[Discussion] Downtime and Server Compromise

[Nicholas the Italian]

Not if the hashes are salted which the new phpBB3 ones are, you would need to generate a rainbow table for each common word plus the salt which is nigh on impossible.

I was talking of simple MD5 (or SHA) hashes (which are still the most used, btw).

[Techie-Micheal]

Those who have not logged in since the conversion to phpBB3 will still have their passwords in the plain MD5 format.

[Phantasmagoric]

Is this article about a planned MASS ATTACK on phpBB forums on DIGG serious?
http://digg.com/security/phpBB_mass_hac ... _prepared_

This has worried me a great deal after the hack on .com itself!

[ToonArmy]

Is this article about a planned MASS ATTACK on phpBB forums on DIGG serious?
http://digg.com/security/phpBB_mass_hac ... _prepared_

This has worried me a great deal after the hack on .com itself!

submitted by Flashman 2 years 321 days ago

Somehow I don't think this is related

[Phantasmagoric]

Ha, I should have paid attention to the dates there, this is getting really weird, it seems everyone is talking about this hack on .com, I'm going to stop reading it all, it's starting to freak me out to much.

[Phox]

Is there any chance emails will be encrypted within the phpList software now? I mean, getting hacked is no problem -- it happens to everyone, but preventing mass damage is a problem and should be dealt with. Thanks for any reply and good luck with fixing everything -- keep it up.

[CarolC1]

I understand they got in through phpList which we do not use.

And I understand phpbb3 software is secure.

But....

Supposing I want a safety margin (not knowing what kind of vulnerability I myself might inadvertently create by overmodding or not updating something in a timely manner, etc.)...

is anyone looking into a way for people with users in the database with passwords still encrypted in the phpbb2 style to update those passwords to the phpbb3 style...

without asking all those users to log in again.

As you pointed out, some of the email addresses may be out of date so we might be unable to contact them.

And I do not want to delete the users.

We do have a lot of users who are just good people, I'd rather have an extra layer of protection for these good souls if it's do-able?

[Phox]

You can't update the passwords without rainbow tabling them (which might not even be possible for some -- but they are already protected). I wouldn't worry about it though, most people do login or would've changed their password by the time you'd get hacked.



<edit>

Alternatively, you could request a mod that deactivated these accounts, or resets their passwords, and just remove their passes.

[a_o_c]

i miss (dot)com. ive been checking in for hours. anyway, i guess its a good thing (it finally got me to register here).

[Erik Frèrejean]

Is there any chance emails will be encrypted within the phpList software now? I mean, getting hacked is no problem -- it happens to everyone, but preventing mass damage is a problem and should be dealt with. Thanks for any reply and good luck with fixing everything -- keep it up.

That would be up to the PHPList developers but I don't see that happen cause when you hash the e-mail addresses you can't e-mail them. That is the same that some people claim that it is stupid to store the database password in plain text, but there is no other way. Encrypting is useless cause those are easily reversed and hashes can't be reversed. So once stored in a hash the data is only useful for comparison.

Supposing I want a safety margin (not knowing what kind of vulnerability I myself might inadvertently create by overmodding or not updating something in a timely manner, etc.)...

To be save only install the MODs you really need, only download MODs from the phpBB.com MODDB and stay up to date with the latest versions.

is anyone looking into a way for people with users in the database with passwords still encrypted in the phpbb2 style to update those passwords to the phpbb3 style...

We are discussing this. But for now we have higher priorities, but we'll think of something before .com gets back online.