Passwords - very important!


GrimJack
03-30-2005, 04:24 PM
Please do not use the same password you used on the previous forum software. There is a very high likelihood that the script kiddie who hacked the old software now has all the passwords.

I would seriously suggest changing any other passwords, say, on other forums, where you might have used the same password as well.

IJ.
03-30-2005, 04:36 PM
GJ: Thanks done!

Loki
03-30-2005, 04:41 PM
Good idea, I'll have to switch mine.

Supra Blues
03-30-2005, 05:43 PM
Changed...

DrakeMK3
03-30-2005, 06:12 PM
I changed mine too. It really screws with your mind though because I've gotten so used to my older password.

Loki
03-30-2005, 06:24 PM
It's not too bad, if you just keep yourself logged in all the time you don't have to remember it :D

Shinobu
03-30-2005, 08:06 PM
Good thinking. Changing mine now... ^^;

suprajjang
03-30-2005, 09:42 PM
just changed mine. thanks for letting us know

bluemax
03-30-2005, 11:00 PM
FYI
I couldn't log in using my old password. I had to re-register to log in.
I like the new format.

lanky189
03-31-2005, 12:56 AM
password... what's that?

Jeff Lange
03-31-2005, 02:26 AM
Since it was brought up, and I don't really think it's a bad idea to use a different password, passwords in phpBB are stored in MD5 hash format, a one-way hashing technique which cannot be decrypted because it does not even contain the original information.

vBulletin 2.0 used to use the same technique, however in vBulletin 3 they use an even better system. (Double MD5 hashed using a random salt generator, meaning even if 2 people have the same password, it is stored differently in the database.)


I don't really know where I'm going with this, other than to provide confidence that nobody knows your password, and so on.

Ckanderson
03-31-2005, 02:28 AM
heh......^ NERD! :p

Jeff Lange
03-31-2005, 02:31 AM
What can I say?

...


FWIW, I used the double hashing MD5 thing with a 6-character alphanumeric salt in my forum software... vB3 only uses 3 digits, :p. (Plus, the salt is case sensitive, I used random case as well, which means there's 62 possible characters for each character in the salt).

Okay, I'll shut up now.

Idealsupra
03-31-2005, 04:58 AM
jeff you need to get out more ;) having said that ...different password is used :D

and thanks for getting the forums back up and running so quickly!

encomiast
03-31-2005, 03:14 PM
Since it was brought up, and I don't really think it's a bad idea to use a different password, passwords in phpBB are stored in MD5 hash format, a one-way hashing technique which cannot be decrypted because it does not even contain the original information.
you're right in saying that the hash can't be decrypted, however, it can be bruteforced. at least simple passwords (e.g. all lowercase, only letters and digits with a total length of up to 6 or 7 characters) can be bruteforced in reasonable time with current PC technology. if the password is even worse, a more or less common real-language word, it can be retrieved by running a dictionary attack against the hash, which takes almost no time (read: at most a couple of hours with a real long word list).

and it's also true that vBulletin 3 is using a stronger encryption using a 3-character salt and dual MD5 hashing, which does take considerably more time to bruteforce. however, the salt is stored in the database too, so if someone gets access to the database, he/she gets the salt along with the hash. this means that given that the attacker has access to the database, simple passwords can still be retrieved in vB3, it just takes some more time than on phpBB due to the double-hashing.
not that I ever did something like this myself.... :D
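As an added example (not code from this thread or from vBulletin's source), the storage scheme Jeff describes above, double MD5 with a random salt of 62 possible symbols per character, next to the point encomiast makes: the salt sits in the same database row as the hash, so checking one guess against a stolen row costs only two MD5 calls, and what the salt buys is that identical passwords are stored differently and precomputed tables stop working. The salt lengths (3 and 6) and the "simple password" alphabet come from the posts; the password "supra" is a constructed sample.

```python
import hashlib
import secrets
import string

# 62 symbols per salt character (upper, lower, digits), as in the 6-character salt above.
SALT_ALPHABET = string.ascii_letters + string.digits


def make_salt(length=6):
    """Random salt; vB3 used 3 characters, the forum software above used 6."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def double_md5(password, salt):
    """Assumed vB3-style scheme as the thread describes it: md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def store(password, salt_length=6):
    """The database row keeps both hash and salt, which is what an attacker with DB access gets."""
    salt = make_salt(salt_length)
    return {"hash": double_md5(password, salt), "salt": salt}


def verify(password, row):
    """Login check; constant-time compare avoids leaking how far the digests matched."""
    return secrets.compare_digest(double_md5(password, row["salt"]), row["hash"])


def salt_space(length):
    """Distinct salts: 62**length (3 chars: 238328, 6 chars: about 5.7e10)."""
    return len(SALT_ALPHABET) ** length


def simple_password_space(max_length=7, alphabet=string.ascii_lowercase + string.digits):
    """Number of 'simple' passwords (lowercase letters and digits, 1..max_length chars)
    an offline guesser must cover once the salt is known from the stolen row."""
    n = len(alphabet)
    return sum(n ** k for k in range(1, max_length + 1))


if __name__ == "__main__":
    row_a, row_b = store("supra"), store("supra")
    # Same password, different random salt: different stored hashes.
    print(row_a["hash"] != row_b["hash"], verify("supra", row_a), verify("Supra", row_a))
    # Salt space vs. the space of weak passwords the posts above call bruteforceable.
    print(salt_space(3), salt_space(6), simple_password_space())
```

The salt does not slow a single guess down; only the password's own length and alphabet do, which is why the thread's advice to change a weak or reused password stands regardless of the hashing scheme.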

CPT Furious
03-31-2005, 10:50 PM
Changed it anyway...

Spiv
03-31-2005, 11:44 PM
anything can be brute forced, but doing it over the net is either going to draw some serious attention (or should, since it would be way out of the normal access pattern to get a couple measly passwords, presumably they'd be looking for the admin's stuff instead of our dumb accounts) or the system should stop accepting requests at some point.

And yeah, the MD5 hashing protects the actual password, but if you have enough of the system (collected it all up while hacking the board, unlikely in this case IMO), you can get something just as good: a password that results in the same thing as yours after having come through the MD5 hashing. Except we're not on the same board anymore, so there really isn't any point. The different hashing will make whatever they produce pointless.

I've said it before, vBulletin has its vulnerabilities just like any other board. Thus far infopop impressed me most for security, but if we get a search function as bad as that on this forum someone's going to have a stroke. My best recommendation: customize your administration tables.

All the same, you should (admins especially) be regularly changing your passwords. Now's a good excuse to do it.

PS: glad to see the fellow geeks coming out of the woodwork ;)

Twigger
04-01-2005, 01:03 AM
Changed mine also.

encomiast
04-01-2005, 04:05 AM
anything can be brute forced, but doing it over the net is either going to draw some some serious attention (or should, since it would be way out of the normal access pattern to get a couple measly passwords, presumably they'd be looking for the admin's stuff instead of our dumb accounts) or the system should stop accepting requests at some point.
point is that the attacker who "hacked" the old board might have extracted the password hashes from the database. so there is no need to bruteforce them online.
furthermore, access to the database means that the attacker can simply pick the hash of any account he/she would like to crack, so as you already said, the admins and moderators will most probably be the preferred targets.
moral of the story: IF you had a very strong password (containing mixed upper/lower case as well as numbers, special characters, and more than 6-7 characters long) on the old board, you may continue to use it. if not, and/or you are an admin, the password should IMHO be changed for best practice.
just my 0.02 psi.

Jeff Lange
04-01-2005, 04:09 AM
Yeah, it'd be a good idea to change it, I was just trying to reassure people that someone doesn't really have their password.

encomiast
04-02-2005, 12:52 PM
well, that's actually the point I was trying to make. actually this guy "phantom" or whatever he calls himself, may have retrieved everybody's board password if he wanted to and if he is clever enough. so I'd strongly recommend that everyone changes his/her password in other places as well, if he/she also used it elsewhere (especially if it was also used for email accounts, PayPal or the like).

BTW, I noticed that you (the admins) seem to be quite busy configuring the new board and putting everything back into place, so if you could use some technical assistance, I'll be glad to help wherever I can....

Jeff Lange
04-04-2005, 12:44 AM
I think we have everything under control, things are moving along smoothly.

I'm going to start working on the new theme for the site next week. :)

I don't feel overworked, but I can't say the same for Grim or Mike, they'd have to chime in. :)

GrimJack
04-04-2005, 04:44 AM
I'd need some spare time to chime in. :) I'm mostly kidding, I was run off my feet for a couple days, but it's starting to slow down now. I actually had some time to work on the Supra today!

Paradox
04-05-2005, 04:46 PM
gah! *changed*

stokeless
04-05-2005, 11:00 PM
okay cool, just changed everything