Murder1

Atomic passwords - stored in plaintext?


http://community.invisionpower.com/resourc...in-ipboard-r501

 

IP.Board stores members' passwords as a salted hash. Both the hash and the salt are stored in the database in the members table as members_pass_hash and members_pass_salt, respectively.

BAM.

This only proves my point: if I can retrieve my password, that means that the forum software is clearly not using a salted hash.

 

"In cryptography, a salt consists of random bits, creating one of the inputs to a one-way function." First line - http://en.wikipedia.org/wiki/Salt_(cryptography)

Edited by Murder1


That's your favourite site?

Sheesh, you need to get outside a bit more fella.

I was a bit lax there :) I should have pointed out it's my favourite site for mocking the paranoid amongst us.


http://community.invisionpower.com/resourc...in-ipboard-r501

 

IP.Board stores members' passwords as a salted hash. Both the hash and the salt are stored in the database in the members table as members_pass_hash and members_pass_salt, respectively.

BAM.

This only proves my point: if I can retrieve my password, that means that the forum software is clearly not using a salted hash.

 

"In cryptography, a salt consists of random bits, creating one of the inputs to a one-way function." First line - http://en.wikipedia.org/wiki/Salt_(cryptography)

 

If it was a one-way hash, neither you nor anyone else would (at this state of technology) be able to retrieve the password.

 

If you could not retrieve the password then you would not be here to complain about a standard practice for most multi-user on-line software.

 

As already mentioned... either don't use the same password for each service,

 

Or keep levels of passwords so you can separate critical from not critical resources e.g use a password for all the forums you visit, don't use it for online banking.


That's fair, but in all honesty I think we're a low priority target. We don't keep address details, nor financial details.

This may ONLY be a small forum on the net, but with the Trusted Trader section, home delivery addresses and banking details will, I'm sure, be in a lot of people's PM inboxes.

Now I can delete what others send me but what I send them will still be in their PM inbox and I can't control it. How many bother cleaning their PM box?

 

So OP (and now I) has legit concern.

 

 

I saw a video not long ago (embedded below) talking about this sort of stuff and got a little interested. So my comments below are based on that and the little bit of reading I did afterwards, so they might be inaccurate.

 

It doesn't mean it's stored in plain-text. It means it's not salted.

It is most likely reversibly encrypted, which means that access to the database alone via something like an SQL attack shouldn't give you the cleartext passwords.

TBH, it's probably safer than if it's a weak salted password, such as an MD5 digest, in that case.

Yes, if it GIVES you the original password, it means it's reversible encryption, thus anyone with the right permissions on the system can retrieve your account password (sysadmins etc). It is effectively in plain text to those with access.

 

A weak salted MD5 password would still be preferable I think. Reversible encryption means that the encryption method doesn't matter, as with the right access it can be retrieved. Hackers would just go after the access rights not the database itself. Salted MD5 would require brute force, and that, for this site, most hackers probably wouldn't think worth the time/effort.

 

 

http://community.invisionpower.com/resourc...in-ipboard-r501

 

IP.Board stores members' passwords as a salted hash. Both the hash and the salt are stored in the database in the members table as members_pass_hash and members_pass_salt, respectively.

This only proves my point: if I can retrieve my password, that means that the forum software is clearly not using a salted hash.

You are correct. If it's retrieving your actual password it's not salted.

 

Here's a good video going into a bit more depth about hashing and salts. Quite informative.

Start from the 37 minute mark:

 


 

 

If it was a one-way hash, neither you nor anyone else would (at this state of technology) be able to retrieve the password.

 

If you could not retrieve the password then you would not be here to complain about a standard practice for most multi-user on-line software.

One-way hashing just means when a password is lost you reissue a new one. You don't want to recover the old one.

 

Many, many websites when you use the lost password feature just issue you a randomly generated new password, not tell you what your old one was. I don't think I'd call retrieval a standard practice (for websites).
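As an added illustration of the two points made in this reply (a salted one-way hash cannot be reversed, so a lost-password feature has to reissue a new password rather than return the old one), here is a small Python model of a members table. It is example code written for this thread, not IP.Board's own code; the column names members_pass_hash and members_pass_salt come from the quoted IP.Board documentation, but the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions, not a claim about what IP.Board actually uses.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Assumed work factor for this example; not a value taken from IP.Board.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build a members-table style record holding a salted one-way hash.

    The salt is random per record, so two members with the same password
    end up with different stored hashes. Nothing stored here lets the
    original password be recovered; it can only be checked against a guess.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"members_pass_hash": digest.hex(), "members_pass_salt": salt.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Login check: re-hash the candidate with the stored salt and compare.

    compare_digest avoids leaking how many leading bytes matched via timing.
    """
    salt = bytes.fromhex(record["members_pass_salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["members_pass_hash"])


def reset_password(record: dict) -> Tuple[dict, str]:
    """Lost-password flow for a one-way store.

    The old password is not recoverable from `record`, so the only option is
    to generate a fresh random password, store its salted hash, and hand the
    new password to the member (the site never learns the old one).
    """
    new_password = secrets.token_urlsafe(12)
    return make_record(new_password), new_password


def same_password_different_hash(password: str) -> bool:
    """Demonstrate the effect of salting: equal passwords, unequal hashes."""
    first = make_record(password)
    second = make_record(password)
    return first["members_pass_hash"] != second["members_pass_hash"]


if __name__ == "__main__":
    # Constructed sample: one member record and a lost-password reset.
    rec = make_record("correct horse battery staple")
    print("login with right password:", verify(rec, "correct horse battery staple"))
    print("login with wrong password:", verify(rec, "hunter2"))
    new_rec, issued = reset_password(rec)
    print("reissued password works:", verify(new_rec, issued))
    print("old password now rejected:", verify(new_rec, "correct horse battery staple"))
    print("salting makes equal passwords differ:", same_password_different_hash("hunter2"))
```

The thing to notice is that `reset_password` never reads the old password out of the record, because it cannot: a site whose lost-password email contains the password you originally chose must be keeping something reversible (plaintext or decryptable ciphertext), not a record like the one above.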


That's fair, but in all honesty I think we're a low priority target. We don't keep address details, nor financial details.

This may ONLY be a small forum on the net, but with the Trusted Trader section, home delivery addresses and banking details will, I'm sure, be in a lot of people's PM inboxes.

Now I can delete what others send me but what I send them will still be in their PM inbox and I can't control it. How many bother cleaning their PM box?

 

Yeah, but the trading thing is an entirely community-driven exercise. We're not involved with it, and it's always been an 'at own risk' venture.


That's fair, but in all honesty I think we're a low priority target. We don't keep address details, nor financial details.

This may ONLY be a small forum on the net, but with the Trusted Trader section, home delivery addresses and banking details will, I'm sure, be in a lot of people's PM inboxes.

Now I can delete what others send me but what I send them will still be in their PM inbox and I can't control it. How many bother cleaning their PM box?

 

Yeah, but the trading thing is an entirely community-driven exercise. We're not involved with it, and it's always been an 'at own risk' venture.

 

"Caveat emptor" is the term used in the FAQ and is specific to the buyer, not the seller who gives the buyer bank/PayPal etc details. Skimming over the FAQ, apart from the aforementioned I can't see anything resembling "Use Trade Mart at your own risk". You don't guarantee anything either (apart from absolving Haymarket et al from resolving disputes), so it's a little ambiguous.

 

And you promote in the payment guidelines the use of PMs for info transactions.

"Contact the seller via PM, and ask for their full name, current address and email, current home phone and mobile 'phone number."

 

I'm alright with all this though, just wanted to add info to the thread.

 

The main issue is time/effort/money vs risk/benefit of fixing this website vulnerability. You've pointed out that the risk/benefit is low enough to not worry about and outweighs any time/effort/money required to fix the issue. So everyone will have to be content with that.


Ah, you mean this. Section 5A.

 

Perhaps throw a link to that up in the Trademart FAQ? And point out "use at own risk". I can't see a way to get to it directly via the forums. Have to bail to the website to find it.

Although I just found it's linked to in the regular forum FAQ, if one's reading the Trade Mart FAQ they likely won't think to go in there and click links.

Edited by mark84


It still wouldn't matter if they were encrypted: as long as the forum login doesn't use SSL, the would-be hacker could still get your password as it's transmitted to the server!
