Jump to content


Photo
* * * - - 3 votes

IP.Board password hashing is no longer secure


  • Please log in to reply
53 replies to this topic

#41 Kirito

Kirito

    Needs Serious Help

  • +Clients
  • 2,481 posts

Posted 14 August 2012 - 03:27 PM

For a banking/government based site, enforcing secure passwords and requiring you to make changes to your password every XX days is reasonable. The latter being more so for government based services.

But for a generic forum, not really. It's just a forum.

I admittedly have about 4 different common passwords of various strengths that I use for misc. sites, such as this one.

Honestly though, it's not difficult to create a secure password that's over 15 characters in length. Mix in a favorite music lyric with a favorite quote, favorite catch phrase, whatever. Add capitalization, use numbers in place of letters.. so on. Secure and still easy to remember. It's more secure than the impossible to remember "aZ#%Ji3Pw0R2" password.

It's not terrible practice to write a new password down somewhere and stick it in your wallet for a bit until you're sure you've memorized the password either, afterwards just ripping it up and flushing it down the toilet or burning it.. or just throwing it in the trash like most normal people do.

RBiD22P.png This signature utilizes cookies. By continuing to view topics I have posted in, you are giving consent to cookies being used. RBiD22P.png

If you have a problem with this, please click here. Thank you.


#42 PeterUK

PeterUK

    IPB Full Member

  • +Clients
  • 186 posts

Posted 14 August 2012 - 05:04 PM

For a banking/government based site, enforcing secure passwords and requiring you to make changes to your password every XX days is reasonable. The latter being more so for government based services.

But for a generic forum, not really. It's just a forum.

I admittedly have about 4 different common passwords of various strengths that I use for misc. sites, such as this one.

Honestly though, it's not difficult to create a secure password that's over 15 characters in length. Mix in a favorite music lyric with a favorite quote, favorite catch phrase, whatever. Add capitalization, use numbers in place of letters.. so on. Secure and still easy to remember. It's more secure than the impossible to remember "aZ#%Ji3Pw0R2" password.

It's not terrible practice to write a new password down somewhere and stick it in your wallet for a bit until you're sure you've memorized the password either, afterwards just ripping it up and flushing it down the toilet or burning it.. or just throwing it in the trash like most normal people do.


The length and obscurity of a user's password is much less of an issue when the hashing algorithm is much slower to compute. Generally it's not us, who have good passwords that are having their passwords decrypted after a security breach, it's the users. While it might be their own fault for not using a secure enough password, why not help things anyway by having a more secure hash?

#43 Kirito

Kirito

    Needs Serious Help

  • +Clients
  • 2,481 posts

Posted 14 August 2012 - 06:45 PM

The length and obscurity of a user's password is much less of an issue when the hashing algorithm is much slower to compute. Generally it's not us, who have good passwords that are having their passwords decrypted after a security breach, it's the users. While it might be their own fault for not using a secure enough password, why not help things anyway by having a more secure hash?

Oh, of course. Having a good hash is always good. It's amazing how many large corporations tend to store sensitive data like passwords in plaintext, really.

RBiD22P.png This signature utilizes cookies. By continuing to view topics I have posted in, you are giving consent to cookies being used. RBiD22P.png

If you have a problem with this, please click here. Thank you.


#44 Wolfie

Wolfie

    Don't get mad, get N*Raged!

  • +Clients
  • 12,499 posts

Posted 15 August 2012 - 05:02 AM

Oh, of course. Having a good hash is always good. It's amazing how many large corporations tend to store sensitive data like passwords in plaintext, really.

Disney not only stores passwords in plaintext, but it's also case insensitive. So if your password is "PassWord", then you could type it in as "PASSWORD" or "password" etc.

