xoops forums

Peekay
XOOPS is my life!
Posted on: 2012/9/8 13:07
Posts: 2335
Since: 2004/11/20
#11

Re: XOOPS 2.5 - Optional Password Security Patch - v1.0.1

If Wishcraft's file changes improve security that's great, but I think the moderator should change the title of this thread to ensure Xoops users understand that it is optional. At present, it looks like a core-team security alert, which it is not.
A thread is for life. Not just for Christmas.

Mamba
Moderator
Posted on: 2012/9/8 15:06
Posts: 10779
Since: 2004/4/23
#12

Re: XOOPS 2.5 - Optional Password Security Patch - v1.0.1

Good point, Peekay. Done.
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

Anonymous
Posted on: 2012/9/8 16:15
Posts: 0
#13

Re: XOOPS 2.5 - Optional Password Security Patch - v1.0.1

Quote:
This stuff is inaccessible unless someone hacks into your database.

It is very plausible that a hacker can get a database dump without using a XOOPS weakness. A hoster can get hacked, a laptop containing backups can get stolen, or a webmaster can be careless with his own login credentials.

When an employee in my company loses his login credentials, he can call the helpdesk. You get a friendly engineer suggesting he can reset your password, and the new password is instantly given to you by phone... But how can this friendly engineer be sure I am the person I am telling him I am?

Peekay
XOOPS is my life!
Posted on: 2012/9/8 20:19
Posts: 2335
Since: 2004/11/20
#14

Re: XOOPS 2.5 - Optional Password Security Patch - v1.0.1

Quote:
...You get a friendly engineer suggesting he can reset your password, the new password is instantly given to you by phone...

Well, that certainly is a pretty dumb thing for them to do. Do they have a suggestion box?
A thread is for life. Not just for Christmas.

Anonymous
Posted on: 2012/9/8 22:48
Posts: 0
#15

Re: XOOPS 2.5 - Optional Password Security Patch - v1.0.1

Quote:
Well, that certainly is a pretty dumb thing for them to do. Do they have a suggestion box?

It's just an example of how security can be compromised, and in this case I can tell it from my own experience... The point I'd like to make is that you have to make a security system as safe as can be. And please make it foolproof, as humans make stupid mistakes. Using the name of a child, a wife, or the street one lives in is still common behavior.

irmtfan
Module Developer
Posted on: 2012/9/9 1:53
Posts: 3419
Since: 2003/12/7
#16

Re: XOOPS 2.5 - Optional Password Security Patch - v1.0.1

My points:

1- In a live website, if I care about security I will install Protector, and then nobody can do a brute force to find the passwords. Therefore we only have problems when the hacker uses a non-XOOPS method to access my database, like server hacking or stealing my laptop, ...

2- I want my users to be comfortable and use a password at their own risk. They can even use 123. I will suggest and recommend that they use harder passwords, but my website should be user-friendly and I don't want to lose a user by forcing him to use a hard password to protect my website.

3- Using a salted password will guarantee my website's security while my users have their own simple passwords.

4- The salt can be stored in the database and not in files.

5- The salt can be changed randomly for each user. You can make it very hard and very, very secure.

Quote:
We can randomize the hashes by appending or prepending a random string, called a salt, to the password before hashing. As shown in the example above, this makes the same password hash into a completely different string every time. To check if a password is correct, we need the salt, so it is usually stored in the user account database along with the hash, or as part of the hash string itself.

http://crackstation.net/hashing-security.htm

6- Implementation of a salted password hash system in the XOOPS core could be done with very few hacks to the current system.
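As an added illustration of points 3 to 6 above (example code written for this thread, not part of XOOPS or of the patch under discussion): a per-user random salt stored beside the hash, verification that recomputes with the stored salt, and an upgrade path that re-hashes a legacy unsalted record at its owner's next successful login. The user names, the `123` password and SHA-256 as the hash function are constructed assumptions; a salt alone does not slow down guessing, so production code would pair it with a slow KDF.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who both chose the weak password "123".
SAMPLE_USERS = {"alice": "123", "bob": "123"}

def unsalted_hash(password: str) -> str:
    """Legacy scheme: identical passwords give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Prepend a per-user salt before hashing, as the quoted text describes.
    (A salt hides shared passwords and defeats precomputed tables; it does
    not slow guessing, so real systems add a slow KDF such as PBKDF2.)"""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def store_user(password: str) -> dict:
    """Create a record with a fresh random salt kept beside the hash (point 4)."""
    salt = os.urandom(16)  # OS CSPRNG; a different salt for every user (point 5)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}

def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if "salt" not in record:  # legacy record without a salt field
        return hmac.compare_digest(record["hash"], unsalted_hash(candidate))
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["hash"], salted_hash(candidate, salt))

def login_and_upgrade(record: dict, candidate: str) -> tuple:
    """Point 6: migrate without forcing resets. A legacy record is re-hashed
    with a salt the first time its owner logs in successfully."""
    ok = verify(record, candidate)
    if ok and "salt" not in record:
        record = store_user(candidate)
    return ok, record

def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: store_user(p) for u, p in SAMPLE_USERS.items()}
    legacy = {"hash": unsalted["alice"]}  # constructed pre-patch record
    ok, upgraded = login_and_upgrade(legacy, "123")
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        "salted_collide": salted["alice"]["hash"] == salted["bob"]["hash"],
        "bob_login": verify(salted["bob"], "123"),
        "bob_wrong": verify(salted["bob"], "124"),
        "legacy_upgraded": ok and "salt" in upgraded and verify(upgraded, "123"),
    }
```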