BOB: Business Objects Board
Not endorsed by or affiliated with SAP


BOB has moved! Our current platform (the one you are reading right now) is over 18 years old. Rather than continue here, the community has moved to a new software platform! We are excited about the move and hope that you'll come with us.

The new community URL is https://bobj-board.org/.

User accounts have not been converted. In order to participate on the new platform you will need to create a new account. Existing posts have been retroactively assigned to your user name, but are associated with an anonymous account. No personal information (email address and so on) has been transferred to the new platform.

If you have any questions, the "About BOB" forum will remain open for the remainder of 2020, at which point it will be replaced by a static page directing folks to the new community.

Thank you for your support and participation for the past 18 years.

phpBB passwords


 
Search this topic... | Search About BOB... | Search Box
Register or Login to Post    Forum Index -> About BOB  Previous TopicPrint TopicNext Topic
Author Message
kbrazell
Principal Member



Joined: 19 Aug 2003

Posts: 206
Location: DFW Metroplex (but mobile) I applied to Mars One


Posted: Tue Sep 03, 2019 3:47 pm
Post subject: phpBB passwords

Another big site just got hacked.

https://www.engadget.com/2019/09/03/xkcd-forum-breach-exposes-details-from-over-560-000-user-account/

I'm not sure what method of password storage is used here, but the assumption that some vulnerability in the DB or the webserver may expose data beyond the control of the phpBB software itself may not be out of order.

I have a few spare cycles if throwing bodies at a task like updating an encrypt method and modifying code to allow two password tables to exist (one for users that have not yet updated their PW and another table for users that have updated their PW) might help.

_________________
Kyle Brazell
General Contractor
BI Developer.....................BOBJ XIr3, on Oracle 8, 8i, 10g, 11g, with HP-UX, AIX, Linux
IoT Developer
Web Developer
Embedded System Programmer
Bob
Site Administrator



Joined: 06 Jun 2002

Posts: 1253
Location: I Live Here



Posted: Tue Oct 15, 2019 5:48 pm
Post subject: Re: phpBB passwords

Any word if phpBB was the vector for the attack, or just the victim? In other words, if they got onto the server somehow and downloaded the database that's different from phpBB being where the vulnerability is.

phpBB3 uses salted passwords. phpBB2 does not, which makes it more vulnerable to dictionary / rainbow attacks once the hashed content is retrieved.

_________________
It is not enough for a handful of experts to attempt the solution of a problem, to solve it and then to apply it. The restriction of knowledge to an elite group destroys the spirit of society and leads to its intellectual impoverishment.
-- Albert Einstein
kbrazell
Principal Member



Joined: 19 Aug 2003

Posts: 206
Location: DFW Metroplex (but mobile) I applied to Mars One


Posted: Wed Oct 23, 2019 3:30 pm
Post subject: Re: phpBB passwords

I could find no info about it but there is a post on phpBB forums about it.

I guess the only info to glean from that thread is that old passwords need to be updated with the latest encryption method.

I guess the way to do that without forcing everyone to update their password is to simply add an encryption layer and store the doubly encrypted value instead of the old singly encrypted value.

Old way:
user enters pw > encrypt it > compare to encrypted to permit or deny access

New way:
encrypt old encrypted pw store > new encrypted store
user enters pw > encrypt it > encrypt it again > compare to encrypted to permit or deny access

_________________
Kyle Brazell
General Contractor
BI Developer.....................BOBJ XIr3, on Oracle 8, 8i, 10g, 11g, with HP-UX, AIX, Linux
IoT Developer
Web Developer
Embedded System Programmer
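The two-step scheme Kyle sketches above (wrap the stored hash offline, then verify by hashing twice) and Bob's earlier point about salted versus unsalted storage can both be shown in a few dozen lines. The block below is an added example written for this thread; it is not phpBB code and not code from either poster. It is in Python rather than PHP purely so it can be run and checked stand-alone. It assumes a phpBB2-style legacy record holds an unsalted MD5 hex digest of the password (the thread only says phpBB2 hashes are not salted; MD5 is this example's assumption), and it uses PBKDF2-HMAC-SHA256 with a per-user random salt as the "new encryption layer". The third step, which the thread does not mention, is the part that makes the wrapping worthwhile: once a user logs in successfully, the plaintext is in hand, so the record can be re-hashed directly and the MD5 layer dropped for good.

```python
import hashlib
import hmac
import os

# Constructed record formats (assumptions for this example, not phpBB's):
LEGACY_MD5 = "md5"          # phpBB2 style: unsalted MD5 hex digest
WRAPPED = "pbkdf2(md5)"     # migration step: PBKDF2 over the old digest, salted
DIRECT = "pbkdf2"           # final form: PBKDF2 over the password itself
ITERATIONS = 100_000        # work factor; raise for production use


def legacy_hash(password: str) -> str:
    """Unsalted MD5 hex digest: identical passwords give identical hashes,
    which is exactly what makes rainbow/dictionary attacks cheap."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def wrap_legacy(record: dict) -> dict:
    """Offline migration of one stored record. No password is needed:
    the old digest is treated as the 'password' for the new salted hash,
    so the whole table can be converted in one batch run."""
    if record["scheme"] != LEGACY_MD5:
        raise ValueError("only legacy records can be wrapped")
    salt = os.urandom(16)
    return {
        "scheme": WRAPPED,
        "salt": salt,
        "hash": pbkdf2(record["hash"].encode(), salt),
    }


def verify(record: dict, password: str) -> tuple[bool, dict]:
    """Check a login attempt against a record of any scheme.

    Returns (ok, record). When a WRAPPED record verifies, the returned
    record is already upgraded to DIRECT and should be written back.
    Comparisons use compare_digest to avoid timing leaks."""
    scheme = record["scheme"]

    if scheme == LEGACY_MD5:
        ok = hmac.compare_digest(record["hash"], legacy_hash(password))
        return ok, record

    if scheme == WRAPPED:
        # "encrypt it > encrypt it again": MD5 first, then the salted PBKDF2
        candidate = pbkdf2(legacy_hash(password).encode(), record["salt"])
        ok = hmac.compare_digest(record["hash"], candidate)
        if ok:
            # Plaintext is available now, so drop the MD5 layer entirely.
            salt = os.urandom(16)
            record = {"scheme": DIRECT, "salt": salt,
                      "hash": pbkdf2(password.encode(), salt)}
        return ok, record

    if scheme == DIRECT:
        candidate = pbkdf2(password.encode(), record["salt"])
        return hmac.compare_digest(record["hash"], candidate), record

    raise ValueError(f"unknown scheme {scheme!r}")


def same_password_collides(scheme_builder, password: str) -> bool:
    """True if two users with the same password end up with identical stored
    hashes under the given builder. Demonstrates why salting matters."""
    a = scheme_builder(password)
    b = scheme_builder(password)
    return a["hash"] == b["hash"]


def build_legacy(password: str) -> dict:
    return {"scheme": LEGACY_MD5, "hash": legacy_hash(password)}


def build_wrapped(password: str) -> dict:
    return wrap_legacy(build_legacy(password))


if __name__ == "__main__":
    # Constructed walk-through: one legacy user migrated, then logging in.
    stored = build_wrapped("correct horse")
    ok, stored = verify(stored, "correct horse")
    print("login ok:", ok, "| record now:", stored["scheme"])
    print("legacy collides:", same_password_collides(build_legacy, "hunter2"))
    print("wrapped collides:", same_password_collides(build_wrapped, "hunter2"))
```

The wrapped form removes the offline-cracking advantage of a stolen unsalted table immediately, without a forced password reset; the upgrade-on-login step is what eventually removes the fast MD5 pass from the chain altogether, which is why the verifier hands back a possibly-changed record for the caller to persist.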