A lot of sites place restrictions on passwords, but not to make someone use a more secure password, rather it restricts the complexity of the password. For example, some sites limit you to using letters (upper/lower), numbers and a very limited range of 'other' characters. So if you normally use a password like "Password#123", it will reject it with an error telling you that you can only use letters, numbers and something like _ or - or something else. I consider that a HUGE gap in security because suddenly, brute force cracking becomes easier if the 'hashed' passwords are ever obtained somehow (that's IF the passwords are even hashed). It makes me wonder if the developers of those sites didn't get messed up in the head and somehow believe that limiting the characters somehow makes passwords more secure. Sites like that actually make me cringe because it's a disaster waiting to happen.
  • Ryan H., PeterUK and Marcher Technologies like this

٩(͡๏̯͡๏)۶ Click here to browse or purchase IPS software. ٩(͡๏̯͡๏)۶
n-raged.com
- Dacity.Com

♪ Me and you ♪
♪ a two-man crew ♪
♪ side by side we're unified ♪
♪ and we will never be divided ♪

Spoiler

CLICK HERE AND VOTE IP.BOARD AS BEST FORUM SOFTWARE FOR 2013!!!


#45 PeterUK

PeterUK

    IPB Full Member

  • +Clients
  • 186 posts

Posted 16 August 2012 - 08:40 AM

I consider that a HUGE gap in security because suddenly, brute force cracking becomes easier if the 'hashed' passwords are ever obtained somehow (that's IF the passwords are even hashed). It makes me wonder if the developers of those sites didn't get messed up in the head and somehow believe that limiting the characters somehow makes passwords more secure. Sites like that actually make me cringe because it's a disaster waiting to happen.


I agree, all of my passwords contain a mix of numbers, letters and symbols and it really annoys me when a site doesn't allow you to use them. What *is* the point?

I consider it a huge fail on the part of a website if I ever request my password from them and I get an e-mail with it in plaintext.

#46 XTF

XTF

    IPB Full Member

  • +Clients
  • 117 posts

Posted 21 August 2012 - 10:46 AM

MD5 is still being used for IP.Board. But yes, a slower hashing algorithm would be great, it should even be possible to convert these on the fly as users successfully login to their accounts.

Right, so could we get any feedback from Invision about their plans?

#47 Ryan H.

Ryan H.

    Watch how I soar.

  • +Clients
  • 2,997 posts

Posted 21 August 2012 - 10:52 AM

Right, so could we get any feedback from Invision about their plans?

Based on their prior responses, no plans. MD5 is 'secure enough', and bcrypt isn't supported consistently enough for it to be a realistic option.

Ryan Hoerr / "No1 1000"

 

IP.Board 3.4 Resources bullet_star.pngbullet_star.pngbullet_star.pngbullet_star.pngbullet_star.png

App Advanced Tags & Prefixes

App Easy Pages

Skin Graphite

Skin Thoreau


#48 Wolfie

Wolfie

    Don't get mad, get N*Raged!

  • +Clients
  • 12,499 posts

Posted 21 August 2012 - 04:46 PM

Right, so could we get any feedback from Invision about their plans?

There are a couple of things to keep in mind.

1. Any hashing method used has to be supported by all (or nearly all) hosting environments. md5 is one of those methods.

2. You might be tempted to say, "So use md5 as a backup but use something else if it's available." but there's a catch-22 to that. Let's say someone is on a host that supports an alternative method and so that method is used. Then they move to another host that doesn't support it. All of a sudden, EVERYONE has to reset their password in order to be able to sign in. So then it's, "Okay so if you use the better method but also store it using the backup method in case that happens." but then that in itself would defeat the purpose.

It still comes down to a simple fact that no matter the method used, if someone obtains all pieces of information necessary to crack a password, then it can be cracked, period. Stronger methods may take longer, but it can still be done. Things that may seem impossible now could be much easier in just a couple of years. Saying "if people use passwords that are 14 or more characters will make it impossible" isn't really true because it's still possible just with today's technology, it's not very likely unless a hacker has access to several high-end machines & GPU's and has a way of efficiently delegating out the task to those machines. Within a couple of years, it may be possible to hash 10 times what can be done now, making 14 character passwords somewhat 'easy'.

There are very few ideas that would make having the hashes useless and one way is to somehow withhold a key element from the equation. In another topic, I suggested the idea of having an optional 'code' for members to use. The code wouldn't be stored in the database and without that code, the end result would be much harder to achieve. Some tell me that it'd just be easier/better to use a longer password, but the problem with that is that the advice only works when people use longer passwords to begin with. If they use a simple password and aren't likely to change that, then the best option is to give them a way to use a secondary 'password' (software could make sure they aren't the same thing) and add that into the equation. Suddenly, instead of one unknown, there are two unknowns and more processing has to be done to take the additional unknown into the equation.

