Users passwords are only changed once they log in after the upgrade has been made. Remember when you first logged in after the change, and it told you it needed to update your password? That's when the change is made. So if you didn't log in after the phpbb3.x was installed, it's still in the old hash.bbrunnrman wrote:There's a little point I'd like to be totally clear about. In the original "Downtime and Server Compromise" post at viewtopic.php?f=71&t=29973Many of the later posts suggest that users must actually change their passwords following phpBB2 to phpBB3 conversion in order for this hash conversion to take place. Is this true? I interpreted Marshalrusty's original statement as meaning that the hash conversion takes place automatically without requiring the user to change their password. Which is it? Note that while phpBB3 does include an option to require password changes after certain time intervals, that option isn't enabled by default. And users normally aren't prompted to change password following a phpBB2 to phpBB3 conversion.Marshalrusty wrote:phpBB3 is set to convert phpBB2 hashes to the new phpBB3 standard during the first user login.
[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
-
- Registered User
- Posts: 8
- Joined: Thu Feb 05, 2009 1:38 am
Re: [Discussion] Downtime and Server Compromise
-
- Registered User
- Posts: 4
- Joined: Thu Feb 05, 2009 6:18 am
Re: [Discussion] Downtime and Server Compromise
I've definitely logged in after the phpBB2 to phpBB3 upgrade, both on phpbb.com and on my own board, but I don't remember being told that it needed to update my password, and I definitely wasn't prompted to change my password.gonzoateafly wrote:Users passwords are only changed once they log in after the upgrade has been made. Remember when you first logged in after the change, and it told you it needed to update your password? That's when the change is made. So if you didn't log in after the phpbb3.x was installed, it's still in the old hash.
-
- Registered User
- Posts: 8
- Joined: Thu Feb 05, 2009 1:38 am
Re: [Discussion] Downtime and Server Compromise
If you logged in since the update, you're safe.
Re: [Discussion] Downtime and Server Compromise
It doesn't prompt you, it just does the conversion.bbrunnrman wrote:I've definitely logged in after the phpBB2 to phpBB3 upgrade, both on phpbb.com and on my own board, but I don't remember being told that it needed to update my password, and I definitely wasn't prompted to change my password.gonzoateafly wrote:Users passwords are only changed once they log in after the upgrade has been made. Remember when you first logged in after the change, and it told you it needed to update your password? That's when the change is made. So if you didn't log in after the phpbb3.x was installed, it's still in the old hash.
-
- Registered User
- Posts: 8
- Joined: Thu Feb 05, 2009 1:38 am
Re: [Discussion] Downtime and Server Compromise
Hmm, ok, I should say some of the time it prompts you. I was forced to do it on my personal forums on a couple of them.ToonArmy wrote: It doesn't prompt you, it just does the conversion.
-
- Registered User
- Posts: 4
- Joined: Thu Feb 05, 2009 6:18 am
Re: [Discussion] Downtime and Server Compromise
Maybe I've figured out the source of the confusion. When some users try to login the first time after phpBB2 to phpBB3 upgrade, they get an error message that the system couldn't update their password (and I think they end up having to use the "forgot password" feature to get a new one). These are probably cases where an error occurs trying to produce the new salted hashes. But this happens to only a small percentage of users. For most, the system does the conversion automatically, and they can keep logging in with their old passwords.gonzoateafly wrote:Hmm, ok, I should say some of the time it prompts you. I was forced to do it on my personal forums on a couple of them.ToonArmy wrote: It doesn't prompt you, it just does the conversion.
-
- Registered User
- Posts: 8
- Joined: Thu Feb 05, 2009 1:38 am
Re: [Discussion] Downtime and Server Compromise
That would be my guess.bbrunnrman wrote:Maybe I've figured out the source of the confusion. When some users try to login the first time after phpBB2 to phpBB3 upgrade, they get an error message that the system couldn't update their password (and I think they end up having to use the "forgot password" feature to get a new one). These are probably cases where an error occurs trying to produce the new salted hashes. But this happens to only a small percentage of users. For most, the system does the conversion automatically, and they can keep logging in with their old passwords.gonzoateafly wrote: Hmm, ok, I should say some of the time it prompts you. I was forced to do it on my personal forums on a couple of them.
Re: [Discussion] Downtime and Server Compromise
There are quite a few variables in the password conversion process, but generally a phpBB2 -> phpBB3 conversion the update should be performed automatically.
-
- Posts: 171
- Joined: Sun Jan 29, 2006 1:00 pm
- Location: Germany
- Contact:
Re: [Discussion] Downtime and Server Compromise
Hello,
perhaps you should use phpBB3 insteat of PHPlist for sending newsletter emails: http://www.martin-truckenbrodt.com/cgi/ ... m.php?f=13
Bye Martin
perhaps you should use phpBB3 insteat of PHPlist for sending newsletter emails: http://www.martin-truckenbrodt.com/cgi/ ... m.php?f=13
Bye Martin
Advanced Block MOD 1.1.1 has been released! - Prevent spam on your phpBB3 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists! - My MODs
Re: [Discussion] Downtime and Server Compromise
i dont think the DEVs are going to be adding MODs to .com