Game:

The Spam Club

» The Spam Club - Announcements - Important Stuff - Password Security Update
ReplyNew TopicNew Poll

Password Security Update

Posted at 16:54 on December 1st, 2006 | Quote | Edit | Delete
Avatar
Admin
Reborn Gumby
Posts: 8938
I've updated the script for enhanced password security. When I first started the Spam Board, the MD5 hash was already on the decline, but still ok. Nowadays, it's completely broken and it doesn't offer any real security anymore, so now something better is used (along with several other improvements for the passwords).

The downside is that your old passwords won't work anymore. Please use the 'Lost Password' function in the top menu to have a new password generated and sent to you. In case an outdated e-mail address is listed in the database, please contact me directly. After receiving your new password, you can of course change it to anything you like (including your old password) again by editing your profile.

Last, but not least, a note on version numbers. After rewriting much of the SQL queries (see last announcement), this has gone too far from what I wanted to do with version 5. So I'm demoting this script to the previously skipped version 4. More honest anyway.

Ah, yes, and it would be nice if one or two people could just reply so that I can see they succeeded in getting their new passwords.
-----
Now you see the violence inherent in the system!
-----
Edited by Mr Creosote at 17:35 on December 1st, 2006
Posted at 20:43 on December 1st, 2006 | Quote | Edit | Delete
Avatar
Member
Retired Gumby
Posts: 970
I had no problems getting and using the new password.
Posted at 12:49 on December 3rd, 2006 | Quote | Edit | Delete
Avatar
Member
Prof Gumby
Posts: 607
A new password was e-mailed and it works, but when I try to change it to anything else in my profile I get "Error: Something is wrong with the input."
-----
"One Very Important Thought"
Posted at 12:54 on December 3rd, 2006 | Quote | Edit | Delete
Avatar
Admin
Reborn Gumby
Posts: 8938
Can you try again? I actually think it's related to your avatar, not the password.
-----
Now you see the violence inherent in the system!
Posted at 13:02 on December 3rd, 2006 | Quote | Edit | Delete
Avatar
Member
Prof Gumby
Posts: 607
Works now!
-----
"One Very Important Thought"
Posted at 13:03 on December 3rd, 2006 | Quote | Edit | Delete
Avatar
Admin
Reborn Gumby
Posts: 8938
Good :)
-----
Now you see the violence inherent in the system!
Posted at 12:12 on December 4th, 2006 | Quote | Edit | Delete
Avatar
Member
Retired Gumby
Posts: 716
Replying here doesn't neccesarily mean anything. I, for example, was already logged in. :p

On the other hand, I do need my email address changed before I can send for the new password (see your private messages for details).
-----
At the end of the day, you're left with a bent fork & a pissed off rhino.
-----
Edited by Cypherswipe at 12:26 on December 4th, 2006
Posted at 12:32 on December 4th, 2006 | Quote | Edit | Delete
Avatar
Admin
Reborn Gumby
Posts: 8938
I changed your mail address as requested.

Quote:
Replying here doesn't neccesarily mean anything. I, for example, was already logged in

Looks like you found a bug there. I'll look into this. I assume you ticked the 'remember' checkbox when logging in initially?
-----
Now you see the violence inherent in the system!
-----
Edited by Mr Creosote at 12:38 on December 4th, 2006
Posted at 12:53 on December 4th, 2006 | Quote | Edit | Delete
Avatar
Member
Retired Gumby
Posts: 716
Of course, I despise having to re-login every friggin time I return to a site. Since I don't use public computers, security really isn't an issue for me.


Got new password, set it back to my old password, logged out/back in, everything seems to work fine.
-----
At the end of the day, you're left with a bent fork & a pissed off rhino.
-----
Edited by Cypherswipe at 12:55 on December 4th, 2006
Posted at 13:06 on December 4th, 2006 | Quote | Edit | Delete
Avatar
Admin
Reborn Gumby
Posts: 8938
Quote:
Geschrieben von Cypherswipe um 14:53 am December 4th, 2006:

Of course, I despise having to re-login every friggin time I return to a site. Since I don't use public computers, security really isn't an issue for me.

You're overlooking one issue: With these settings, the password is saved in a cookie. Cookies are sent to the server each time you call a page of the forum. Since the forum isn't accessable via SSL, that is done in plaintext. Of course, the contents of the cookie are encrypted with a secret key, so nobody should be able to get your password per se (eventually, every encryption can be broken, however, it shouldn't be feasable to do so), but even the encrypted contents of the cookie can be used as a token to impersonate you. Only on this board, of course, and only if someone actually intercepts the traffic (chances are extremely low unless the attacker is sitting on a node very near to you). So security is always an issue.

Having said all that, I'm using that option, too. At least on my home computer, not at university or at work. It's a tradeoff between security and convenience, and since I'm aware of the potential risks, it's a chance I'm willing to take.

Oh, and last, but not least, this is the same on all forums I know. In many cases, it's even significantly worse (passwords being stored in plaintext in a cookie, for example).
-----
Now you see the violence inherent in the system!
Posted at 13:26 on December 4th, 2006 | Quote | Edit | Delete
Avatar
Member
Retired Gumby
Posts: 716
True, but as you said, it depends on someone A) intercepting traffic on the specific site in question, B) choosing me out of all the available members to hack, and C) taking the time to decrypt the key. Few people would go to that much hassle just to be able to post as someone on one single forum. Since the risk is so low, the convenience of not being plagued by login demands is much more important to me than security. If I was on a public computer it'd be different, but since I'm not...
-----
At the end of the day, you're left with a bent fork & a pissed off rhino.
Posted at 14:43 on December 4th, 2006 | Quote | Edit | Delete
Avatar
Admin
Reborn Gumby
Posts: 8938
Strike C from that list. There isn't any serious protection against so-called replay attacks if you're storing your user credentials in a cookie, encrypted or not. The encryption just prevents anyone from seeing the plain password, so if you're using the same password anywhere else, the attacker still won't be able to get into your account there. Your account here is open just by intercepting the encrypted cookie, though.
-----
Now you see the violence inherent in the system!
ReplyNew TopicNew Poll
Powered by Spam Board 5.2.4 © 2007 - 2011 Spam Board Team