Password hashing function
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Re: Password hashing function
And don't forget that you shouldn't be running it on a shared server, which is where 99% of the phpBB forums end up.
I Hate oversized sigs and Love Penguins
Re: Password hashing function
For you paranoid freakz,
You can add a field to the database that has the hash type, so if the user has a certain hash type you can either use that hash, or prompt the user to enter their password again to change the hash.
Again, with SHA1 you have to make sure you have something over 4.3.x, or one of the extensions loaded.
SHA-512, well, that's only with an extension, and if you switch hosts and they don't have it you have a problem.
Anyway, SHA1 is not a bad move up but not really needed (YET), but the way I posted will work. I think.
Oops, new post (love that Post Review).
The most common way you get hacked is by
1. Bad scripts
2. Server holes.
3. You posting your password
4. I have no idea.
Can't say I've heard much about people getting hacked by password, but there is XSS.
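The "hash type field" idea from the post above, written out as an added example (not phpBB's own code): each user row carries a tag naming the algorithm its hash was made with, the login code verifies with whatever that tag says, and, because the plaintext is only available at login, that is the moment the row is moved to the current algorithm. The table and column names, the `md5`/`sha1`/`bcrypt` tags and the choice of `password_hash` as the target are assumptions for the example.

```php
<?php
// Added example, not phpBB code. Assumed schema:
//   users(user_id, username, user_password, user_hash_type)
// where user_hash_type is one of 'md5', 'sha1' (legacy) or 'bcrypt' (current).

const HASH_CURRENT = 'bcrypt';

// Verify $plain against a stored hash, using the algorithm named by the tag.
function verify_tagged(string $plain, string $stored, string $type): bool
{
    switch ($type) {
        case 'md5':    return hash_equals($stored, md5($plain));
        case 'sha1':   return hash_equals($stored, sha1($plain));
        case 'bcrypt': return password_verify($plain, $stored);
        default:       return false; // unknown tag: refuse rather than guess
    }
}

// If the user is still on a legacy tag, return [new_hash, new_tag]; otherwise null.
function upgrade_if_needed(string $plain, string $type): ?array
{
    if ($type === HASH_CURRENT) {
        return null;
    }
    return [password_hash($plain, PASSWORD_BCRYPT), HASH_CURRENT];
}

// Login against a PDO connection; on success, silently re-hash legacy rows.
function login(PDO $db, string $username, string $plain): bool
{
    $st = $db->prepare(
        'SELECT user_id, user_password, user_hash_type FROM users WHERE username = ?'
    );
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !verify_tagged($plain, $row['user_password'], $row['user_hash_type'])) {
        return false;
    }
    // Plaintext is in hand only now, so this is where the hash type changes.
    if ($new = upgrade_if_needed($plain, $row['user_hash_type'])) {
        $up = $db->prepare(
            'UPDATE users SET user_password = ?, user_hash_type = ? WHERE user_id = ?'
        );
        $up->execute([$new[0], $new[1], $row['user_id']]);
    }
    return true;
}
```

Once every row carries the current tag, the legacy branches in `verify_tagged` can be removed, which is the point of recording the type per user instead of guessing from the hash's length.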
Re: Password hashing function
psoTFX wrote:
I take it you run over SSL? Have secured servers with appropriate firewalling and tripwire apps? How about DB access? Is that secured? And I guess you have minimal accounts on the server and perhaps even run with SSH disabled, physically accessing the server to make changes?

No. Yes and yes. Yes. Yes, and no, but looking into port-knocking to handle opening SSH only when it's needed.
It's my server, not a shared server, so I do have more control over it. And some people are making a bit of a bigger deal over my paranoia than they should.
/me adds watchers to the list of those to be watched.
You can never go home again... but I guess you can shop there.
Re: Password hashing function
You know you forgot to put your site in your profile, how about it.
You might get some extended traffic
Re: Password hashing function
I know my site is in my profile.
You can never go home again... but I guess you can shop there.
Re: Password hashing function
Martin Blank wrote:
psoTFX wrote:
I take it you run over SSL? Have secured servers with appropriate firewalling and tripwire apps? How about DB access? Is that secured? And I guess you have minimal accounts on the server and perhaps even run with SSH disabled, physically accessing the server to make changes?

No. Yes and yes. Yes. Yes, and no, but looking into port-knocking to handle opening SSH only when it's needed.
It's my server, not a shared server, so I do have more control over it. And some people are making a bit of a bigger deal over my paranoia than they should.
/me adds watchers to the list of those to be watched.

This is nonsense. What is so secret that you want to hide? Why do you think the best hackers in the world would want to hack YOUR server? Why the hell is it connected to the net if it has such crucial data? You alone are the weakest link in security.
Don't give me my freedom out of pity!
Re: Password hashing function
Firstly, because I can.
Secondly, what does it hurt? If I can get access to it, then what's so bad about securing it in the way I see fit, just in case someone does decide to test it? I have only and exactly those ports open that need to be. Services are handled through secure ports where possible. Is there something wrong with this? If so, you may want to let the security community know.
My Windows systems at home run, for the most part, with NSA security templates in place. I use 15+ character passwords at home and at work so as to require NTLM hashes instead of risking LM hashes being stored. I use PGP-signed e-mail in casual e-mails to many people, and I encrypt anything even remotely sensitive to those that use it when I can.
I practice security as a way of life. It's very occasionally inconvenient (rapidly keying lengthy passwords sometimes makes for typos), but for the most part, I don't notice it. My car has an alarm (came with the package, and I think it's gone off once and that was when I accidentally pressed the wrong button on the remote) and a LoJack, though it is 21st on the list of most stolen cars for my state. I set the deadbolt on my door when I enter the apartment, though I live in a very low-crime area. I lock my console when I go to answer the phone or get something to drink, whether someone is home or not.
You can never go home again... but I guess you can shop there.
Re: Password hashing function
You are paranoid. You should talk about it to someone. You should live in a bunker "just in case". Buy one at http://www.missilebases.com/.
I'm 100% sure that you have no information that is worth anything to anyone.
Re: Password hashing function
Maybe, maybe not. But pages on Geocities have been defaced because of poor security, and with a few exceptions, who cares about pages there?
I joke about my "paranoia." But I don't have any tarps at home, nor do I have more than one roll of duct tape, and even that's beginning to run a bit thin. I don't run my users through any special hoops other than an image code on registration. I try, as much as possible, to allow them to conduct their business on the server as easily as on any other, but with the knowledge that the server will still be there the next day.
My main site is linked to by a fairly well-known webcomic. A fraction of the comic's readers go to my forum. I don't know them all, and I have had the occasional threat in the past (none successful that I've seen) so there's no point in taking chances, especially if I know how to minimize the chances.
As for the decommissioned missile bases, I'd love one, but not for the security. There are few things more cool than owning a place like that. Now, if I can just manage to convince my boss to give me enough of a raise...
You can never go home again... but I guess you can shop there.
Re: Password hashing function
nah, I wouldn't recommend one of those bases ... should the worst ever happen they'll all remain primary targets ... and that sort of heat doesn't lend itself to toasting a few marshmallows ... incinerating them maybe and everything else within a radius of 1 mile +