There is no problems in phpBB 3.0.4, and thus no reason to update. The password security used in phpBB 3.x has already been addressedRabXI3oX wrote:ahh i got it yeah
i just a thought phpBB need new up to date 3.0.5 and im wrong.
but i think phpBB should up to date
is there any new software to make more sercurity add like hard Password provice
You said 'possibly' its fact, we know the attacker does.Stallyon wrote:Hmmm I thought I covered that in #5? My apologies.ToonArmy wrote:Very informative post, it is regrettable to correct you that the attacker stole the users database (containing the usernames, emails and password hashes) and the mailing list subscribers address list.Stallyon wrote:I hope this helps clear up some questions. Mods/admin of this forum are welcome to change/remove this message or comment on/correct if information is incorrect.
cool i cant wait go phpBB back online that i can have need some download for my site php codeStallyon wrote:There is no problems in phpBB 3.0.4, and thus no reason to update. The password security used in phpBB 3.x has already been addressedRabXI3oX wrote:ahh i got it yeah
i just a thought phpBB need new up to date 3.0.5 and im wrong.
but i think phpBB should up to date
is there any new software to make more sercurity add like hard Password provice
So what do you suggest we do nowStallyon wrote:Ohhh OK I was just covering my butt/your butt just in case you were still unsure. Well, then it's a fact then. They have that data.
I am not sure if we should wait and see what level of information the hacker has, isnt it? I think we need to get over with the data acquired, reset the necessary fields and get back to business..RESET is what we all have been doing since a very long time (especially WINDOWS users like me 
)...Lets do it once more!!!
Exactly.Eelke wrote:The problem with a single md5 hash is that, if the hash is known, there are ways to find a string that maybe is not the same as the actual password, but that does generate the same hash (a so-called collision). A common way to do that is to use rainbow tables; huge tables that map from every possible (hence: rainbow) md5 hashed value to a string of characters that yields that particular hash when hashed. If the attacker would put in the colliding string, they could get into the user's account. If that same user used the same password on a different site that too used single md5 hashing, they could get into the user's account on those sites as well.
shahinavthal wrote:So what do you suggest we do nowStallyon wrote:Ohhh OK I was just covering my butt/your butt just in case you were still unsure. Well, then it's a fact then. They have that data.
If we have lost email lists, so be it...I am not sure if the hacker would not use it anyways..So lets move on...
Just pray that nobody used their email passwords the same as the one on phpbb
.Not if the hashes are salted which the new phpBB3 ones are, you would need to generate a rainbow table for each common word plus the salt which is nigh on impossible.Nicholas the Italian wrote:Exactly.Eelke wrote:The problem with a single md5 hash is that, if the hash is known, there are ways to find a string that maybe is not the same as the actual password, but that does generate the same hash (a so-called collision). A common way to do that is to use rainbow tables; huge tables that map from every possible (hence: rainbow) md5 hashed value to a string of characters that yields that particular hash when hashed. If the attacker would put in the colliding string, they could get into the user's account. If that same user used the same password on a different site that too used single md5 hashing, they could get into the user's account on those sites as well.
If I'm correct, this is particoularly true if you use some common word as your password (i.e. vocabulary words, common names, number sequences, dates, inverted words, qwerty-like things, etc.).
Reverse-MD5 tables are freely available even in the public Internet.
A part of the old suggestion of using a different pw for each site, using somewhat complex passwords is also a good advice, for example !waHt+eVer? instead of whatever.
