Passwords - very important!

GrimJack

Administrator
Richmond, BC, Canada
idriders.com
Please do not use the same password you used on the previous forum software. There is a very high likelihood that the script kiddie who hacked the old software now has all the passwords.

I would seriously suggest changing any other passwords, say, on other forums, where you might have used the same password as well.
 

Jeff Lange

Administrator
Staff member
Mar 29, 2005
Calgary, Canada
jefflange.ca
Since it was brought up, and I don't really think it's a bad idea to use a different password, passwords in phpBB are stored in MD5 hash format, a one-way hashing technique which cannot be decrypted because it does not even contain the original information.

vBulletin 2.0 used to use the same technique; however, in vBulletin 3 they use an even better system. (Double MD5 hashed using a random salt generator, meaning even if 2 people have the same password, it is stored differently in the database.)


I don't really know where I'm going with this, other than to provide confidence that nobody knows your password, and so on.
 

Jeff Lange

Administrator
Staff member
Mar 29, 2005
Calgary, Canada
jefflange.ca
What can I say?

...


FWIW, I used the double hashing MD5 thing with a 6-character alphanumeric salt in my forum software... vB3 only uses 3 digits, :p. (Plus, the salt is case sensitive, I used random case as well, which means there's 62 possible characters for each character in the salt).

Okay, I'll shut up now.
 

encomiast

boosted kraut
Mar 31, 2005
germany
Jeff Lange said:
Since it was brought up, and I don't really think it's a bad idea to use a different password, passwords in phpBB are stored in MD5 hash format, a one-way hashing technique which cannot be decrypted because it does not even contain the original information.
You're right in saying that the hash can't be decrypted; however, it can be brute-forced. At least simple passwords (e.g. all lowercase, only letters and digits, with a total length of up to 6 or 7 characters) can be brute-forced in reasonable time with current PC technology. If the password is even worse, e.g. a more or less common real-language word, it can be retrieved by running a dictionary attack against the hash, which takes almost no time (read: at most a couple of hours with a really long word list).

And it's also true that vBulletin 3 is using a stronger scheme, a 3-character salt and dual MD5 hashing, which does take considerably more time to brute-force. However, the salt is stored in the database too, so if someone gets access to the database, he/she gets the salt along with the hash. This means that, given that the attacker has access to the database, simple passwords can still be retrieved in vB3; it just takes some more time than on phpBB due to the double hashing.
Not that I ever did something like this myself.... :D
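The two points made above, that unsalted MD5 gives identical users identical stored values and that a salt stored beside the hash does not make each offline guess slower, can be seen directly. The following is an added example and is not code from this thread, from phpBB or from vBulletin; the exact composition md5(md5(password) + salt) is a reconstruction of what Jeff describes, not taken from vBulletin's source, and the rates it measures are rough single-core Python figures, not those of any real cracking tool.

```python
import hashlib
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # 62 symbols per position, as counted in the thread


def phpbb_style_hash(password: str) -> str:
    """Unsalted MD5, the phpBB storage format the thread describes.

    Two users with the same password get the same stored value, and one
    precomputed table of MD5(word) covers every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_salt(length: int) -> str:
    """Random, case-sensitive alphanumeric salt (62 possible symbols per position)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def salted_double_md5(password: str, salt: str) -> str:
    """Salted double MD5 as described in the thread: md5(md5(password) + salt).

    Assumption: the concatenation order is a reconstruction, not vBulletin's code."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def verify_salted(password: str, stored: str) -> bool:
    """Check a candidate against a constructed 'hash:salt' database record.

    The salt sits next to the hash, so whoever holds the database has it. It
    stops identical passwords from colliding and stops one precomputed table
    from serving all users, but it does not make an individual guess slower."""
    digest, salt = stored.split(":")
    return secrets.compare_digest(salted_double_md5(password, salt), digest)


def slow_hash(password: str, salt: bytes, iterations: int) -> str:
    """Deliberately slow password hash (PBKDF2-HMAC-SHA256) for comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def guesses_per_second(check, seconds: float = 0.2) -> float:
    """Count how many candidate passwords `check` can evaluate in `seconds`.

    This measures the per-guess cost of each storage scheme for an attacker
    who already holds the hashes; it is not a benchmark of any real tool."""
    n = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        check(f"candidate{n}")
        n += 1
    return n / seconds


def compare_schemes(iterations: int = 50_000) -> dict:
    """Relative per-guess cost of plain MD5, salted double MD5 and PBKDF2."""
    salt = make_salt(6)
    pbkdf_salt = secrets.token_bytes(16)
    return {
        "md5": guesses_per_second(phpbb_style_hash),
        "salted_double_md5": guesses_per_second(lambda p: salted_double_md5(p, salt)),
        "pbkdf2": guesses_per_second(lambda p: slow_hash(p, pbkdf_salt, iterations)),
    }


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same weak password.
    alice = bob = "sunshine"
    print("phpBB-style:", phpbb_style_hash(alice), phpbb_style_hash(bob))
    a_salt, b_salt = make_salt(6), make_salt(6)
    print("salted:     ", salted_double_md5(alice, a_salt), salted_double_md5(bob, b_salt))
    record = f"{salted_double_md5(alice, a_salt)}:{a_salt}"
    print("verify:", verify_salted("sunshine", record), verify_salted("Sunshine", record))
    for name, rate in compare_schemes().items():
        print(f"{name:>18}: ~{rate:,.0f} guesses/s")
```

Running it shows the two phpBB-style digests are identical while the two salted ones differ, and that the salted double MD5 costs only about twice a plain MD5 per guess, whereas the PBKDF2 line is several orders of magnitude lower. That gap, not the salt, is what makes offline guessing of a leaked database expensive.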
 

Spiv

hooligan
Mar 31, 2005
Orlando, Fl
Anything can be brute forced, but doing it over the net is either going to draw some serious attention (or should, since it would be way out of the normal access pattern to get a couple measly passwords; presumably they'd be looking for the admin's stuff instead of our dumb accounts) or the system should stop accepting requests at some point.

And yeah, the MD5 hashing protects the actual password, but if you have enough of the system (collected it all up while hacking the board, unlikely in this case IMO), you can get something just as good: a password that results in the same thing as yours after having come through the MD5 hashing. Except we're not on the same board anymore, so there really isn't any point. The different hashing will make whatever they produce pointless.

I've said it before, vBulletin has its vulnerabilities just like any other board. Thus far Infopop impressed me most for security, but if we get a search function as bad as that on this forum someone's going to have a stroke. My best recommendation: customize your administration tables.

All the same, you should (admins especially) be regularly changing your passwords. Now's a good excuse to do it.

PS: glad to see the fellow geeks coming out of the woodwork ;)
 

encomiast

boosted kraut
Mar 31, 2005
germany
Spiv said:
Anything can be brute forced, but doing it over the net is either going to draw some serious attention (or should, since it would be way out of the normal access pattern to get a couple measly passwords; presumably they'd be looking for the admin's stuff instead of our dumb accounts) or the system should stop accepting requests at some point.
Point is that the attacker who "hacked" the old board might have extracted the password hashes from the database, so there is no need to brute-force them online.
Furthermore, access to the database means that the attacker can simply pick the hash of any account he/she would like to crack, so, as you already said, the admins and moderators will most probably be the preferred targets.
Moral of the story: IF you had a very strong password (containing mixed upper/lower case as well as numbers and special characters, and more than 6-7 characters long) on the old board, you may continue to use it. If not, and/or you are an admin, the password should IMHO be changed for best practice.
Just my 0.02 psi.