BOB: Business Objects Board
Not endorsed by or affiliated with SAP

phpBB passwords
kbrazell (Principal Member)
Joined: 19 Aug 2003 | Posts: 185 | Location: DFW Metroplex (but mobile) I applied to Mars One
Posted: Tue Sep 03, 2019 3:47 pm
Post subject: phpBB passwords

Another big site just got hacked.

https://www.engadget.com/2019/09/03/xkcd-forum-breach-exposes-details-from-over-560-000-user-account/

I'm not sure what method of password storage is used here, but the assumption that some vulnerability in the DB or the webserver may expose data beyond the control of the phpBB software itself may not be out of order.

I have a few spare cycles if throwing bodies at a task like updating an encrypt method and modifying code to allow two password tables to exist (one for users that have not yet updated their PW and another table for users that have updated their PW) might help.

_________________
Kyle Brazell
BOBJ XIr3
Oracle ... 10g, 11g
on HP-UX, AIX, Linux

Web Developer
Oracle ... 11g
on Linux (via OSX)

IoT Developer
Embedded System Programmer

Bob (Site Administrator)
Joined: 06 Jun 2002 | Posts: 1338 | Location: I Live Here
Posted: Tue Oct 15, 2019 5:48 pm
Post subject: Re: phpBB passwords

Any word if phpBB was the vector for the attack, or just the victim? In other words, if they got onto the server somehow and downloaded the database that's different from phpBB being where the vulnerability is.

phpBB3 uses salted passwords. phpBB2 does not, which makes it more vulnerable to dictionary / rainbow attacks once the hashed content is retrieved.

_________________
It is not enough for a handful of experts to attempt the solution of a problem, to solve it and then to apply it. The restriction of knowledge to an elite group destroys the spirit of society and leads to its intellectual impoverishment.
-- Albert Einstein

kbrazell (Principal Member)
Joined: 19 Aug 2003 | Posts: 185 | Location: DFW Metroplex (but mobile) I applied to Mars One
Posted: Wed Oct 23, 2019 3:30 pm
Post subject: Re: phpBB passwords

I could find no info about it but there is a post on phpBB forums about it.

I guess the only info to glean from that thread is that old passwords need to be updated with the latest encryption method.

I guess the way to do that without forcing everything to update their password is to simply add an encryption layer and store the doubly encrypted value instead of the old singly encrypted value.

old way
user enters pw > encrypt it > compare to encrypted to permit or deny access

new way
encrypt old encrypted pw store > new encrypted store
user enters pw > encrypt it > encrypt it again > compare to encrypted to permit or deny access

_________________
Kyle Brazell
BOBJ XIr3
Oracle ... 10g, 11g
on HP-UX, AIX, Linux

Web Developer
Oracle ... 11g
on Linux (via OSX)

IoT Developer
Embedded System Programmer
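The "new way" sketched in the post above, as an added example that is not phpBB's own code: the stored legacy hash (phpBB2 kept an unsalted MD5 of the password) is wrapped offline in a salted, iterated layer, login applies both layers in order, and a successful login, when the plaintext is in hand, replaces the wrapped record with one that no longer depends on MD5 at all. The use of PBKDF2-HMAC-SHA256, the iteration count and the record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Added example, not phpBB code. Assumed parameters: PBKDF2-HMAC-SHA256 as the
# outer layer and 200k iterations; the legacy inner layer is unsalted MD5.
ROUNDS = 200_000


def legacy_hash(password: str) -> str:
    """The old single layer: unsalted MD5 hex digest (phpBB2 style)."""
    return hashlib.md5(password.encode()).hexdigest()


def wrap_legacy(old_md5_hex: str, salt: bytes = b"") -> dict:
    """Offline migration step: derive a salted record from the stored MD5.
    No plaintext is needed, so this can run over the whole user table."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", old_md5_hex.encode(), salt, ROUNDS)
    return {"salt": salt, "hash": dk, "wrapped": True}


def verify(password: str, record: dict) -> bool:
    """Login path: apply the old layer (only for wrapped records), then the
    new layer, and compare in constant time."""
    inner = legacy_hash(password) if record["wrapped"] else password
    dk = hashlib.pbkdf2_hmac("sha256", inner.encode(), record["salt"], ROUNDS)
    return hmac.compare_digest(dk, record["hash"])


def verify_and_upgrade(password: str, record: dict) -> tuple:
    """On a successful login the plaintext is available, so drop the MD5
    layer and store a record that depends only on the new scheme."""
    if not verify(password, record):
        return False, record
    if record["wrapped"]:
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
        record = {"salt": salt, "hash": dk, "wrapped": False}
    return True, record


def demo() -> bool:
    # Constructed sample: one row as it would sit in the old table.
    old_row = legacy_hash("correct horse battery staple")
    rec = wrap_legacy(old_row)
    ok, rec = verify_and_upgrade("correct horse battery staple", rec)
    return ok and not rec["wrapped"] and not verify("wrong password", rec)
```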