
IP.Board password hashing is no longer secure


53 replies to this topic

#21 Rimi (Strip Me · +Clients · 6,121 posts)

Posted 26 March 2012 - 03:12 PM

Websites that require a minimum eight characters, a capital letter, a lower case letter, and a special character are evil.

#22 Ryan H. (Watch how I soar. · +Clients · 3,030 posts)

Posted 26 March 2012 - 03:51 PM

> Websites that require a minimum eight characters, a capital letter, a lower case letter, and a special character are evil.

No, I totally agree--arbitrary requirements are horrible. ...But they're also more secure.

As far as I can tell, the primary method for mitigating bruteforce attacks is simply to use a cipher that is ... slow. Some mechanism for separating part of the vital data from the database would be an improvement, but as noted earlier, it doesn't seem like there's any method that would actually be infallible. [Any standard location means it's just another thing to pull out, unless you can prevent access to it by any of the means of using PHP in the ACP.]

Ryan Hoerr / "No1 1000"

IP.Board 3.4 Resources: App Advanced Tags & Prefixes · App Easy Pages · Skin Graphite · Skin Thoreau


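Ryan's two points above, that the real mitigation is a hash that is slow and that keeping part of the secret outside the database helps until someone can read the config, as an added example (not code from this thread or from IPS). It runs the same offline dictionary attack against three storage schemes for a constructed four-user table: a fast salted MD5, a deliberately slow key derivation, and a fast hash keyed with a "pepper" that never reaches the database. Assumptions: the salted-MD5 scheme is a generic stand-in, not IP.Board's actual formula; PBKDF2-HMAC-SHA256 stands in for bcrypt because it ships in Python's standard library; the users, wordlist, pepper and work factor are all constructed.

```python
import hashlib
import hmac
import secrets
import time

# Assumption for this example: a generic salted-MD5 scheme, NOT IP.Board's actual formula.
# PBKDF2-HMAC-SHA256 stands in for bcrypt because it ships with Python's standard library.
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune so one hash costs ~50-100 ms on your hardware


def md5_salted(password: str, salt: bytes) -> str:
    """Fast salted hash: the kind of scheme that is cheap to brute-force."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow_kdf(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> str:
    """Deliberately slow hash: every guess costs the attacker `rounds` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def peppered_md5(password: str, salt: bytes, pepper: bytes) -> str:
    """Fast hash keyed with a secret ('pepper') that lives in the app config, not in the database."""
    return hmac.new(pepper, salt + password.encode(), hashlib.md5).hexdigest()


# Constructed sample data: what the attacker holds after dumping the users table.
USERS = [
    ("alice", "123456"),
    ("bob", "Qwerty1234"),
    ("carol", "correct horse battery staple"),
    ("dave", "x7#Tq9!vLp2@"),  # not in any wordlist
]
WORDLIST = ["123456", "password", "qwerty", "letmein", "Qwerty1234",
            "correct horse battery staple"]  # constructed "most common passwords" list


def build_table(hash_fn, users):
    """Store each user as (salt, hash) with a fresh random salt, as a site would."""
    table = {}
    for name, pw in users:
        salt = secrets.token_bytes(8)
        table[name] = (salt, hash_fn(pw, salt))
    return table


def dictionary_attack(table, hash_fn, wordlist):
    """Offline attack: recompute the hash for every (user, candidate) pair.
    Returns the cracked users and the guess rate the attacker achieved."""
    cracked, guesses = {}, 0
    start = time.perf_counter()
    for name, (salt, stored) in table.items():
        for candidate in wordlist:
            guesses += 1
            if hmac.compare_digest(hash_fn(candidate, salt), stored):
                cracked[name] = candidate
                break
    elapsed = time.perf_counter() - start
    return cracked, guesses / max(elapsed, 1e-9)


def compare_schemes():
    """Run the same dictionary attack against the three storage schemes."""
    fast_table = build_table(md5_salted, USERS)
    slow_table = build_table(slow_kdf, USERS)

    pepper = secrets.token_bytes(32)  # kept in config on disk; absent from the dump
    peppered_table = build_table(lambda pw, s: peppered_md5(pw, s, pepper), USERS)

    fast_cracked, fast_rate = dictionary_attack(fast_table, md5_salted, WORDLIST)
    slow_cracked, slow_rate = dictionary_attack(slow_table, slow_kdf, WORDLIST)
    # The attacker holds only the dump, so the best they can do is try a pepper of their own.
    guessed_pepper = secrets.token_bytes(32)
    pep_cracked, _ = dictionary_attack(
        peppered_table, lambda pw, s: peppered_md5(pw, s, guessed_pepper), WORDLIST)

    return {
        "fast_cracked": fast_cracked, "fast_rate": fast_rate,
        "slow_cracked": slow_cracked, "slow_rate": slow_rate,
        "peppered_cracked": pep_cracked,
    }


if __name__ == "__main__":
    r = compare_schemes()
    print(f"salted MD5: cracked {sorted(r['fast_cracked'])} at ~{r['fast_rate']:,.0f} guesses/s")
    print(f"PBKDF2:     cracked {sorted(r['slow_cracked'])} at ~{r['slow_rate']:,.0f} guesses/s")
    print(f"peppered:   cracked {sorted(r['peppered_cracked'])} without the pepper")
```

Two things worth noticing in the output. The slow hash cracks exactly the same three weak passwords; it does not rescue them, it only makes each guess cost roughly 100,000 times more, which is what turns "the whole table in an afternoon" into "a handful of accounts". The pepper stops the dump-only attacker outright, but it holds only as long as the config is secret: anyone who can run PHP from the ACP, or read the filesystem, gets it along with the database, which is the caveat Ryan's bracketed note makes.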
#23 XTF (IPB Full Member · +Clients · 117 posts)

Posted 26 March 2012 - 04:01 PM

> Websites that require a minimum eight characters, a capital letter, a lower case letter, and a special character are evil.

Except for the special character, what's wrong with the requirement?

One option I'd like to see is for the board to auto-generate a safe password for the user.

#24 Rimi (Strip Me · +Clients · 6,121 posts)

Posted 26 March 2012 - 04:22 PM

> Except for the special character, what's wrong with the requirement?
>
> One option I'd like to see is for the board to auto-generate a safe password for the user.

Nothing, just personal preference. I never join sites that have those password requirements unless of course it's a bank or something that actually needs such kind of security.

#25 bfarber (RBT-KS · IPS Management · 28,654 posts)

Posted 27 March 2012 - 08:39 AM

> Except for the special character, what's wrong with the requirement?
>
> One option I'd like to see is for the board to auto-generate a safe password for the user.


http://lifehacker.co...sible-gibberish

People can remember pass phrases. People can't remember "aDgghA31X$%1s".

Brandon Farber
Development Manager / Senior Support

If it sounds like fun, it's not allowed on the bus!

Invision Power Services, Inc.


#26 valendono (Advanced Member · Members · 249 posts)

Posted 27 March 2012 - 09:11 AM

I am thinking of something like encrypting the password with a keyword: each installation has one keyword that is encrypted with the domain, let's say a SHA-1 encrypted domain, and with that keyword we encrypt the password.

So the chance of hackers knowing that encrypted domain is 10% :D

Just my fifty cents.

Forum:
[N3] Nyit-Nyit.Net (IPB)

Any forum software settings, maintenance, tuning: hire me!

My Modifications:
IP.SEO Tag Custom (3.2.x, 3.3.x)
Indowebster Link Media tag (3.2.x, 3.3.x)
Indonesian 1.0 for IPBoard 3.3.x (Language Packs)


#27 XTF (IPB Full Member · +Clients · 117 posts)

Posted 27 March 2012 - 12:21 PM

> People can remember pass phrases. People can't remember "aDgghA31X$%1s".

You're not supposed to use the same password on multiple sites, so you're also not supposed to remember it.

#28 bfarber (RBT-KS · IPS Management · 28,654 posts)

Posted 27 March 2012 - 02:32 PM

Perhaps in an ideal world. The reality is, most average users do anyways.



#29 Rimi (Strip Me · +Clients · 6,121 posts)

Posted 27 March 2012 - 03:33 PM

> You're not supposed to use the same password on multiple sites, so you're also not supposed to remember it.

...whoops.

#30 raindog308 (Advanced Member · +Clients · 294 posts)

Posted 29 March 2012 - 01:00 AM

Forcing the user to select a good password is the real answer. Certain length, not a dictionary word, certain complexity, etc.

BlackBeltDL.com: Martial arts home study program reviews and discussion forum

#31 XTF (IPB Full Member · +Clients · 117 posts)

Posted 29 March 2012 - 10:02 AM

> Forcing the user to select a good password is the real answer. Certain length, not a dictionary word, certain complexity, etc.

Qwerty1234? :P

#32 Michael (Meet Jay · +Clients · 19,587 posts)

Posted 29 March 2012 - 10:06 AM

I long for the day when we don't have to use passwords anymore, bring on biometrics. I have to keep a spreadsheet of all of my passwords, since so many sites have different rules about them, which sucks from a security standpoint.

Contact Me: Email · Facebook · Twitter · Google+


#33 Brett L (Advanced Member · Members · 305 posts)

Posted 29 March 2012 - 11:04 AM

> I long for the day when we don't have to use passwords anymore, bring on biometrics. I have to keep a spreadsheet of all of my passwords, since so many sites have different rules about them, which sucks from a security standpoint.


Been using it for years. Great Chrome plugin. (The one for Firefox is decent too.)
https://agilebits.com/onepassword

Allows for backing up to a thumb drive as well.

#34 Michael (Meet Jay · +Clients · 19,587 posts)

Posted 29 March 2012 - 11:20 AM

Yes, I am aware of password storing addons, but I'd rather I kept hold of my passwords myself.



#35 Pjohnson (IPB Newbie · +Clients · 9 posts)

Posted 29 March 2012 - 01:33 PM

This article explains why bcrypt is strongly preferred to MD5 and other hash functions:
http://codahale.com/...ore-a-password/

#36 raindog308 (Advanced Member · +Clients · 294 posts)

Posted 29 March 2012 - 09:54 PM

> I long for the day when we don't have to use passwords anymore, bring on biometrics. I have to keep a spreadsheet of all of my passwords, since so many sites have different rules about them, which sucks from a security standpoint.


No thanks. Flaws in other people's hardware become your problems. I can change my password and complexity at will and have a different one for each web site (and really, with free software like PasswordSafe, why not?). I can't change my thumbprint for each web site.

#37 raindog308 (Advanced Member · +Clients · 294 posts)

Posted 29 March 2012 - 09:55 PM

> Nothing, just personal preference. I never join sites that have those password requirements unless of course it's a bank or something that actually needs such kind of security.


Use stronger passwords - problem solved :rofl:

#38 Rimi (Strip Me · +Clients · 6,121 posts)

Posted 29 March 2012 - 10:24 PM

> Use stronger passwords - problem solved :rofl:

My password is quite strong.

Admittedly though if it's something I don't care about I just use 123456

#39 nwilson5 (IPB Newbie · +Clients · 38 posts)

Posted 11 August 2012 - 01:54 AM

Nothing you can do against bruteforcing? Ever heard of using a hashing algorithm that isn't fast as balls?

MD5 is not the way passwords should be hashed these days. Look up bcrypt or something else that can't easily be bruteforced. It's not possible to stop someone from bruteforcing, sure, but when you use a hashing algorithm that can be computed hundreds of millions of times per second you are doing something wrong... There ARE alternatives.

I do hope I'm behind the times and that IPS doesn't still use MD5 but can't be assed to actually read around the site. So does this mean the account I'm using right now someone may have the hash/salt combo somewhere?

Using strong passwords will help - they likely try common passwords first when doing a bruteforce attack on someone. Though not all blame is on the user, here.

#40 PeterUK (IPB Full Member · Members · 188 posts)

Posted 12 August 2012 - 08:28 AM

MD5 is still being used for IP.Board. But yes, a slower hashing algorithm would be great, it should even be possible to convert these on the fly as users successfully login to their accounts.
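PeterUK's "convert these on the fly as users successfully login", plus the gap it leaves (users who never log in again stay on MD5), as an added example that is not code from this thread or from IPS. It keeps three record formats side by side: the legacy salted MD5, a "wrapped" form produced offline by feeding the stored MD5 hex into the slow hash (no password needed, so every row can be protected in one migration), and the target format, which a row reaches the next time its owner logs in and the plaintext is in hand. Assumptions: the record layouts are invented for the example, not IP.Board's real storage; PBKDF2-HMAC-SHA256 stands in for bcrypt because it is in the standard library; the work factor and the sample users are constructed.

```python
import hashlib
import hmac
import secrets

# Assumed record formats for this example (not IP.Board's real storage layout):
#   legacy:  {"scheme": "md5",         "salt": s,  "hash": md5(s + password)}
#   wrapped: {"scheme": "pbkdf2(md5)", "md5_salt": s, "salt": s2, "rounds": r,
#             "hash": pbkdf2(md5(s + password), s2, r)}   # built from the stored MD5, no password needed
#   target:  {"scheme": "pbkdf2",      "salt": s2, "rounds": r, "hash": pbkdf2(password, s2, r)}
# PBKDF2-HMAC-SHA256 stands in for bcrypt because it ships with the standard library.
PBKDF2_ROUNDS = 100_000  # assumed work factor


def legacy_md5(password: str, salt: bytes) -> str:
    """The fast legacy hash that the migration is moving away from."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow_hash(secret: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> str:
    """Slow hash applied either to the password itself or to a stored legacy MD5 hex string."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, rounds).hex()


def make_legacy_record(password: str) -> dict:
    salt = secrets.token_bytes(8)
    return {"scheme": "md5", "salt": salt, "hash": legacy_md5(password, salt)}


def make_target_record(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"scheme": "pbkdf2", "salt": salt, "rounds": PBKDF2_ROUNDS,
            "hash": slow_hash(password, salt)}


def wrap_legacy(record: dict) -> dict:
    """Protect an MD5 row right now, offline, by running the stored MD5 through the slow hash.
    Needs no password, so it can be applied to every user in a single migration."""
    if record["scheme"] != "md5":
        return record
    salt = secrets.token_bytes(16)
    return {"scheme": "pbkdf2(md5)", "md5_salt": record["salt"], "salt": salt,
            "rounds": PBKDF2_ROUNDS, "hash": slow_hash(record["hash"], salt)}


def verify(record: dict, password: str) -> bool:
    """Recompute the stored hash under whichever scheme the row is in; constant-time compare."""
    scheme = record["scheme"]
    if scheme == "md5":
        expected = legacy_md5(password, record["salt"])
    elif scheme == "pbkdf2(md5)":
        inner = legacy_md5(password, record["md5_salt"])
        expected = slow_hash(inner, record["salt"], record["rounds"])
    elif scheme == "pbkdf2":
        expected = slow_hash(password, record["salt"], record["rounds"])
    else:
        return False
    return hmac.compare_digest(expected, record["hash"])


def needs_rehash(record: dict) -> bool:
    """True for legacy and wrapped rows, and for target rows stored with a lower work factor."""
    return record["scheme"] != "pbkdf2" or record["rounds"] < PBKDF2_ROUNDS


def login(db: dict, username: str, password: str) -> bool:
    """Check the password and, on success, replace a legacy or wrapped row with the target format.
    Login is the only moment the plaintext is available, so it is the only moment this can happen."""
    record = db.get(username)
    if record is None or not verify(record, password):
        return False
    if needs_rehash(record):
        db[username] = make_target_record(password)
    return True


def migrate_all(db: dict) -> int:
    """One-shot offline step: wrap every remaining MD5 row. Returns how many rows were wrapped."""
    wrapped = 0
    for name, record in db.items():
        if record["scheme"] == "md5":
            db[name] = wrap_legacy(record)
            wrapped += 1
    return wrapped


if __name__ == "__main__":
    db = {"alice": make_legacy_record("hunter2")}   # constructed legacy row
    print("wrapped rows:", migrate_all(db), "->", db["alice"]["scheme"])
    print("login ok:", login(db, "alice", "hunter2"), "->", db["alice"]["scheme"])
```

The wrapped form is what closes PeterUK's gap: after `migrate_all`, a dump contains no bare MD5 at all, so even accounts that never log in again cost the attacker a slow hash per guess. The cost is that `verify` has to keep the legacy MD5 code path alive for as long as wrapped rows exist, and a mistake there (for instance dropping the legacy salt) silently locks those users out, so the three branches are worth a test each.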



