Haynes Forums  

Go Back   Haynes Forums > Haynes Roadster Forums > Announcements
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #11  
Old 5th August 2009, 02:31 PM
AshG's Avatar
AshG AshG is offline
Super Moderator
 
Join Date: Jul 2008
Location: Rochester
Posts: 1,882
Default

being an it geek i have allways used different passwords for all things of importance e.g accounts with admin access etc.

what most dont realise is that the poeple who own/run forums can retrieve a users password if they know how to open up the correct table and extract the data.

I suspect the attack was from a person that had full access to another forum database to extract the password that chris used. unfortunatly chris's password was the same on all forums and unfortunatly on this forum it was an admin account.
Reply With Quote
  #12  
Old 6th August 2009, 11:31 PM
thewinker thewinker is offline
Junior Member
 
Join Date: Jul 2009
Posts: 8
Default

Quote:
Originally Posted by AshG View Post
being an it geek i have allways used different passwords for all things of importance e.g accounts with admin access etc.

what most dont realise is that the poeple who own/run forums can retrieve a users password if they know how to open up the correct table and extract the data.
Not actually true. Most systems use a forward encryption system to ensure passwords are not stored in clear text. The only way to recover would be by brute force, trying every combination, but that could take weeks or even months.
Reply With Quote
  #13  
Old 7th August 2009, 08:44 AM
mr henderson mr henderson is offline
Senior Member
 
Join Date: May 2008
Location: Aylesbury
Posts: 364
Default

Quote:
Originally Posted by thewinker View Post
Not actually true. Most systems use a forward encryption system to ensure passwords are not stored in clear text. The only way to recover would be by brute force, trying every combination, but that could take weeks or even months.
Would that apply to all systems, though, even if they were quite old?
Reply With Quote
  #14  
Old 7th August 2009, 11:39 AM
thewinker thewinker is offline
Junior Member
 
Join Date: Jul 2009
Posts: 8
Default

Quote:
Originally Posted by mr henderson View Post
Would that apply to all systems, though, even if they were quite old?
Pretty much every system I've used in the last 10 years does it that way, it's not exactly new technology! In fact, I say 'pretty much', but I can't think of a single exception.
Reply With Quote
  #15  
Old 7th August 2009, 11:50 AM
Land Locked's Avatar
Land Locked Land Locked is offline
Senior Member
 
Join Date: Apr 2009
Location: Johannesburg, Sarf Efrika
Posts: 232
Default

There is at least one forum i'm on that doesn't use the new tech. But yes most of them do encrypt the info.
Reply With Quote
  #16  
Old 7th August 2009, 12:11 PM
AshG's Avatar
AshG AshG is offline
Super Moderator
 
Join Date: Jul 2008
Location: Rochester
Posts: 1,882
Default

i have done a lot of work on sql databases in my time and the encryptions are not hard to get around if you know what you are doing.

i run a phpbb forum and have got users passwords out of the tables and decrypted them when they have forgot thir passwords. takes about 5mins if you have the correct tools.

Last edited by AshG : 7th August 2009 at 01:38 PM.
Reply With Quote
  #17  
Old 7th August 2009, 12:27 PM
thewinker thewinker is offline
Junior Member
 
Join Date: Jul 2009
Posts: 8
Default

Quote:
Originally Posted by AshG View Post
i have done a lot of work on sql databases in my time and the encriptions are not hard to get around if you know what you are doing.

i run a phpbb forum and have got users passwords out of the tables and decrypted them when they have forgot thir passwords. takes about 5mins if you have the correct tools.
Sorry, that's utter bollocks, written by someone that can't even spell 'encryption', let alone be expected to understand how it works. The whole point of a forward encryption system, for example md5, is that the only way around it. Unfortunately for you, you're picking on my specialist subject as I'm a security analyst contractor working mainly for the high street banks.

Pretty much any PHP+MySQL web application will use either md5 or SHA1 to secure the passwords in the database. Whilst md5 has been shown to be insecure, it's not a trivial job to crack it, and only works in a limited number of cases. For the level of security required for sites like this, I would personally consider it perfectly secure enough, but I wouldn't want to send my credit card number in public view using it. It's also easier on the CPU than SHA1, so on a busy site it could improve performance.

SHA1 again has weaknesses in a tiny number of cases. I've yet to see a hack attempt on any system I've worked on that relied on a weakness in it, and if they guys I have to defend against don't know how to do it, nobody does. It is heavier on the CPU though, which is why most sites will stick with md5.

In short, if you can decode someone's password in a few minutes then your implementation is either stupidly out of date or has been written by a complete idiot.

Last edited by thewinker : 7th August 2009 at 01:21 PM.
Reply With Quote
  #18  
Old 7th August 2009, 12:44 PM
jasongray5's Avatar
jasongray5 jasongray5 is offline
Senior Member
 
Join Date: Feb 2008
Location: Western Australia, Home is Devon
Posts: 354
Default

now now, play nice...
Reply With Quote
  #19  
Old 7th August 2009, 01:16 PM
Chris Gibbs's Avatar
Chris Gibbs Chris Gibbs is offline
Senior Member
 
Join Date: Jul 2009
Posts: 168
Default

I think it's best that we leave this topic and move on, what's done is done and this discussion is just raking it all up.

Cheers

Chris
Reply With Quote
  #20  
Old 7th August 2009, 01:23 PM
Bonzo's Avatar
Bonzo Bonzo is offline
Senior Member
 
Join Date: Jul 2007
Location: Cornwall
Posts: 3,321
Default

I like the new Avitar Chris

Any news on the release date for the new book
__________________
I am not a complete idiot...........Some of the parts are missing !!
Ronnie

www.roadster-builders.co.uk
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT +1. The time now is 07:35 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.