11
Peekay
Re: XOOPS 2.5 - Optional Password Security Patch - v1.0.1
  • 2012/9/8 13:07

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


If Wishcraft's file changes improve security that's great, but I think the moderator should change the title of this thread to ensure Xoops users understand that it is optional. At present, it looks like a core-team security alert, which it is not.
A thread is for life. Not just for Christmas.

12
Mamba
Re: XOOPS 2.5 - Optional Password Security Patch - v1.0.1
  • 2012/9/8 15:06

  • Mamba

  • Moderator

  • Posts: 11366

  • Since: 2004/4/23


Good point, Peekay. Done.
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

13
Anonymous
Re: XOOPS 2.5 - Optional Password Security Patch - v1.0.1
  • 2012/9/8 16:15

  • Anonymous

  • Posts: 0

  • Since:


Quote:
This stuff is inaccessible unless someone hacks into your database.


It is very plausible a hacker can get a database dump without using a Xoops weakness. A hoster can get hacked, a laptop containing backups can get stolen or a webmaster can be carelessly with his own login credentials.

When an employe in my company loses his login credentials he can call the helpdesk. You get a friendly engineer suggesting he can reset your password, the new password is instantly given to you by phone... But how can this friendly engineer be sure I am the person I am telling him I am?

14
Peekay
Re: XOOPS 2.5 - Optional Password Security Patch - v1.0.1
  • 2012/9/8 20:19

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Quote:
...You get a friendly engineer suggesting he can reset your password, the new password is instantly given to you by phone...

Well, that certainly is a pretty dumb thing for them to do. Do they have a suggestion box?
A thread is for life. Not just for Christmas.

15
Anonymous
Re: XOOPS 2.5 - Optional Password Security Patch - v1.0.1
  • 2012/9/8 22:48

  • Anonymous

  • Posts: 0

  • Since:


Quote:
Well, that certainly is a pretty dumb thing for them to do. Do they have a suggestion box?


It's just an example of how security can be compromised, and in this case I can tell out of my own experience... Point I'd like to make is you have to make a security system as save as can be. And please make it fool prove, as humans make stupid mistakes. Using the name of a child, wife or name of the street one lives in is still common behavior.

16
irmtfan
Re: XOOPS 2.5 - Optional Password Security Patch - v1.0.1
  • 2012/9/9 1:53

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


my points:

1- in a live website if i care about security i will install protector and then nobody can do a brute force to find the passwords. therefore we just have problems when the hacker use a non xoops method to access my database like server hacking or stole my laptop, ...

2- i want my users to be convenient and use a password with their own risk. they can use even 123. i will suggest and recommend them to use harder passwords but my website should be user-friendly and i dont want to lose a user by forcing him to use a hard password to protect my website.

3- using a salt password will guarantee my website security while my users have their own simple passwords.

4- salt password can be store in database and not in files.

5- salt password can be change randomly for each user. you can make it very hard and very very secure.
We can randomize the hashes by appending or prepending a random stringcalled a saltto the password before hashing. As shown in the example abovethis makes the same password hash into a completely different string every timeTo check if a password is correctwe need the saltso it is usually stored in the user account database along with the hash, or as part of the hash string itself.

http://crackstation.net/hashing-security.htm

6- implementation of a salt password hash system in xoops core could be done with very less hack in the current system.

Login

Who's Online

227 user(s) are online (156 user(s) are browsing Support Forums)


Members: 0


Guests: 227


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits