
Database encryption



#1 TCWT

TCWT

    Needs Serious Help

  • Members
  • 1,469 posts

Posted 23 March 2009 - 01:26 PM

Webhostingtalk got hacked a couple of days ago.  Their database tables were compromised and it's already out there to download. :o

How does IPB encrypt the database? Is it as good as VB's method?

#2 Matt

Matt

    Meet Jay

  • IPS Management
  • 25,680 posts

Posted 23 March 2009 - 01:28 PM

There is no database encryption. If you mean specifically, passwords: then they are saved as a md5 hash of the plain text password which itself is hashed with a random 5 character salt.
Matthew Mecham (Twitter, Personal Blog, Flickr)
Invision Power Services, Inc. - C.S.A.
Official IPS Facebook Page
"I love deadlines. I especially like the whooshing sound they make as they go flying by."
-- Douglas Adams (1952 - 2001)

#3 TCWT

TCWT

    Needs Serious Help

  • Members
  • 1,469 posts

Posted 23 March 2009 - 01:31 PM

Yeah, I meant passwords.

"vBulletin uses a sophisticated hashing algorithm, it uses md5 to hash the passwords once, then adds a salt next to it, and hashes again".

So, IPB encryption is not as strong?

#4 Mark

Mark

    Needs Life

  • IPS Staff
  • 7,723 posts

Posted 23 March 2009 - 01:46 PM

It's almost exactly the same:

md5( md5( password ) . salt )

There is a very slight difference (they clean the password, then hash, we hash then clean) but like I said, essentially the same.

Mark Wade
Developer

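The scheme Mark describes, written out as an added Python example rather than IPB's or vBulletin's own code; the helper names, the salt alphabet and the use of a constant-time compare are my assumptions, and the "clean" step the thread mentions is left out because the thread does not define it:

```python
import hashlib
import hmac
import secrets
import string

# Constructed illustration of: md5( md5( password ) . salt )
# with a random 5-character salt, as stated in the thread.
SALT_ALPHABET = string.ascii_letters + string.digits  # assumption
SALT_LENGTH = 5  # the thread states a 5-character salt


def md5_hex(data: str) -> str:
    """Hex digest of md5 over the UTF-8 bytes of data."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def make_salt() -> str:
    """Random per-user salt from a CSPRNG."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LENGTH))


def hash_password(password: str, salt: str) -> str:
    """Inner md5 of the plaintext, then outer md5 over inner_hex + salt."""
    return md5_hex(md5_hex(password) + salt)


def verify_password(password: str, salt: str, stored_hash: str) -> bool:
    """Recompute and compare in constant time so timing does not leak
    how many leading characters of the stored hash matched."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def distinct_hashes_for_same_password(password: str, n: int) -> int:
    """Why the salt matters: one password stored under n different salts
    yields n different stored values, so a precomputed table built for
    one account cannot be reused against the others."""
    return len({hash_password(password, make_salt()) for _ in range(n)})


if __name__ == "__main__":
    salt = make_salt()
    stored = hash_password("correct horse", salt)
    print(salt, stored, verify_password("correct horse", salt, stored))
```

Note that both md5 calls are single fast hashes; the salt defeats shared precomputed tables but does nothing to slow down a per-account guess, which is the property a dedicated password hash would add.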


#5 TCWT

TCWT

    Needs Serious Help

  • Members
  • 1,469 posts

Posted 23 March 2009 - 01:47 PM

Any way to make it even stronger?

#6 Mark

Mark

    Needs Life

  • IPS Staff
  • 7,723 posts

Posted 23 March 2009 - 01:52 PM

TCWT, on 23 March 2009 - 01:47 PM, said:

Any way to make it even stronger?

If there was we would ;)



#7 rct2·com

rct2·com

    Needs Life

  • +Clients
  • 7,317 posts

Posted 23 March 2009 - 01:59 PM

What's the benefit? If you can read the database, you can read the database. One column in one IPB table that contains encrypted versions of passwords is not going to stop the hackers.

Hackers need to find server login details, and/or the database username and password, to dump the database contents. All the encryption of the passwords in the database does is stop the hackers from knowing every member's password AFTER they have hacked into the database.

Alternatively, hackers need to find out the root admin's password, login to AdminCP, then use SQL Toolbox to dump the data.

If you read that link, the hackers got into the database 'around the back' in the ways I describe, rather than 'from the front' [the vb user interface].
Big Brother is watching you

If you are happy with the help I gave you with Invision Power Board, please click here to say thank you.

If you're a modder and can help me, then please reply to this topic and/or this topic

The golden rule of upgrading is to make sure that you know how to get back to where you came from BEFORE you start going forwards. BACKUP, BACKUP, BACKUP.

#8 TCWT

TCWT

    Needs Serious Help

  • Members
  • 1,469 posts

Posted 23 March 2009 - 02:08 PM

I never said this was going to stop hackers from any attempts. I'm aware they hacked their backup servers containing the database. But, there are other ways of obtaining a database besides logging in with the Admin password to dump them or from ssh.

#9 rct2·com

rct2·com

    Needs Life

  • +Clients
  • 7,317 posts

Posted 24 March 2009 - 01:33 PM

I didn't say it would stop any attempts either. I think what I was trying to say was that making the IPB passwords even stronger in the database wasn't really going to make it any more difficult to hack in, because the way they are most likely to hack in to the actual database is not through the board/AdminCP by guessing a member's password.

Previously I have requested that IPB implement password policies in the code to force regular changes, minimum and maximum lengths, exclude passwords that are in a 'dictionary' that IPB can use, no password equal to user name, no password able to be reused for X amount of changes.

My request had the most negative response I think I've seen on these boards. :)

#10 Connor T

Connor T

    Needs Serious Help

  • +Clients
  • 1,474 posts

Posted 24 March 2009 - 01:41 PM

So an RSA or SHA encryption isn't better?
Previously: iBotPeaches // .peaches

#11 bfarber

bfarber

    Meet Jay

  • IPS Management
  • 24,886 posts

Posted 24 March 2009 - 01:55 PM

The hackers aren't generally "cracking" the passwords.  Changing the encryption method is not likely to make your site any more secure.

Brandon Farber
Developer / Senior Support

If it sounds like fun, it's not allowed on the bus!


Invision Power Services, Inc.