Forum is not using shadow passwords?

(previously 'DEVELOPER') Private forum for registered community members. To register, please visit www.prison-architect.com/register.

Moderator: NBJeff

cstephe
level0
Posts: 5
Joined: Fri Nov 16, 2012 12:53 am

Forum is not using shadow passwords?

Postby cstephe » Fri Nov 16, 2012 3:14 pm

When I got my forum registration email it sent me my user name and password in plain text. Normally this means

A. My password was just sent over the internet in plain text.
B. The site that sent it has little to no protection on my password.

Whats the deal? Even if you encrypt there is no reason to need to store a password
User avatar
koshensky
level3
level3
Posts: 407
Joined: Tue Dec 27, 2011 7:57 pm
Location: Cornwall

Postby koshensky » Fri Nov 16, 2012 3:37 pm

Probably the former. Of course the forum encrypts your password, probably in md5 given that these are fairly old forums, but that's not to say it doesn't just call the mail protocol before it does so, in order to let you know what it was that you wrote down. This is just a thing that phpBB forums do.

If it's a problem, change it.
cstephe
level0
Posts: 5
Joined: Fri Nov 16, 2012 12:53 am

Postby cstephe » Fri Nov 16, 2012 3:42 pm

Nah i used a throw away password just in case, but a development company should know better.
User avatar
KingOfZeal
level1
level1
Posts: 34
Joined: Mon Mar 07, 2005 7:02 pm
Location: Behind you

Postby KingOfZeal » Fri Nov 16, 2012 11:55 pm

I'm fairly certain kos is correct -- it calls the mail handler before encrypting it to the database. I do know for certain the password at the DB is encrypted (phpBB isn't exactly new, I've used it before personally). As I recall, sending the password is just an option they configured at startup.

Besides, if you followed 'best practices' for online browsing, you wouldn't use the same password for different sites, effectively limiting your area of attack to Introversion-related services.

And to be completely fair, these forums WERE set up some time ago, when plaintext/encryption options weren't as high on the list of things to consider, and were left up to each implementation.
User avatar
paktsardines
level5
level5
Posts: 1752
Joined: Mon Oct 01, 2012 11:10 am
Location: Australia

Postby paktsardines » Sat Nov 17, 2012 2:19 am

I think you mean SSL encrypted rather than shadow passwords per se.

Everytime you log into the bug tracker it uses 'basic' authenication, which means everything is transmitted as plaintext. Similarly, almost certainly it's the same case with these forums.

Having hashed (or 'shadowed') passwords on the server helps a bit, but as the passwords have already been transmitted in plaintext it's like using your finger to block off a hole in a colander.

So, yes, that's why I have different passwords for every server I connect to, and change them at least yearly (monthly is better). Even if the password is intercepted, there's not much they can do with it (except post annoying messages here, but that tends to happen anyway :).

I'd link to a handy in-house bit of software I use for managing passwords, but that'd be spamming. :)
Last edited by paktsardines on Sun Nov 18, 2012 8:35 pm, edited 1 time in total.
User avatar
koshensky
level3
level3
Posts: 407
Joined: Tue Dec 27, 2011 7:57 pm
Location: Cornwall

Postby koshensky » Sat Nov 17, 2012 2:47 am

paktsardines wrote:I think you mean SSL encrypted rather than shadow passwords per se.

Everytime you log into the bug tracker it uses 'basic' authenication, which means everything is transmitted as plaintext. Similarly, almost certainly it's the same case with these forums.

Having encrypted (or 'shadowed') passwords on the server helps a bit, but as the passwords have already been transmitted in plaintext it's like using your finger to block off a hole in a colander.

So, yes, that's why I have different passwords for every server I connect to, and change them at least yearly (monthly is better). Even if the password is intercepted, there's not much they can do with it (except post annoying messages here, but that tends to happen anyway :).

I'd link to a handy in-house bit of software I use for managing passwords, but that'd be spamming. :)


Hang on guys, this is far too intelligent a post... I think Paktsardines has been hacked...
User avatar
paktsardines
level5
level5
Posts: 1752
Joined: Mon Oct 01, 2012 11:10 am
Location: Australia

Postby paktsardines » Sat Nov 17, 2012 3:05 am

Error 1337: Unrecognised member.

power down.





:wink:
User avatar
paktsardines
level5
level5
Posts: 1752
Joined: Mon Oct 01, 2012 11:10 am
Location: Australia

Postby paktsardines » Sat Nov 17, 2012 3:17 am

powering up...


Oops, forgot to add. These days password shadowing is of little to no use. Online tools that use clusters of GPUS to crack hashes are stunningly fast. They can extract any hashed [up to] 10 digit password almost instantly. Longer passwords take barely extra time.

This means that even if all passwords are hashed, it'll take a few minutes for any noob to unhash them again. Quite honestly, you may as well store them in plain text.