That's just one concept that could improve the level of security with the hashes. There are others, but keep in mind that anything that is always accessible to the site will also be accessible to the hacker (if they manage to compromise your site that is). Doesn't matter if it's 'hidden' in a file or 'hidden' within the database, if the hacker knows what to look for, they can find ways to get it once they're in.
  • Kirito likes this

٩(͡๏̯͡๏)۶ Click here to browse or purchase IPS software. ٩(͡๏̯͡๏)۶
n-raged.com
- Dacity.Com

♪ Me and you ♪
♪ a two-man crew ♪
♪ side by side we're unified ♪
♪ and we will never be divided ♪

Spoiler

CLICK HERE AND VOTE IP.BOARD AS BEST FORUM SOFTWARE FOR 2013!!!


#49 Kirito

Kirito

    Needs Serious Help

  • +Clients
  • 2,481 posts

Posted 21 August 2012 - 04:51 PM

There are a couple of things to keep in mind...

And if you really wanted to be more secure, I'm sure you could modify the hashing algorithm yourself. Maybe not through hooks or mods and you'd have to keep the file updated throughout version changes.. but I think it'd be possible.

If you're really concerned about these technicalities, I'd think that making a few code changes shouldn't be too huge a task.

At least in this case, you're acknowledging the points stated here and are choosing to use your own method despite the possible drawbacks.

RBiD22P.png This signature utilizes cookies. By continuing to view topics I have posted in, you are giving consent to cookies being used. RBiD22P.png

If you have a problem with this, please click here. Thank you.


#50 Wolfie

Wolfie

    Don't get mad, get N*Raged!

  • +Clients
  • 12,499 posts

Posted 21 August 2012 - 05:43 PM

And if you really wanted to be more secure, I'm sure you could modify the hashing algorithm yourself. Maybe not through hooks or mods and you'd have to keep the file updated throughout version changes.. but I think it'd be possible.

If you're really concerned about these technicalities, I'd think that making a few code changes shouldn't be too huge a task.

At least in this case, you're acknowledging the points stated here and are choosing to use your own method despite the possible drawbacks.

I think you misunderstood.

I'm using what IPS is supplying. The reason is for reliability and security. How reliable or secure would it be for me to make an edit, later on upgrade to a newer version, have to make the change again (if I remember) and at some point, run the risk of my edits being wrong and causing a massive bug that opens the door for hackers? Thanks but no thanks.

I agree that there are ways to improve security, but those ways have to work on all (or almost all) installs. For those that it wouldn't work on, a function to produce the same results, even if it might be a small (microsecond) longer. In short, something that would work for all sites. Let's take sha512 as a hashing method. hash() is available for PHP 5.1.2 and up, and using that takes longer than md5. So that means that someone trying to brute force the password would get slower results. Sounds all great right? But what about a site that has a large number of users signing up or signing on each day? That could potentially cause issues. Not saying it will, but it could. There could be other drawbacks as well. Let's say that overall, it's 'perfect' and so it should be used. Doesn't change the fact that if someone gets the salt and hash, they could crack the password. Might take them a little bit longer, but it could still be done. That would be like putting a small bandaid on cut that requires stitches. The thing about it is that it's not a flaw with how IPS is handling it, it's a flaw no matter where you go. One way hashes can be cracked when the formula is known. It's just how it is.

٩(͡๏̯͡๏)۶ Click here to browse or purchase IPS software. ٩(͡๏̯͡๏)۶
n-raged.com
- Dacity.Com

♪ Me and you ♪
♪ a two-man crew ♪
♪ side by side we're unified ♪
♪ and we will never be divided ♪

Spoiler

CLICK HERE AND VOTE IP.BOARD AS BEST FORUM SOFTWARE FOR 2013!!!


