[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Post Reply
gonzoateafly
Registered User
Posts: 8
Joined: Thu Feb 05, 2009 1:38 am

Re: [Discussion] Downtime and Server Compromise

Post by gonzoateafly »

bbrunnrman wrote:There's a little point I'd like to be totally clear about. In the original "Downtime and Server Compromise" post at viewtopic.php?f=71&t=29973
Marshalrusty wrote:phpBB3 is set to convert phpBB2 hashes to the new phpBB3 standard during the first user login.
Many of the later posts suggest that users must actually change their passwords following phpBB2 to phpBB3 conversion in order for this hash conversion to take place. Is this true? I interpreted Marshalrusty's original statement as meaning that the hash conversion takes place automatically without requiring the user to change their password. Which is it? Note that while phpBB3 does include an option to require password changes after certain time intervals, that option isn't enabled by default. And users normally aren't prompted to change password following a phpBB2 to phpBB3 conversion.
Users passwords are only changed once they log in after the upgrade has been made. Remember when you first logged in after the change, and it told you it needed to update your password? That's when the change is made. So if you didn't log in after the phpbb3.x was installed, it's still in the old hash.

bbrunnrman
Registered User
Posts: 4
Joined: Thu Feb 05, 2009 6:18 am

Re: [Discussion] Downtime and Server Compromise

Post by bbrunnrman »

gonzoateafly wrote:Users passwords are only changed once they log in after the upgrade has been made. Remember when you first logged in after the change, and it told you it needed to update your password? That's when the change is made. So if you didn't log in after the phpbb3.x was installed, it's still in the old hash.
I've definitely logged in after the phpBB2 to phpBB3 upgrade, both on phpbb.com and on my own board, but I don't remember being told that it needed to update my password, and I definitely wasn't prompted to change my password.

gonzoateafly
Registered User
Posts: 8
Joined: Thu Feb 05, 2009 1:38 am

Re: [Discussion] Downtime and Server Compromise

Post by gonzoateafly »

If you logged in since the update, you're safe. :)

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy »

bbrunnrman wrote:
gonzoateafly wrote:Users passwords are only changed once they log in after the upgrade has been made. Remember when you first logged in after the change, and it told you it needed to update your password? That's when the change is made. So if you didn't log in after the phpbb3.x was installed, it's still in the old hash.
I've definitely logged in after the phpBB2 to phpBB3 upgrade, both on phpbb.com and on my own board, but I don't remember being told that it needed to update my password, and I definitely wasn't prompted to change my password.
It doesn't prompt you, it just does the conversion.
Chris SmithBlogXMOOhlohArea51WikiNo support via PM/IM
Image

gonzoateafly
Registered User
Posts: 8
Joined: Thu Feb 05, 2009 1:38 am

Re: [Discussion] Downtime and Server Compromise

Post by gonzoateafly »

ToonArmy wrote: It doesn't prompt you, it just does the conversion.
Hmm, ok, I should say some of the time it prompts you. I was forced to do it on my personal forums on a couple of them.

bbrunnrman
Registered User
Posts: 4
Joined: Thu Feb 05, 2009 6:18 am

Re: [Discussion] Downtime and Server Compromise

Post by bbrunnrman »

gonzoateafly wrote:
ToonArmy wrote: It doesn't prompt you, it just does the conversion.
Hmm, ok, I should say some of the time it prompts you. I was forced to do it on my personal forums on a couple of them.
Maybe I've figured out the source of the confusion. When some users try to login the first time after phpBB2 to phpBB3 upgrade, they get an error message that the system couldn't update their password (and I think they end up having to use the "forgot password" feature to get a new one). These are probably cases where an error occurs trying to produce the new salted hashes. But this happens to only a small percentage of users. For most, the system does the conversion automatically, and they can keep logging in with their old passwords.

gonzoateafly
Registered User
Posts: 8
Joined: Thu Feb 05, 2009 1:38 am

Re: [Discussion] Downtime and Server Compromise

Post by gonzoateafly »

bbrunnrman wrote:
gonzoateafly wrote: Hmm, ok, I should say some of the time it prompts you. I was forced to do it on my personal forums on a couple of them.
Maybe I've figured out the source of the confusion. When some users try to login the first time after phpBB2 to phpBB3 upgrade, they get an error message that the system couldn't update their password (and I think they end up having to use the "forgot password" feature to get a new one). These are probably cases where an error occurs trying to produce the new salted hashes. But this happens to only a small percentage of users. For most, the system does the conversion automatically, and they can keep logging in with their old passwords.
That would be my guess. :)

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy »

There are quite a few variables in the password conversion process, but generally a phpBB2 -> phpBB3 conversion the update should be performed automatically.
Chris SmithBlogXMOOhlohArea51WikiNo support via PM/IM
Image

MartinTruckenbrodt
Posts: 171
Joined: Sun Jan 29, 2006 1:00 pm
Location: Germany
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by MartinTruckenbrodt »

Hello,
perhaps you should use phpBB3 insteat of PHPlist for sending newsletter emails: http://www.martin-truckenbrodt.com/cgi/ ... m.php?f=13 ;)

Bye Martin
Advanced Block MOD 1.1.1 has been released! - Prevent spam on your phpBB3 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists! - My MODs

a_o_c
Registered User
Posts: 26
Joined: Mon Feb 02, 2009 8:19 pm
Location: phpbb_
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by a_o_c »

i dont think the DEVs are going to be adding MODs to .com :lol:

Post Reply