Password hashing function

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Post Reply
BartVB
Trapped inside rank factory, send help!
Posts: 335
Joined: Thu Aug 02, 2001 1:32 pm
Location: The Netherlands
Contact:

Re: Password hashing function

Post by BartVB »

And don't forget that you shouldn't be running it on a shared server which is where 99% of the phpBB forums end up :)
I Hate oversized sigs and Love Penguins :D
User avatar
Viperal2
Registered User
Posts: 223
Joined: Tue Jun 08, 2004 9:28 pm
Contact:

Re: Password hashing function

Post by Viperal2 »

For you paranoid freakz,

you can add a field to the database that has thge hash type, so if the user has a certian hash type you can either use that has to propte the use to enter password again to change has,

Again with Sh1 you have to make sure you have something over 4.3.x, or one of the extensions loaded.

SHA-512 well that only with and extension, and if you switch host and the don't have it you have a problem.

Anyway Sh1 is not bad move up but not really needed (YET), but the way i posted will work. I think :P .

Oppss New Post (love that Post Review )

The most common way you get havked is by
1. Bad scripts
2. Server holes.
3. You posting you password
4. I have no idea.

Can't say i heard much about people geting hacked but password, but the is XSS.
What is The Viperal ?

http://developer.berlios.de/projects/viperals/" target="_blank
Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: Password hashing function

Post by Martin Blank »

psoTFX wrote:I take it you run over SSL? Have secured servers with appropriate firewalling and tripwire apps? How about DB access? Is that secured? And I guess you have minimal accounts on the server and perhaps even run with SSH disabled, physically accessing the server to make changes?
No. Yes and yes. Yes. Yes, and no but looking into port-knocking to handle opening SSH only when it's needed. :)

It's my server, not a shared server, so I do have more control over it. And some people are making a bit of a bigger deal over my paranoia than they should.

/me adds watchers to the list of those to be watched. ;)
You can never go home again... but I guess you can shop there.
User avatar
Viperal2
Registered User
Posts: 223
Joined: Tue Jun 08, 2004 9:28 pm
Contact:

Re: Password hashing function

Post by Viperal2 »

you know you forgot put you site in you profile, now about it.

You might get some extended traffic

:lol: :lol:
What is The Viperal ?

http://developer.berlios.de/projects/viperals/" target="_blank
Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: Password hashing function

Post by Martin Blank »

I know my site is in my profile.
You can never go home again... but I guess you can shop there.
APTX
Registered User
Posts: 680
Joined: Thu Apr 24, 2003 12:07 pm

Re: Password hashing function

Post by APTX »

Martin Blank wrote:
psoTFX wrote:I take it you run over SSL? Have secured servers with appropriate firewalling and tripwire apps? How about DB access? Is that secured? And I guess you have minimal accounts on the server and perhaps even run with SSH disabled, physically accessing the server to make changes?
No. Yes and yes. Yes. Yes, and no but looking into port-knocking to handle opening SSH only when it's needed. :)

It's my server, not a shared server, so I do have more control over it. And some people are making a bit of a bigger deal over my paranoia than they should.

/me adds watchers to the list of those to be watched. ;)
This is nonsense. What is so secret that you want to hide? Why do you think the best hackers in the world would want to hack YOUR server. Why the hell is it connected to the net if it has so crucial data?? You alone are the weakest link in security.
Don't give me my freedom out of pity!
Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: Password hashing function

Post by Martin Blank »

Firstly, because I can.

Secondly, what does it hurt? If I can get access to it, then what's so bad about securing it in the way I see fit, just in case someone does decide to test it? I have only and exactly those ports open that need to be. Services are handled through secure ports where possible. Is there something wrong with this? If so, you may want to let the security community know.

My Windows systems at home run, for the most part, with NSA security templates in place. I use 15+ character passwords at home and at work so as to require NTLM hashes instead of risking LM hashes being stored. I use PGP-signed e-mail in casual e-mails to many people, and I encrypt anything even remotely sensitive to those that use it when I can.

I practice security as a way of life. It's very occasionally inconvenient (rapidly keying lengthy passwords sometimes makes for typos), but for the most part, I don't notice it. My car has an alarm (came with the package, and I think it's gone off once and that was when I accidentally pressed the wrong button on the remote) and a LoJack, though it is 21st on the list of most stolen cars for my state. I set the deadbolt on my door when I enter the apartment, though I live in a very low-crime area. I lock my console when I go to answer the phone or get something to drink, whether someone is home or not.
You can never go home again... but I guess you can shop there.
APTX
Registered User
Posts: 680
Joined: Thu Apr 24, 2003 12:07 pm

Re: Password hashing function

Post by APTX »

You are paranoid. You should talk about it to someone. You should live in a bunker "just in case". Buy one at http://www.missilebases.com/.

I'm 100% sure that you have no information that is worth anything to anyone.
Don't give me my freedom out of pity!
Martin Blank
Registered User
Posts: 687
Joined: Sun May 11, 2003 11:17 am

Re: Password hashing function

Post by Martin Blank »

Maybe, maybe not. But pages on Geocities have been defaced because of poor security, and with a few exceptions, who cares about pages there?

I joke about my "paranoia." But I don't have any tarps at home, nor do I have more than one roll of duct tape, and even that's beginning to run a bit thin. I don't run my users through any special hoops other than an image code on registration. I try, as much as possible, to allow them to conduct their business on the server as easily as on any other, but with the knowledge that the server will still be there the next day.

My main site is linked to by a fairly well-known webcomic. A fraction of the comic's readers go to my forum. I don't know them all, and I have had the occasional threat in the past (none successful that I've seen) so there's no point in taking chances, especially if I know how to minimize the chances.

As for the decommissioned missile bases, I'd love one, but not for the security. There are few things more cool than owning a place like that. Now, if I can just manage to convince my boss to give me enough of a raise...
You can never go home again... but I guess you can shop there.
User avatar
psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm
Contact:

Re: Password hashing function

Post by psoTFX »

nah, I wouldn't recommend one of those bases ... should the worst ever happen they'll all remain primary targets ... and that sort of heat doesn't lend itself to toasting a few marshmallows ... incinerating them maybe and everything else within a radius of 1 mile + :D
Post Reply