BOB: Business Objects Board
Not endorsed by or affiliated with SAP


Public Service Announcement: Password Security

Author Message
Site Administrator

Joined: 06 Jun 2002

Posts: 1253
Location: I Live Here

PostPosted: Fri Feb 13, 2009 9:49 am 
Post subject: Public Service Announcement: Password Security

Hi, you may or may not know (or care) that BOB is run using software from the phpBB Group. Recently their web site ( was hacked due to an exploit in a different software package, and their entire user database was downloaded and posted on the Internet. How does this affect you?

Well in one sense it doesn't. We're not running the other package that was the source of the security hole here. In fact, we're not running anything but phpbb2. The version we're running is up to date. However, the reason was hacked was the exploit was discovered and used before it was announced, which is called a "zero day" exploit because the team had zero days to prepare and fix their server.

At the same time this was going on, another site running phpbb2 (and a few other things) was also hacked by some unknown vector. The site remains offline while investigations continue. The attacker was once again (once they uploaded their backdoor / toolkit to the server) able to get into the database and do whatever they wanted. Ultimately they dropped the entire thing.

While the chances are slim, that could happen to us. So what does this mean?

From a server perspective, we have code backups that were taken prior to and after the last code upgrade. We have backups downloaded to an off-site RAID array every night. In that sense the maximum exposure we have (assuming we can find and close the hole used by the attacker quickly) is 24 hours of activity.

What about you and your information?

phpBB2 uses the md5() hashing algorithm to store passwords. The passwords are hashed rather than encrypted, which is significant in that hashes are one-way functions while encryption is a two-way function. Encryption is meant to be reversed. Hashing is not. But people are quite fond of passwords and often use the same one on more than one site. People are also less creative when it comes to remembering passwords; it's much easier to remember that "Fluffy" was the name of your first pet than remember that weird password like "x&!34w09*la?" instead. Yet "Fluffy" is what is called a dictionary word and there are tables on the Internet that allow an attacker to take a password hash and match it against all known dictionary words and try to find a match. Once they find a match, they can do a reverse-lookup and figure out your password.

We are investigating an upgrade to our password hashing algorithm. However, while that process is underway, we strongly encourage you to do several things.

First, and most important, do not use a password on BOB that you use anywhere else. Every site you visit on the web should have a unique password. That way if a database (ours or someone else's) is compromised, it's only that site information that is at risk.

Second, if you are using a "Fluffy" style password, please consider changing it right away. Even a mix of upper and lower case letters like "FlUfFy" makes the password much harder to match. Adding just one special symbol "fluffy!" also affects the hash and makes the password harder to reveal.

Third, consider using a throw-away email address for joining online sites like BOB. Many of you use your work email addresses and that's certainly fine. However, if the BOB user database is ever exposed, that will almost certainly result in your email address being added to many spammer databases. It might be easier to switch to something like a yahoo or hotmail account. It would be even better if the email address was only used for BOB, so if it's ever compromised you can simply drop it and move on to the next option. If you own a web domain, you quite frequently can set up "unlimited" email addresses. Setting up something like would allow you to have an email address unique to this site that you can throw away.

Last, be very careful about posting anything private on the web. One of the topics in a private forum at included personal phone numbers of various team members. That topic was ultimately posted in public. One of the strongest lessons about Internet use that I remember comes from the email signature of the founder of the BUSOB-L mailing list. He wrote it over ten years ago, and it's still as appropriate today.
Treat anything you write on the Internet as public. Because it could be.

There are nasty people out there, be careful, and be safe. Thanks.

It is not enough for a handful of experts to attempt the solution of a problem, to solve it and then to apply it. The restriction of knowledge to an elite group destroys the spirit of society and leads to its intellectual impoverishment.
-- Albert Einstein
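The post above describes why a bare md5() of a dictionary-word password can be recovered from a leaked database with a precomputed lookup table, and says BOB is looking at upgrading its hashing. The following is an added illustration, not code from the original post or from phpBB: it builds a tiny lookup table from a constructed wordlist, shows that an unsalted md5 hash of "Fluffy" is matched instantly while a hash of a random password is not, and contrasts that with the per-user salted, iterated scheme (PBKDF2-HMAC-SHA256 from Python's standard library, an assumed choice of "upgraded algorithm") that makes a shared precomputed table useless. The wordlist, iteration count and storage format are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for "all known dictionary words" (assumption).
WORDLIST = ["password", "Fluffy", "letmein", "dallas", "businessobjects"]


def md5_hex(password: str) -> str:
    """phpBB2-style storage as described in the post: a bare, unsalted md5() of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> word once. Because there is no salt, one table matches every user
    on every site that stores unsalted md5, which is why such tables circulate."""
    return {md5_hex(w): w for w in words}


def reverse_lookup(stored_hash: str, table: dict):
    """The 'reverse-lookup' step from the post: a plain dictionary hit on the stored hash."""
    return table.get(stored_hash)


# Assumed upgraded scheme: random per-user salt plus an iterated key-derivation function.
def hash_password(password: str, iterations: int = 200_000) -> str:
    salt = os.urandom(16)  # fresh random salt per user, so no two users share a hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Storage format is an assumption for this example: algo$iterations$salt$hash
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted md5 of 'Fluffy' ->", reverse_lookup(md5_hex("Fluffy"), table))
    print("unsalted md5 of 'x&!34w09*la?' ->", reverse_lookup(md5_hex("x&!34w09*la?"), table))
    stored = hash_password("Fluffy")
    print("salted record:", stored)
    print("verify 'Fluffy':", verify_password("Fluffy", stored))
    print("verify 'fluffy':", verify_password("fluffy", stored))
```

Two things to notice when running it: the salted record for the same password differs on every call, so a table computed once cannot be reused across users or sites, and each guess has to be run through the full iteration count, which is what makes guessing expensive. The capitalisation tweak suggested in the post ("FlUfFy") only helps against a plain wordlist; a unique password per site, as the post's first recommendation says, is the change that actually limits the damage of one leaked database.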
Nick Daniels
Forum Aficionado

Joined: 15 Aug 2002

Posts: 14220
Location: England

PostPosted: Fri Feb 13, 2009 1:45 pm 
Post subject: Re: Public Service Announcement: Password Security

It is worth mentioning that a small minority of people use an email address as their username. I've just seen one today and it's not a good idea!
Dave Rathbun
Forum Advocate

Joined: 06 Jun 2002

Posts: 22111
Location: Dallas, Texas

PostPosted: Fri Feb 13, 2009 2:08 pm 
Post subject: Re: Public Service Announcement: Password Security

Nick, there are different schools of thought on that. I don't envision creating a rule that says you cannot use an email address for a username because often that's the only thing a person has that they can remember that is also unique.

But you should never use an email address or username as part of your password.

Mitra Moini
Forum Associate

Joined: 31 Aug 2002

Posts: 714
Location: In front of my laptop!

PostPosted: Tue Feb 17, 2009 5:57 pm 
Post subject: Re: Public Service Announcement: Password Security

Thanks for letting us know Dave.

Forum Fanatic

Joined: 12 May 2008
Posts: 6573

PostPosted: Wed Feb 18, 2009 1:08 am 
Post subject: Re: Public Service Announcement: Password Security

Done and thanks!
Search is your friend.
I can do all things through Christ who strengthens me. Philippians 4 : 13
God is your protective shade! Wanna read about Your protective shade?!