Can SMF have a "firewall" PW requirement over db's stupid PW?

Started by tpgames, June 07, 2017, 04:27:02 PM

tpgames

Can SMF program a bit of code into the new forum 2.1, such that we have an "enter ridiculously long database username and password here" that is required before we can even get to the real database and their silly "crap database username and silly password here" rules?

Does this make sense to you? I'm trying to build a fence around cPanel's insecure database rules.
Thanks! It is okay if this is not possible. It's not like I'm paying you guys.

MOD: Please move this to the right area, if this is wrong. I'm still stressed and can't find a better area. Thanks! :D

Kindred

In short, no.

Quite honestly, I think that you have a little bit of knowledge and a lot of paranoia... neither of which is really accurate.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

Definitely no.

There's nothing wrong with cPanel's default rules.

Besides, anyone that can get onto the server in the manner where they would be able to talk to the server can already just look up the password in the Settings.php file because they're already on the server.
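The point in the reply above, that the database password sits in plain text in Settings.php so filesystem access is what protects it, can be checked with a small audit. This is an added example, not part of the thread or SMF's own code; the sample file contents and the finding labels are constructed, and it assumes the usual `$db_*` single-quoted assignments.

```python
import os
import re
import stat
import tempfile

# Constructed sample in the style of an SMF Settings.php (all values made up).
SAMPLE_SETTINGS = """<?php
$db_server = 'localhost';
$db_name = 'example_smf';
$db_user = 'example_user';
$db_passwd = 'constructed-sample-only';
"""

ASSIGN = re.compile(r"^\s*\$(db_\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.M)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_settings(path):
    """Return findings about who can reach the stored DB credentials."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-others")
    with open(path, encoding="utf-8", errors="replace") as fh:
        values = dict(ASSIGN.findall(fh.read()))
    if values.get("db_passwd"):
        # Report presence only; never echo the secret itself.
        findings.append("plaintext-db-password-present")
    server = values.get("db_server", "")
    host = server.split(":")[0] if server.count(":") == 1 else server
    if host and host not in LOCAL_HOSTS:
        findings.append("remote-db-server:" + server)
    return findings


def demo(mode):
    """Write the constructed sample with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Settings.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SETTINGS)
        os.chmod(path, mode)
        return audit_settings(path)


if __name__ == "__main__":
    print("0644:", demo(0o644), "\n0600:", demo(0o600))
```

On shared hosting the useful result is the mode-bit findings: a longer password changes nothing if other accounts on the box can read the file.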

tpgames

That's fine. I wasn't sure.

Concerning paranoia? My cracker literally changed data on two files that were NOT on the forum! I was cracked by a pro and did change passwords. This cracker, I know for a fact, uses a code and several browsers that use multiple languages. It's not difficult to crack a database password that bans umlauts, Russian, Hebrew, etc. The only thing you can do is make the password longer, but as long as n! = 52! = 8.065817517 E+67 password possibilities exist and a computer capable of going through all those passwords exists, you will be cracked. It is just a matter of when, and not if. I'd rather have less whens and more ifs. I tend to get the nutters who think they are cracking important websites with real data. Why? I have no idea! My data is not important. I am just tired of dealing with terrorists from Kosovo and blackhats with a vendetta. I don't even advertise the site that gets cracked very well! And yes, I've changed my pw many many times. I get the true pros that can crack MI6, CIA, and so on.

albertlast

PostgreSQL and MySQL support non-ASCII characters for passwords;
stop saying wrong things.

Arantor

If I were looking to crack your database password, I would need precisely one guess. I don't need to brute force billions of combinations.

But sure, if it makes you feel more secure, go nuts and change your password regularly. Just don't lie to people about the security implications.

Whatever you think was the cause of your hack, it certainly wasn't the database password.

tpgames

T35 IT person said that YOUR forum was not secure. You either believe him, or you don't. The choice is yours! I was just very frustrated because a brand new forum that was not very well advertised should not be hacked within three weeks of being put up. A cracker should not be able to change 2 index pages to what they want it to be.

Now, what do I think? I think that anyone who thinks that databases and servers aren't cracked is not watching the real news. These things just happen. Forums go down, they are put back up. When I put up an empty folder and then made only an index page, he hacked it. I had to change all the passwords and delete the database for SMF and start over. Result? He isn't in my website anymore - for now. He might be back. All I know is that IC3 isn't too eager to investigate because I am not Target, Walmart, etc. rich business man. My ISP provider and T35 don't give a rip. No surprise there. They make money regardless. French ISP provider doesn't care either. No surprise. And, I wasn't even the only victim. At least three other people posted on this one site about brute force attacks, port attacks and bad bots from the same IP address that came to my website. Oh well, it happens. We move on. I think this matter is closed. The only solution to avoid cracking I refuse to do! I know someone who refuses internet and thinks that anyone who is "lame enough to connect to the internet is asking for trouble and asking to be cracked". He believes that PCs should be glorified typewriters. :laugh: No thanks! I expect some issues and accept that part of life. It's a part of the trade-off of being online. I just wish I had a little less of it from those who aren't just "here to spam you".

Colin

Quote from: tpgames on June 09, 2017, 07:16:30 PM
T35 IT person said that YOUR forum was not secure. You either believe him, or you don't. The choice is yours! I was just very frustrated because a brand new forum that was not very well advertised should not be hacked within three weeks of being put up. A cracker should not be able to change 2 index pages to what they want it to be.

We take security reports seriously, but no details of a genuine vulnerability have been reported.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Kindred

So, the fact that he "hacked" a simple index page indicates that the issue was never in SMF at all -- your SERVER had a vulnerability which he exploited - once a hacker is into your server, all the security of a script is basically useless, because he has direct access to the file system.

A security vulnerability in SMF might have allowed him to get into the server as well -- but there are no known security vulnerabilities in SMF right now - and the evidence of his actions indicates that he got in at the server level, not the script level.

Of course, knowing that your host is running a seriously outdated and potentially insecure version of PHP does tend to also suggest that there is a server side issue, not a script side issue. The host can blame SMF all they want and throw all the shade that they want -- but without actual details, all they are doing is blowing smoke.