What _really_ matters is how well the server is secured - how well you stop people from getting to the password files in the first place.
Last edited by paktsardines on Sat Nov 17, 2012 3:20 am, edited 1 time in total.
cstephe
level0
Posts: 5
Joined: Fri Nov 16, 2012 12:53 am

Postby cstephe » Sat Nov 17, 2012 3:19 am

I did mean a one way hash version should be stored. In case of the server getting hacked they can't undo the hash to get the original. You are right though they would need to also SSL the login too. I also agree this is probably not the forum for this discussion. pretty funny though. thanks guys for listening to my complaint, maybe that can be a new prisoner complaint.
cstephe
level0
Posts: 5
Joined: Fri Nov 16, 2012 12:53 am

Postby cstephe » Sat Nov 17, 2012 3:21 am

ok you got me interested again. Is that true Koshensky, the Hash shouldn't provide enough information to be able to recover it. It's been awhile since my class on it though.
cstephe
level0
Posts: 5
Joined: Fri Nov 16, 2012 12:53 am

Postby cstephe » Sat Nov 17, 2012 3:24 am

Oh I see they brute force every dictionary word until they get a match for the hash.
User avatar
frenchfrog
level5
level5
Posts: 2572
Joined: Sun Sep 22, 2002 7:11 pm
Location: Quebec

Postby frenchfrog » Sat Nov 17, 2012 4:43 am

The way most of the rapid cracking of passwords is done with the help of rainbow tables, pre-calculated tables helping in cracking of passwords.

Knowing this you can salt your passwords, this means processing each password with a different set of random bits before hashing it. So in your database, you store the random bits (salt) and the hashed password. Now you may ask, what is the point? The cracker can easily take a password he want to try, apply the random bits and then hash it. That's true but he cannot use his rainbow tables anymore, so if he stolen 1000000 passwords, he will need to rebuild is rainbow table 1000000 times or use a pure brute force algorithm. Which will slow him down considerably if he want to crack the 1000000 passwords.

On the other hand, if the cracker only wants the password of the site owner, it still lengthen the cracking process but the cracker will probably be successful in his endeavor.

Knowing this, you can chose a different hashing algorithm. Instead of using a single pass of md5 or sha256 or whatever, which are very fast algorithms. You can do multiple passes of the previous fast algorithms, say 1000 times or more. Again what is the point? For the site operator the different will be minimal, he only needs to encrypt the password once to verify login credentials. But for the cracker, in combination with salting (which render the rainbow table useless), will force the calculation of tons of possibilities which are each 1000 time slower to compute. Your passwords are now safer.

Further reading:
http://en.wikipedia.org/wiki/Salt_(cryptography) (EDIT: broken by this obsolete forum)
http://en.wikipedia.org/wiki/Rainbow_table
http://en.wikipedia.org/wiki/PBKDF2

--------------

For storing password I use the very good Open Source KeePass Password Safe
User avatar
paktsardines
level5
level5
Posts: 1752
Joined: Mon Oct 01, 2012 11:10 am
Location: Australia

Postby paktsardines » Sat Nov 17, 2012 6:26 am

Oh I see they brute force every dictionary word until they get a match for the hash.


Not quite. The algorithms typically start by looking at common dictionary words (which is why everyone emphasises strong passwords), but they will also do exhaustive matching (trying every combination of every character). I recently had a SHA512 hash of a very strong 12 character password with upper/lowercase letters 4 digits and 3 symbols (^, &, !,% etc) and it was cracked in under a minute by these systems.


Also,
I did mean a one way hash version should be stored.

Needless to say, one-way hasing is of limited benefit if the password isn't encrypted during transmission. :P


Also 2
For storing password I use the very good...

I do not recommend the use of any password manager that protects by using a stored master password on any device, no matter how well encrypted. This includes browser's that remember passwords, password wallets and the like. Once it is cracked the user has access to all the eggs in your basket.
User avatar
frenchfrog
level5
level5
Posts: 2572
Joined: Sun Sep 22, 2002 7:11 pm
Location: Quebec

Postby frenchfrog » Sat Nov 17, 2012 4:54 pm

For storing password I use the very good...

I do not recommend the use of any password manager that protects by using a stored master password on any device, no matter how well encrypted. This includes browser's that remember passwords, password wallets and the like. Once it is cracked the user has access to all the eggs in your basket.


Security is always about trade-offs, if you want different passwords on every sites you go and change them regularly, you almost have no other choices but to write them down somewhere. Better do it in a secure way.
User avatar
paktsardines
level5
level5
Posts: 1752
Joined: Mon Oct 01, 2012 11:10 am
Location: Australia

Postby paktsardines » Sun Nov 18, 2012 2:32 am

I wasn't going to link to products here but as someone already has, WhimKeeper doesn't store any passwords anywhere:

www.whimit.com.au/downloads.html

Return to “Community Members”

Who is online

Users browsing this forum: No registered users and 1 guest