Netgate Discussion Forum

    Password in plain text!

Forum Feedback
    17 Posts 10 Posters 10.3k Views
NuSkooler

      Hello admins!

I just barely registered and the first thing I noticed was that my password was sent in plain text to my email. This means you're doing it wrong, and it is a strong indicator to me that my password is likely stored in your database wrong as well.

Sorry for being anal, but pfSense is a piece of security software; the forums should reflect such security knowledge.

Metu69salemi

If I'm not completely wrong, SMF 1.1.7 uses MD5 hashes when saving passwords to the database.
You can crack your password if

1. you have a powerful machine and a lot of time
2. you have a complete rainbow table.

But back to the OP: passwords are hashed by default.

P.S. I'm not working for pfSense.

NuSkooler

          @Metu69salemi:

If I'm not completely wrong, SMF 1.1.7 uses MD5 hashes when saving passwords to the database.

This would provide some relief, though MD5s are incredibly outdated and nearly useless at this point (you really don't need a lot of time to crack them; it takes minutes at most). If this is true, I'd like to suggest at least disabling the sending of plain text passwords via email.

Metu69salemi

Well, updating to a more modern SMF would bring some extra safety, because passwords are salted as well.

jimp (Rebel Alliance Developer, Netgate)

              Updating to a newer SMF is on the agenda. We have a web dev on staff now that will be working on it. Last time the upgrade was attempted, the theme blew things up badly, and there were other issues I don't recall.

gderf

                @NuSkooler:

….. MD5s are incredibly outdated and nearly useless at this point (you really don't need a lot of time to crack them; it takes minutes at most).

                Minutes at most? Can you cite a source?

NuSkooler

                  @gderf:

                  @NuSkooler:

….. MD5s are incredibly outdated and nearly useless at this point (you really don't need a lot of time to crack them; it takes minutes at most).

                  Minutes at most? Can you cite a source?

                  Please feel free to Google the numerous articles on the matter. For example, http://www.codinghorror.com/blog/2012/04/speed-hashing.html.

                  Given rainbow tables and the many resources available (even online for the masses!) that throw many GPUs at brute force, MD5 should never, ever, in any case, be used anymore. Hell, not even SHA-1 should be these days (AFAIK, later versions of SMF use SHA-1+salt).

                  As long as passwords are at least not stored in plain text and at the least SHA-1+salt where stored, it's not a huge deal for things like a forum (it would be your own fault for using the same password for say, your bank)… but sending them out in plain text simply breaks whatever else you back it with.

gderf

                    You're still mistaken about minutes at most.

                    As far as the forum sending your password in plaintext, how else should they send it to you and still be useful for you to log in and immediately change your password?

NuSkooler

                      @gderf:

                      You're still mistaken about minutes at most.

You're right. Generally, passwords that are only MD5'd can be looked up in a rainbow table and "cracked" in a matter of milliseconds.

                      @gderf:

                      As far as the forum sending your password in plaintext, how else should they send it to you and still be useful for you to log in and immediately change your password?

                      They shouldn't. Plain and simple.

                      • At account creation, I just set (and verified) my password. Don't send it.

• If I need a password reset, send me an email with a password reset link.

                      That's it. This is common and secure. There is nothing to invent.

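A minimal implementation of the reset-link flow NuSkooler describes, added here as an example and not taken from the forum software or from anyone in the thread: the server keeps only a hash of a random, single-use, time-limited token, emails the raw token inside a link, and never emails the password itself. The 15-minute lifetime, the `/reset` route, and the class and function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime for a reset link


class PasswordResetTokens:
    """Single-use, time-limited password reset tokens.

    Only a SHA-256 digest of each token is kept server-side, so neither the
    database nor its backups contain anything that works as a reset link.
    The raw token goes into the emailed URL exactly once; the password is
    never emailed at all.
    """

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock, handy for testing
        self._pending = {}               # digest -> (username, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        """Mint a token for the user; returns the raw token for the email link."""
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the username if the token is valid and unexpired, else None.

        The token is consumed on any match (even an expired one), so a link
        can never be replayed; the comparison is constant-time.
        """
        presented = self._digest(token)
        for stored, (username, expires_at) in list(self._pending.items()):
            if hmac.compare_digest(stored, presented):
                del self._pending[stored]       # single use
                if self._now() > expires_at:
                    return None
                return username
        return None

    def reset_link(self, base_url: str, username: str) -> str:
        """Build the URL that goes in the email (hypothetical route)."""
        return f"{base_url}/reset?token={self.issue(username)}"


if __name__ == "__main__":
    store = PasswordResetTokens()
    link = store.reset_link("https://forum.example", "alice")
    print("emailed link:", link)
    token = link.rsplit("token=", 1)[1]
    print("first redeem:", store.redeem(token))    # alice
    print("second redeem:", store.redeem(token))   # None: already used
```

The design point is that nothing the server stores is itself a credential: an attacker who dumps the `_pending` table gets digests, not tokens, and a token that was emailed becomes worthless as soon as it is used once or its window passes. Compare that with a welcome email carrying the password, which stays valid for as long as the account keeps it and for as long as the mail is retained.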
bardelot

                        @NuSkooler:

                        Given rainbow tables and the many resources available (even online for the masses!) that throw many GPUs at brute force, MD5 should never, ever, in any case, be used anymore. Hell, not even SHA-1 should be these days (AFAIK, later versions of SMF use SHA-1+salt).

                        SMF 1.1.17 (the used version which was released mid December 2012) is also using SHA-1 with the username as salt.

                        Btw: Most hashing algorithms are "vulnerable" to rainbow tables, this is not MD5 specific at all. However using a long enough salt renders those tables ineffective. The main reason for MD5 being considered compromised is due to its collision vulnerabilities.

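The difference bardelot describes, as an added example that is not from the thread or from SMF's own code: a lookup table for unsalted MD5, built once from a constructed wordlist, works against every account on every site that stores raw MD5, whereas hashing with the username as salt gives each user a different hash for the same password and forces an attacker to redo the work per user. The exact SMF construction used here (SHA-1 over the lower-cased username followed by the password) is an assumption for this example; the thread only says the username is the salt.

```python
import hashlib

# Constructed wordlist standing in for a precomputed lookup/rainbow table.
WORDLIST = ["letmein", "password", "qwerty", "pfsense", "hunter2", "monkey"]


def md5_hex(s: str) -> str:
    """Unsalted MD5, as the thread assumes for the older SMF 1.1.x."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def build_md5_table(words):
    """Precompute hash -> plaintext once. With no salt, the same table is
    reusable against every account on every site that stores raw MD5."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(table, stored_hash):
    """Table lookup: one dictionary access per hash, no cracking effort."""
    return table.get(stored_hash)


def smf_style_hash(username: str, password: str) -> str:
    """SHA-1 with the username as salt. Assumed form for this example:
    sha1(lowercase(username) + password); the thread only states that the
    username is the salt, not the exact concatenation."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def crack_salted(username: str, stored_hash: str, words):
    """Per-user dictionary attack. The salt is public (it is the username),
    so a shared precomputed table is useless, but the work merely has to be
    repeated for each target rather than avoided."""
    for w in words:
        if smf_style_hash(username, w) == stored_hash:
            return w
    return None


def demo():
    table = build_md5_table(WORDLIST)

    # Two users, same password, unsalted MD5: identical stored hashes, and a
    # single table lookup recovers the plaintext for both at once.
    md5_alice = md5_hex("hunter2")
    md5_bob = md5_hex("hunter2")

    # Same two users under SHA-1 + username salt: different hashes, the MD5
    # table finds nothing, but a per-user dictionary run still succeeds.
    sha_alice = smf_style_hash("alice", "hunter2")
    sha_bob = smf_style_hash("bob", "hunter2")

    return {
        "unsalted_same_hash": md5_alice == md5_bob,
        "unsalted_table_hit": lookup_unsalted(table, md5_alice),
        "salted_same_hash": sha_alice == sha_bob,
        "salted_table_hit": lookup_unsalted(table, sha_alice),
        "salted_targeted_hit": crack_salted("alice", sha_alice, WORDLIST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point bardelot makes follows directly from the output: the salt defeats the precomputed table (no hit for the salted hash) and stops two users with the same password from being identified from their hashes, but because both MD5 and SHA-1 are fast and the username-salt is guessable, a determined attacker who has the hash and the username can still run the dictionary against that one account.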
phil.davis

                          Of course, I use different passwords for my bank login, paypal login and other actually important stuff. For forums I need to be practical and not have a different password for every forum! When I register with a new forum, and it asks me to type a password of my own choosing during the registration process, then I definitely do not want it to send me my password in plain text in a welcome/activation message - I already know the password I typed and do not want it to appear in plain text anywhere.
                          When this happens to me on a new forum, I then feel like I will have to start using a new password on all the forums - a big bother to do all the changes!
                          Is it possible to modify the behaviour of the current forum system to do one of these (best to worst option):
                          a) do not send the password in the welcome/activation message; or
                          b) do not ask for a password at signup, send the new user a generated password and make them change it as they activate; or
                          c) at least, put a warning prominently on the signup page to say "the password you enter here will be emailed to you in plain text, so use a temporary password here, and change it when you receive your activation email".

bardelot

a) Edit Login.english.php (Themes\default\languages) and modify the default welcome messages so they do not contain the password:

$txt['register_immediate_message']
$txt['register_activate_message']
$txt['register_pending_message']
                            
tim.mcmanus

                              [troll]

                              What?  You mean you don't run mandatory TLS on your mail server?  ;D

                              [/troll]

cmb

If you're using a password on web forums that's in any way important, you're doing it wrong. Even sharing between multiple unimportant sites is doing it wrong; use LastPass or something similar.

                                We don't write the forum software, it does what it's written to do. SMF has the best security track record of any forum software out there that I've seen, it's why we started with it and continue to use it. In stark contrast to others like phpBB that have horrid security track records. Passwords are not stored in clear text.

                                I modified its source to not send passwords in email anymore. Why people care that your password goes over email in plain text, and not that it's going over HTTP in plain text every time you log in, I don't know, but I've heard enough "OMG you guys are supposed to know security, don't email my password!" that I changed it.

chpalmer

                                  @cmb:

                                  but I've heard enough "OMG you guys are supposed to know security, don't email my password!" that I changed it.

                                  The same people probably enter their pin code to their debit card at just any gas station though…  ::)

NuSkooler

                                    @cmb:

If you're using a password on web forums that's in any way important, you're doing it wrong. Even sharing between multiple unimportant sites is doing it wrong; use LastPass or something similar.

                                    Absolutely.

                                    @cmb:

                                    I modified its source to not send passwords in email anymore. Why people care that your password goes over email in plain text, and not that it's going over HTTP in plain text every time you log in, I don't know, but I've heard enough "OMG you guys are supposed to know security, don't email my password!" that I changed it.

                                    Awesome, thank you  :D

                                    Oh, and believe me, I care that it's non-TLS as well, but baby steps! Emails are of greater importance IMO due to commonly being archived and stored indefinitely on who knows what server(s). At least in the case of HTTP one must sniff traffic.

apmuthu

                                      MD5 hashes need not be broken, just make up other words that have the same md5 and then use them as passwords!

                                      http://wordd.org/67173F5E47E51642F9F7C7D22B0187AA

                                      MD5 Collision can be used:
                                      http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities
                                      http://cryptography.hyperlink.cz/MD5_collisions.html
                                      http://cryptography.hyperlink.cz/2006/program_v1_pd.zip
                                      http://stackoverflow.com/questions/933497/create-your-own-md5-collisions

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.