence is combined with your password (in MD5 form). They equal a sum which must match the server's. So to really break in to an account password, you have to get that salt from your computer. However, as time tells us, there are always security issues with software; generally all the ones that allow people to cause trouble or account hijacks on forums are caused by text in the post. I.e. posting special codes or commands, etc. in a topic is how most attacks are done. Also, the ONLY way to access the raw MySQL database is to be on the server itself. This is the only place to get even part of your password in the decoded form. What I tell everyone who brings up passwords is to make up at least 3 levels of passwords; you can do two or nine, that's up to you. Each level is for certain types of accounts.
Common accounts | i.e. your TSM password is what you would want to use with all the other sites you don't care about... FaceBook, YouTube, etc.
Semi-Secure/Important Accounts | i.e. your email accounts (Yahoo, MSN, Gmail, or ISP accounts or web hosting).
Important/Critical Accounts | Lastly, you use the 3rd level for bank information, and everything of utmost importance.
Your password in my opinion should ALWAYS be at least 8 characters long and include a number and a symbol.
It has been proven, even if a hacker has what they need, that an 8 character password containing a number and symbol, given the possibilities, will take several thousand times longer to break than a name, or even worse a simple 8 digit number as a password. Also if you follow this rule, you won't have to make up more passwords, because this fits the requirements of nearly every other website, i.e. banks, ISPs, etc.
Guest Kliqster Posted March 27, 2008 (quoting Mike's post above): Just a small correction. The salt (which is a combination of letters, numbers and symbols) isn't stored in a cookie on the user's PC, it's stored in the database in plain text. The hash generated from the result of combining the salt and the user's password is also stored. The only thing that is stored in a cookie is the hash of the user's actual password, and while it could possibly be stolen using XSS it's useless without the salt.
DrVenkman PhD Posted March 27, 2008: Something I've wondered - do admins have a master list of passwords, or is that hidden even from them?
Black Lushus Posted March 27, 2008: Yeah, I was going to say, we don't have that sort of access at the Pit. If anyone loses their password, all I can do is give them a new one.
DrVenkman PhD Posted March 27, 2008: Ok, that's what I assumed. Good to know (and I guess I can change my password at The Pit now that I know Lushus won't use it to hack attack me).
Mike Posted March 27, 2008: Interesting information. I looked in my cookies and wasn't able to find a hash that matched what's stored on the server. However, if I give you guys a hash & salt, anyone think they can break the code? I tried with a few tools & unless your password is numbers only or a single word in the dictionary you can forget trying to find it.
Mike Posted March 27, 2008: http://www.bigroom.co.uk/blog/php-password-security The above article is interesting for those who are interested in this matter. Regarding access to the actual database on the server, I am the only one with access to the actual database, not all the admins or moderators.
The Niggardly King Posted March 27, 2008: Hash & salt, you making hash browns in this bitch? I'll take a plate, Adminbot.
Guest Kliqster Posted March 28, 2008 (quoting Mike's post above): No, that's right, the user's password hash isn't stored on the server any more, only the hash of the salt and password mixed together. The actual hash stored on the server (in the ibf_members_converge table, the field named converge_pass_hash) is generated in the following manner:
md5( md5( $salt ) . $md5_once_password )
$salt being the plain text version of the user's randomly generated salt (also stored in the ibf_members_converge table), and $md5_once_password being the MD5 hash of the user's actual password (stored in cookies only).
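The scheme Kliqster lays out, written out in Python as an added illustration (this is not IPB's code; the salt length and alphabet and the column name "salt" are assumptions, since the thread names only converge_pass_hash). It keeps the database row and the cookie value apart so you can check for yourself what each one does and does not let the server verify.

```python
import hashlib
import secrets
import string

# Added example, not IPB's own code: the storage scheme described in the
# thread, with the plaintext salt in the database row and the md5-once
# hash in the cookie handled as two separate values.

def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def generate_salt(length: int = 5) -> str:
    # Salt length and alphabet are assumptions, not values from the thread.
    alphabet = string.ascii_letters + string.digits + "!@#$%"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def converge_pass_hash(salt: str, md5_once_password: str) -> str:
    # The expression quoted in the thread: md5( md5( $salt ) . $md5_once_password )
    return md5_hex(md5_hex(salt) + md5_once_password)

def register(password: str, salt: str = "") -> dict:
    # Constructed stand-in for one ibf_members_converge row. The column name
    # "salt" is an assumption; the thread names only converge_pass_hash.
    # The password itself is never written to the row.
    salt = salt or generate_salt()
    return {"salt": salt,
            "converge_pass_hash": converge_pass_hash(salt, md5_hex(password))}

def cookie_value(password: str) -> str:
    # Per Kliqster's correction, the cookie carries only md5(password).
    return md5_hex(password)

def verify_login(row: dict, submitted_password: str) -> bool:
    # Server-side check: rebuild the combined hash from the stored salt and
    # the md5 of the submitted password, then compare in constant time.
    candidate = converge_pass_hash(row["salt"], md5_hex(submitted_password))
    return secrets.compare_digest(candidate, row["converge_pass_hash"])

def cookie_matches_stored_hash(row: dict, cookie_hash: str) -> bool:
    # Mike's observation: the cookie hash never equals the stored value,
    # because the salt is mixed into what the server keeps.
    return cookie_hash == row["converge_pass_hash"]
```

Note that MD5 is a fast hash, so a copied table with its salts still lets weak passwords be guessed offline, which is exactly Mike's "numbers only or a single dictionary word" point; the salt stops precomputed tables, not guessing.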
Mike Posted March 28, 2008: Ok, so even with access to the database, you couldn't find members' passwords, is that correct? You need a combination of the hash in their cookie & what's on the server.
Slayer Posted March 28, 2008: hash salt cookies Message boarding really whets my appetite
Dandy Posted March 28, 2008: Plus there is a server to bring it all to you. (Sorry for Stocktoning your post.)
Black Lushus Posted March 29, 2008: I think that was more Marbury-ing his post.
Dandy Posted March 29, 2008: I didn't hog the ball and rape a girl. Not this time.