
Author Topic: [MOD] [PENDING] Password security  (Read 33123 times)

Offline Sorunome

  • Semi-Newbie
  • *
  • Posts: 30
    • Sorunome on GitHub
Re: [MOD] [WIP] Password security
« Reply #20 on: December 12, 2015, 04:54:49 AM »
Actually, it'll work on PHP 5.3.7+

See the Requirements section of https://github.com/ircmaxell/password_compat#requirements
Thanks, but I backported it. Via that website linked in my previous post I successfully tested it in 4.4.9

Offline Sorunome

  • Semi-Newbie
  • *
  • Posts: 30
    • Sorunome on GitHub
Re: [MOD] [WIP] Password security
« Reply #21 on: December 14, 2015, 03:55:22 PM »
Added licence and stuff now, mod is now pending.
https://github.com/Sorunome/SMF-bcrypt

EDIT: Ok, I don't seem to be able to edit the first post anymore, so a mod mind turning that [WIP] to [PENDING]? Or did I understand it wrong and that is not mine to decide?

Offline Príncipe_Azul

  • Full Member
  • ***
  • Posts: 614
  • Gender: Male
  • Collaborator
    • Foro ArgentinaIRC - General Programming, Computing, IRC and mIRC Scripting
Re: [MOD] [PENDING] Password security
« Reply #22 on: December 19, 2015, 07:34:26 AM »
Hello Sorunome, I want to thank you for the work you are putting in to create and perfect the mod. The security is going to be quite useful and will enhance the security of SMF. I hope and wish that you try the mod so it can be used to strengthen our forums with this new cipher.

Perhaps SMF will release a version for the 2.0.* branch where this new method of encryption could be included, but the idea was yours!

Sorunome, thank you very much for helping to develop SMF. I send you a hug and every success!! :) :)
Foro ArgentinaIRC - Help with General Programming, Computing, IRC and mIRC Scripting.

Forum for Crafts, Cooking Recipes, Dog Clothing, Knitting, Jewellery, Porcelain, Chocolate Making, Wallpapers, News, Beauty, Natural Medicine, Videos and Programs: http://www.MisArtesanias.net/

Offline Diego Andrés

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 3,059
  • Gender: Male
  • We know, we'll be coming
    • DiegoCortes on GitHub
    • @comeladrillos on Twitter
    • SMF Tricks - Free & Premium Themes
Re: [MOD] [PENDING] Password security
« Reply #23 on: December 21, 2015, 02:56:55 PM »
Hello Sorunome, I want to thank you for the work you are putting in to create and perfect the mod. The security is going to be quite useful and will enhance the security of SMF. I hope and wish that you try the mod so it can be used to strengthen our forums with this new cipher.

Perhaps SMF will release a version for the 2.0.* branch where this new method of encryption could be included, but the idea was yours!

Sorunome, thank you very much for helping to develop SMF. I send you a hug and every success!! :) :)

This is already in SMF 2.1, and I don't think it will be included in SMF 2.0.x
Maybe you missed this reply
First and foremost --  SMF does not "receive such horrible security"
SMF has one of the BEST security records out of ALL forum script software.

Second -- sha1 is not a bad method to hash/encrypt -- many systems use it.   However, realize that SMF 2.0 is several years old at this point, and sha1 was definitely a good selection when it was made.  The change to bcrypt for 2.1 is intentional because, yes, it is considered more secure... but sha1 is not "insecure"

SMF Tricks - Free & Premium Responsive Themes for SMF.

Offline Deprecated

  • SMF Hero
  • ******
  • Posts: 3,499
Re: [MOD] [PENDING] Password security
« Reply #24 on: March 19, 2016, 07:44:38 PM »
I have only a few ideas, opinions and suggestions to offer.

First, any password can be cracked by simply throwing every possible combination of allowed characters at an account. Of course the primary defense against this is the N attempts then lock out for X time duration. It is impossible to control the intelligence/stupidity of forum members using the same password at multiple sites. I call these people fools. Myself, I have a major major problem because I have hundreds of passwords for hundreds of sites. I firmly believe in never reusing passwords. As a forum operator you should select the highest forum security setting to force members to at least take advantage of the best that SMF has to offer. Also remember to force members to hide email addresses in their profiles.

Second, after reading the arguments and particularly the implied support of strengthening the system vis a vis SMF 2.1 using a new, improved password system, I think back porting SMF 2.1's password system as a mod for SMF 2.0 is an EXCELLENT idea for a modification package. Most of your design work is already done! There are a few practical concerns though.

I am not aware of any practical way to retrieve user passwords from an existing 2.0 database, so after installing the mod all your members will have to reactivate their accounts by means of the lost password method. This is problematic because forum members being the creatures they are, many of them will have changed ISPs and thus lost access to the email account used to register. Be prepared for a major problem getting existing forum members hooked up to their accounts again.

Depending on your database setup, you should ensure that it cannot be accessed from outside your security zone. In my case my shared host puts their MySQL servers behind a firewall that prevents direct connections from the Internet. I always install my own phpMyAdmin on my servers rather than using the one provided by the host, so I am not familiar with SMF's capabilities for exporting a database from the admin panel. If so, it should be disabled. The way you can do this and prevent an intruder with the admin pass from simply re-enabling it is to install the mod and delete it once installed. You can easily recover from this via FTP by simply FTPing the package back to the /Packages directory, and then it could be easily removed.

Everything considered the mod package porting the SMF 2.1 password system is as I said an excellent idea, outside of the practicality of re-authenticating your members. If it were on the mod site right now with the Customization Team's approval I'd install it right now, because I am in the final stages of pre-launch of my production phase and only staffers and beta testers are registered. I think it would be nearly impossible to upgrade a very large forum that has existed for a long time because of the email address problem I described above.

In closing, I can't quote a source but I've been reading comments posted by developers and other SMF staff that SMF 2.0 is in a final phase where only bugs and vulnerabilities are being fixed. It would be very unlikely to find 2.1's system ported to 2.0 by the developers particularly because of the lost email problem would make it impractical to include it in the main stream, and IMO the developers have their hands full writing 2.1 while keeping 2.0 safe, so the idea of a fork seems unlikely to me too. For that reason this mod would be much better suited as a mod package thus allowing individual forum operators to make the decision for themselves whether their forum is suited for the upgrade.

So I think you should go for it and write the mod and submit it to the Customization Team for official approval, and I think it would be an excellent mod package for forums in a position to deploy it.

Offline Sorunome

  • Semi-Newbie
  • *
  • Posts: 30
    • Sorunome on GitHub
Re: [MOD] [PENDING] Password security
« Reply #25 on: June 09, 2016, 12:07:07 PM »
I am not aware of any practical way to retrieve user passwords from an existing 2.0 database, so after installing the mod all your members will have to reactivate their accounts by means of the lost password method. This is problematic because forum members being the creatures they are, many of them will have changed ISPs and thus lost access to the email account used to register. Be prepared for a major problem getting existing forum members hooked up to their accounts again.
That is why I hooked the sha1 password checking (the SMF 2.0 way) into that piece of code which also allows you to verify passwords from, e.g., phpBB imports - if the bcrypt password hash (SMF 2.1) fails, it tries multiple different hashing methods. That isn't a security risk as the algorithms are different anyway and the resulting hash lengths differ, so it's impossible for one password under one hash to have the same hash from another algorithm.
Quote
Everything considered the mod package porting the SMF 2.1 password system is as I said an excellent idea, outside of the practicality of re-authenticating your members. If it were on the mod site right now with the Customization Team's approval I'd install it right now, because I am in the final stages of pre-launch of my production phase and only staffers and beta testers are registered. I think it would be nearly impossible to upgrade a very large forum that has existed for a long time because of the email address problem I described above.
I am using this mod on two production sites, then again, I am not an official SMF person who verified this.
Quote
So I think you should go for it and write the mod and submit it to the Customization Team for official approval, and I think it would be an excellent mod package for forums in a position to deploy it.
I thought making a thread here was waiting for official approval stuff?
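The fallback check Sorunome describes above, and the "slower is what you want" point raised later in the thread, as an added example that is not code from the SMF-bcrypt mod or from SMF itself: verify against bcrypt first, fall back to the legacy sha1 form only when the stored value is not a bcrypt hash, and rehash on success so the fast hash disappears from the row. It assumes PHP 5.5+ or password_compat for password_hash()/password_verify(), hash_equals() (PHP 5.6+), and models the legacy format on SMF 2.0's sha1(strtolower(username) . password); the function names and sample member are constructed for this example.

```php
<?php
// Added example, not the mod's own code. Cost 10 means 2^10 bcrypt rounds;
// raise it over time so hashing stays deliberately slow on current hardware.
const BCRYPT_COST = 10;

function legacy_sha1_hash($username, $password) {
    // SMF 2.0 stores sha1 of the lowercased member name concatenated with the password.
    return sha1(strtolower($username) . $password);
}

function is_bcrypt_hash($stored) {
    // bcrypt output is 60 chars beginning with $2y$ (or $2a$/$2b$); an SMF 2.0
    // sha1 hash is 40 hex chars. The two formats cannot be confused.
    return strlen($stored) === 60 && preg_match('/^\$2[aby]\$\d{2}\$/', $stored) === 1;
}

/**
 * Returns null when the password is wrong. On success returns array('ok' => true)
 * and, if the stored hash was the legacy sha1 form, also 'new_hash' => a bcrypt
 * hash the caller must write back to the member row.
 */
function verify_and_upgrade($username, $password, $stored) {
    if (is_bcrypt_hash($stored)) {
        return password_verify($password, $stored) ? array('ok' => true) : null;
    }
    // Legacy path: constant-time comparison (on PHP < 5.6 supply a hash_equals polyfill).
    $candidate = legacy_sha1_hash($username, $password);
    if (!hash_equals($stored, $candidate)) {
        return null;
    }
    // Password proven correct: rehash with bcrypt so the next login never touches sha1.
    $new = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    return array('ok' => true, 'new_hash' => $new);
}

// Constructed sample: a member whose row still holds an SMF 2.0 sha1 hash.
$username = 'Alice';
$secret   = 'correct horse battery staple';
$stored   = legacy_sha1_hash($username, $secret);

$first = verify_and_upgrade($username, $secret, $stored);
echo ($first !== null && isset($first['new_hash']) && is_bcrypt_hash($first['new_hash']))
    ? "legacy login accepted, row upgraded to bcrypt\n"
    : "unexpected: legacy login failed\n";

echo (verify_and_upgrade($username, 'wrong password', $stored) === null)
    ? "wrong password rejected on legacy path\n"
    : "unexpected: wrong password accepted\n";

// Second login after the upgrade takes the bcrypt branch and returns no new hash.
$second = verify_and_upgrade($username, $secret, $first['new_hash']);
echo ($second !== null && !isset($second['new_hash']))
    ? "bcrypt login accepted, no further rehash needed\n"
    : "unexpected: bcrypt login failed\n";
```

The upgrade only happens when a member logs in, so rows of members who never return keep the fast sha1 hash and are still the weak spot in a database dump; a periodic count of non-bcrypt rows tells you how far the migration has actually progressed.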

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,119
  • Gender: Male
    • Kindred-999 on GitHub
Re: [MOD] [PENDING] Password security
« Reply #26 on: June 09, 2016, 06:28:28 PM »
no....  this is for developers to chat and get input on betas....   the official team does not review/approve content unless it is submitted as a mod to the mod site
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Woraphat

  • Semi-Newbie
  • *
  • Posts: 65
Re: [MOD] [PENDING] Password security
« Reply #27 on: June 14, 2016, 06:25:35 AM »
This is not a lifesaver but I find it helps me to feel more secure:
  As an admin on some SMF forums, I always select for myself a user name that is not my displayed name.  No reason to make things any easier for those wanting to crack my account.  I also change that non-displayed user name from time to time.

So far, my error logs have not shown anyone trying to log in as one of my displayed names but I prefer to be a little more safe by doing things this way.

Offline oOo--STAR--oOo

  • Full Member
  • ***
  • Posts: 645
  • Perfectionist
    • Developing Uniquez
Re: [MOD] [PENDING] Password security
« Reply #28 on: January 26, 2017, 06:46:32 PM »
Thanks for taking the time out to address an issue and create a mod for it. Is anyone going to attempt to approve it?
You can't fool a sufficiently talented fool.

http://www.uniquez-home.com
In Design Phase!

Mods I am designing,  No refresh Collapse Categories , Poll Redesign , Pure CSS Breadcrumb , Profile Statuses, Profile Views.

Offline nend

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 1,755
  • 2 deep n2 the code
    • sicommnend on GitHub
    • SIComm.us
Re: [MOD] [PENDING] Password security
« Reply #29 on: January 26, 2017, 08:45:26 PM »
Topic marked solved.

Thanks for taking the time out to address an issue and create a mod for it. Is anyone going to attempt to approve it?

Don't know what happened, either it wasn't approved or the author removed it, so it's not in our queue.

Offline oOo--STAR--oOo

  • Full Member
  • ***
  • Posts: 645
  • Perfectionist
    • Developing Uniquez
Re: [MOD] [PENDING] Password security
« Reply #30 on: January 26, 2017, 09:22:38 PM »
I think this would be very useful for 2.0, since 2.1 is not ready yet. Is there any way to get this approved now? Because there is no copyright and the mod doesn't seem to be around, it's stale now I guess?

It is already packaged up on github. Can it not be added to a queue as I do feel that was their intentions.
You can't fool a sufficiently talented fool.

http://www.uniquez-home.com
In Design Phase!

Mods I am designing,  No refresh Collapse Categories , Poll Redesign , Pure CSS Breadcrumb , Profile Statuses, Profile Views.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,119
  • Gender: Male
    • Kindred-999 on GitHub
Re: [MOD] [PENDING] Password security
« Reply #31 on: January 26, 2017, 09:46:41 PM »
Why would it be very useful?   It's not like sha1 is insecure...
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Linkjay

  • Jr. Member
  • **
  • Posts: 206
  • Gender: Male
  • eh
    • My Homepage.
Re: [MOD] [PENDING] Password security
« Reply #32 on: January 26, 2017, 10:29:42 PM »
Why would it be very useful?   It's not like sha1 is insecure...

I agree. I don't see how sha1 is insecure at all. The only true and somewhat-efficient method I know of cracking a password is offline brute force. This would require hacking X forums' database and stealing the hashes and salts which is, of course, difficult if X forums' database is secure.
I play games in my free time and volunteer my knowledge and support to the gaming communities of the internet.

You can contact me by these methods:
Use my Contact Script • PM me here • Add me on Steam

Offline oOo--STAR--oOo

  • Full Member
  • ***
  • Posts: 645
  • Perfectionist
    • Developing Uniquez
Re: [MOD] [PENDING] Password security
« Reply #33 on: January 26, 2017, 10:43:36 PM »
Why would it be very useful?   It's not like sha1 is insecure...

As stated by the OP, bcrypt is slower.

Quote
"Speed is exactly what you don’t want in a password hash function."

If SHA1 is good enough then why change it in 2.1? I mean, why waste time doing this if it's pointless? How long did it take to code?

I don't see how people can be against something that information shows is better.

We all know we should protect our databases, but databases are being compromised all the time. Why make things easier for people?
You can't fool a sufficiently talented fool.

http://www.uniquez-home.com
In Design Phase!

Mods I am designing,  No refresh Collapse Categories , Poll Redesign , Pure CSS Breadcrumb , Profile Statuses, Profile Views.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,119
  • Gender: Male
    • Kindred-999 on GitHub
Re: [MOD] [PENDING] Password security
« Reply #34 on: January 27, 2017, 12:07:52 AM »
you have missed the point,

Why change it? Because it is true that bcrypt is "better", in the respect that it would indeed take longer to brute force the password out.  And I never called it a waste of time for us to make the change on the next version. However, that does not mean that sha1 is NOT secure... or that you should immediately go out and convert your database.
As a matter of fact, doing a conversion now might make it more difficult for you to go to 2.1 when it is ready.

If the issue was THAT critical, we would have forced the change into 2.0.x, since we take smf security very seriously.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline oOo--STAR--oOo

  • Full Member
  • ***
  • Posts: 645
  • Perfectionist
    • Developing Uniquez
Re: [MOD] [PENDING] Password security
« Reply #35 on: January 27, 2017, 12:27:01 AM »
you have missed the point,

Why change it? Because it is true that bcrypt is "better", in the respect that it would indeed take longer to brute force the password out.  And I never called it a waste of time for us to make the change on the next version. However, that does not mean that sha1 is NOT secure... or that you should immediately go out and convert your database.
As a matter of fact, doing a conversion now might make it more difficult for you to go to 2.1 when it is ready.

If the issue was THAT critical, we would have forced the change into 2.0.x, since we take smf security very seriously.

That's your opinion as to which I have mine. The mod is useful. I would like it reviewed. That was my only request.
Don't care about opinions that are not relevant to my query.
You can't fool a sufficiently talented fool.

http://www.uniquez-home.com
In Design Phase!

Mods I am designing,  No refresh Collapse Categories , Poll Redesign , Pure CSS Breadcrumb , Profile Statuses, Profile Views.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,119
  • Gender: Male
    • Kindred-999 on GitHub
Re: [MOD] [PENDING] Password security
« Reply #36 on: January 27, 2017, 01:08:29 AM »
I see that you have embraced the "facts don't matter to me, because they contradict my opinion" party....   you have your opinion and I have the facts.

The fact is, the mod only would get reviewed if and when it is submitted to the mod site.
As a first glance at the concept, I would guess that it would be rejected for the reason I specified above.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Sorunome

  • Semi-Newbie
  • *
  • Posts: 30
    • Sorunome on GitHub
Re: [MOD] [PENDING] Password security
« Reply #37 on: January 27, 2017, 03:14:51 AM »
Hey, this isn't in the mod queue because...
Quote
smf-bcrypt.tar.gz.
database.php unused global $modSettings
Version different in install.xml and package-info.xml

smf-bcrypt-tapatalk.tar.gz
Version different in install.xml and package-info.xml
Commented code in install.xml for LogInOut that causes packman to fail.
And I didn't get around to fix that and anyone could just install from the repo...

Offline nend

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 1,755
  • 2 deep n2 the code
    • sicommnend on GitHub
    • SIComm.us
Re: [MOD] [PENDING] Password security
« Reply #38 on: January 27, 2017, 09:29:57 AM »
Hey, this isn't in the mod queue because...
Quote
smf-bcrypt.tar.gz.
database.php unused global $modSettings
Version different in install.xml and package-info.xml

smf-bcrypt-tapatalk.tar.gz
Version different in install.xml and package-info.xml
Commented code in install.xml for LogInOut that causes packman to fail.
And I didn't get around to fix that and anyone could just install from the repo...

Those are some very minor issues, did you want to resubmit a fix to the mod site?

If not I will go ahead and close the topic and if you wish to continue the process at a later time, just shoot me a PM and I'll go ahead and reopen the topic.

Offline oOo--STAR--oOo

  • Full Member
  • ***
  • Posts: 645
  • Perfectionist
    • Developing Uniquez
Re: [MOD] [PENDING] Password security
« Reply #39 on: January 27, 2017, 09:41:19 AM »
Hey, this isn't in the mod queue because...
Quote
smf-bcrypt.tar.gz.
database.php unused global $modSettings
Version different in install.xml and package-info.xml

smf-bcrypt-tapatalk.tar.gz
Version different in install.xml and package-info.xml
Commented code in install.xml for LogInOut that causes packman to fail.
And I didn't get around to fix that and anyone could just install from the repo...


Ooo so you are still around :D. Good to see. Great work btw, thanks for taking the time out to create this mod.
I am very sure it will be useful to me and many others.
So what needs doing exactly? Are the changes you proposed that need doing on Github?

If you need any help give me a shout!
You can't fool a sufficiently talented fool.

http://www.uniquez-home.com
In Design Phase!

Mods I am designing,  No refresh Collapse Categories , Poll Redesign , Pure CSS Breadcrumb , Profile Statuses, Profile Views.