being an it geek i have allways used different passwords for all things of importance e.g accounts with admin access etc.

what most dont realise is that the poeple who own/run forums can retrieve a users password if they know how to open up the correct table and extract the data.

I suspect the attack was from a person that had full access to another forum database to extract the password that chris used. unfortunatly chris's password was the same on all forums and unfortunatly on this forum it was an admin account.

Not actually true. Most systems use a forward encryption system to ensure passwords are not stored in clear text. The only way to recover would be by brute force, trying every combination, but that could take weeks or even months.

Would that apply to all systems, though, even if they were quite old?

Pretty much every system I've used in the last 10 years does it that way, it's not exactly new technology! In fact, I say 'pretty much', but I can't think of a single exception.

There is at least one forum i'm on that doesn't use the new tech. But yes most of them do encrypt the info.

i have done a lot of work on sql databases in my time and the encryptions are not hard to get around if you know what you are doing. ;)

i run a phpbb forum and have got users passwords out of the tables and decrypted them when they have forgot thir passwords. takes about 5mins if you have the correct tools.

Sorry, that's utter bollocks, written by someone that can't even spell 'encryption', let alone be expected to understand how it works. The whole point of a forward encryption system, for example md5, is that the only way around it. Unfortunately for you, you're picking on my specialist subject as I'm a security analyst contractor working mainly for the high street banks.

Pretty much any PHP+MySQL web application will use either md5 or SHA1 to secure the passwords in the database. Whilst md5 has been shown to be insecure, it's not a trivial job to crack it, and only works in a limited number of cases. For the level of security required for sites like this, I would personally consider it perfectly secure enough, but I wouldn't want to send my credit card number in public view using it. It's also easier on the CPU than SHA1, so on a busy site it could improve performance.

SHA1 again has weaknesses in a tiny number of cases. I've yet to see a hack attempt on any system I've worked on that relied on a weakness in it, and if they guys I have to defend against don't know how to do it, nobody does. It is heavier on the CPU though, which is why most sites will stick with md5.

In short, if you can decode someone's password in a few minutes then your implementation is either stupidly out of date or has been written by a complete idiot.

now now, play nice...

I think it's best that we leave this topic and move on, what's done is done and this discussion is just raking it all up.

Cheers

Chris :)

I like the new Avitar Chris :cool: :cool: :)

Any news on the release date for the new book ;)