#51 bfarber

bfarber

    RBT-KS

  • IPS Management
  • 28,576 posts

Posted 22 August 2012 - 09:20 AM

Those participating in this discussion looking for good solutions to provide additional security may be interested in the following marketplace two-factor authentication addons

http://community.inv...authentication/
http://community.inv...cation-for-acp/
http://community.inv...authentication/

Changing the hashing algorithm is NOT something to be done lightly. It would need fallbacks, users who haven't logged in since the change would still have passwords hashed based on previous version algorithms, etc. There's a lot that would need to be taken into account.

Brandon Farber
Development Manager / Senior Support

If it sounds like fun, it's not allowed on the bus!

php5_zce_logo_new.gif     

Invision Power Services, Inc.


#52 GIANT_CRAB

GIANT_CRAB

    IPB Newbie

  • Members
  • Pip
  • 47 posts

Posted 24 August 2012 - 09:10 AM

Changing the hashing algorithm is NOT something to be done lightly.


Agreed.

I also understand that IP.Board password hashing is not that /great/.
However, there are factors to put into consider:

Is it really needed to change the hashing method when new hashing algorithms are broken sooner or later?
Your site must be hacked before the hackers acquire the hashed password; wouldn't it be better to fix your site's loop-holes than to "upgrading" IP.Board's password hashing algorithm?
Support Operator @ LoomHosts

#53 Ryan H.

Ryan H.

    Watch how I soar.

  • +Clients
  • 2,997 posts

Posted 24 August 2012 - 09:29 AM

Is it really needed to change the hashing method when new hashing algorithms are broken sooner or later?
Your site must be hacked before the hackers acquire the hashed password; wouldn't it be better to fix your site's loop-holes than to "upgrading" IP.Board's password hashing algorithm?

Not all loopholes can be 'fixed'... people are always a problem.
  • Wolfie and PeterUK like this

Ryan Hoerr / "No1 1000"

 

IP.Board 3.4 Resources bullet_star.pngbullet_star.pngbullet_star.pngbullet_star.pngbullet_star.png

App Advanced Tags & Prefixes

App Easy Pages

Skin Graphite

Skin Thoreau


#54 Wolfie

Wolfie

    Don't get mad, get N*Raged!

  • +Clients
  • 12,499 posts

Posted 24 August 2012 - 09:50 AM

Is it really needed to change the hashing method when new hashing algorithms are broken sooner or later?
Your site must be hacked before the hackers acquire the hashed password; wouldn't it be better to fix your site's loop-holes than to "upgrading" IP.Board's password hashing algorithm?

Double edged sword on this. On the one hand, finding ways to improve security, without going to extremes, is always a good idea. On the other hand, you don't want to make it so that people despise your site because of the hassle they have to go through to join or sign-in.

You mention about the algorithms being broken 'sooner or later', using that same argument, what's the point of using passwords at all? Even with safeguards in place to make it more difficult, someone could still attempt and eventually hack their way into someone's account. It would only be a matter of time. Granted, it could take years or even decades, but that would still fall under "sooner or later" when you think about it.

So yes, there is a need to change it. The issue is it being something that would work on all sites, either because a certain method is automatically supported or from a fall-back method developed by IPS that would generate the same result without getting too complex or using much (if any) additional resources.

Yes, a site has to be hacked so that the data can be obtained in order to start cracking the passwords. I don't think anyone will argue with that point. It's a matter of making it so that the data is somehow useless or will at least require some additional effort or time in order to crack those passwords. Can't make it hardware dependent because if someone changes to another hosting company, all passwords are useless. Can't just make it an additional file, hacker can just download that file. One of those "lose-lose" situations. Oh well, if there's a way to get around those obstacles, then I'm confident the IPS devs will come up with it.

Not all loopholes can be 'fixed'... people are always a problem.

Social engineering, a reminder that you can't program people as you would a computer.
  • PeterUK likes this

٩(͡๏̯͡๏)۶ Click here to browse or purchase IPS software. ٩(͡๏̯͡๏)۶
n-raged.com
- Dacity.Com

♪ Me and you ♪
♪ a two-man crew ♪
♪ side by side we're unified ♪
♪ and we will never be divided ♪

Spoiler

CLICK HERE AND VOTE IP.BOARD AS BEST FORUM SOFTWARE FOR 2013!!!





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users