Forum Bugs & Suggestions

Should we have a private forum with post restrictions (minimum posts to view)?

  • Yes please

  • No thanks

  • No, but setup a private forum for members



Marty

tuz
Administrator
Jul 2, 2005
16,991
> Why doesn't the forum support SSL? It really should. Can we do something about this Marty?

Sure it can, I've set up plenty of sites with SSL in the past. I would have to get a new dedicated IP (moneyz) and an SSL certificate (more moneyz) though for it to be set up properly. Too expensive for something that's not really needed IMO.

Not at this moment anyway, might look into it for Juventuz version 14 or whatever's next :p
 

swag

L'autista
Administrator
Sep 23, 2003
84,749
Yeah, I guess who wouldn't be pissed if they reached a level 17 Janna, only to have someone steal their Scepter of Indecipherable English overnight. :frown:
 

Marty

tuz
Administrator
Jul 2, 2005
16,991
> Well, it's just too easy to spy on one's password. But I understand that this seems to be no common concern here :)

Since it's so easy to spy the passwords I'll give you my permission to send me a PM with my password. You need my personal salt as well which will be pretty hard to guess, almost impossible really. Even if you knew my salt it would be difficult since MD5 hash isn't reversible.

And it's encrypted, not once, but twice with MD5.

The firewall will stop you when you try to guess the salt with brute force scripting though (only way to get it without database access) and that'll deny you through iptables (ip ban).

Should this happen you can e-mail me (martin at nathell . com) and I'll remove the ban.

If you have a few thousand available ips and a lot of time (years, really, no joke) and know what you're doing, it might be possible to get hold of it.

The easier option of course would be just to guess my password but then it doesn't matter if we're using SSL or not.

BTW I'm not trying to be an asshole, just stating that it's pretty difficult to do, at least it takes a lot of time.

Info: All accounts are double encrypted with MD5+salt, not just mine.
 

Martin

Senior Member
Dec 31, 2000
56,913
> Since it's so easy to spy the passwords I'll give you my permission to send me a PM with my password. You need my personal salt as well which will be pretty hard to guess, almost impossible really. Even if you knew my salt it would be difficult since MD5 hash isn't reversible.
>
> And it's encrypted, not once, but twice with MD5.
>
> The firewall will stop you when you try to guess the salt with brute force scripting though (only way to get it without database access) and that'll deny you through iptables (ip ban).
>
> Should this happen you can e-mail me (martin at nathell . com) and I'll remove the ban.
>
> If you have a few thousand available ips and a lot of time (years, really, no joke) and know what you're doing, it might be possible to get hold of it.
>
> The easier option of course would be just to guess my password but then it doesn't matter if we're using SSL or not.
>
> BTW I'm not trying to be an asshole, just stating that it's pretty difficult to do, at least it takes a lot of time.
>
> Info: All accounts are double encrypted with MD5+salt, not just mine.

You don't enjoy being challenged, do you Marty? :D
 

Martin

Senior Member
Dec 31, 2000
56,913
So to recap. vbulletin has the hashed salt in context, then it takes your password from the input box, hashes(hashed_salt + password) and posts to the server? Sounds reasonable.

- - - Updated - - -

Actually vbulletin has been md5suming the password in js for a long time now. I'm actually surprised that a lot of other webapps aren't doing the same.
 

Marty

tuz
Administrator
Jul 2, 2005
16,991
> So to recap. vbulletin has the hashed salt in context, then it takes your password from the input box, hashes(hashed_salt + password) and posts to the server? Sounds reasonable.
>
> - - - Updated - - -
>
> Actually vbulletin has been md5suming the password in js for a long time now. I'm actually surprised that a lot of other webapps aren't doing the same.

Yup correct. I think the personal salt is updated when you change password as well.
 

Red

-------
Moderator
Nov 26, 2006
47,024
I see that URLs aren't automatically being made into links when you post them now.

Any chance of changing that back to the way it used to be?
 

enzo

Senior Member
May 14, 2012
2,976
> Since it's so easy to spy the passwords I'll give you my permission to send me a PM with my password. You need my personal salt as well which will be pretty hard to guess, almost impossible really. Even if you knew my salt it would be difficult since MD5 hash isn't reversible.
>
> And it's encrypted, not once, but twice with MD5.
>
> The firewall will stop you when you try to guess the salt with brute force scripting though (only way to get it without database access) and that'll deny you through iptables (ip ban).
>
> Should this happen you can e-mail me (martin at nathell . com) and I'll remove the ban.
>
> If you have a few thousand available ips and a lot of time (years, really, no joke) and know what you're doing, it might be possible to get hold of it.
>
> The easier option of course would be just to guess my password but then it doesn't matter if we're using SSL or not.
>
> BTW I'm not trying to be an asshole, just stating that it's pretty difficult to do, at least it takes a lot of time.
>
> Info: All accounts are double encrypted with MD5+salt, not just mine.

I was thinking of people accessing the forum while connected to public networks. But you are right, and have made it inevitably clear, that it's pretty hard to hack one's password. I wasn't aware of how vbulletin stores and handles passwords. If I get you, it's encrypted as follows: MD5(MD5(Password), Salt), right?
 