

Is this something Frihost should be worried about?





truespeed
phpBB is no longer supporting phpBB2; the full explanation as to why is in the link. As Frihost is using and will remain using the phpBB2 software, should Frihost be worried about forum security?

Quote:
phpBB3 uses a complex hashing algorithm in order to prevent someone from determining the plaintext value of a password. phpBB2, however, used a much simpler and less secure md5 algorithm to store passwords. This is one of the many reasons why we have decided to no longer support the phpBB2 software. Because hashes cannot be reversed


Link
Bondings
This means that if our database is hacked, that a rainbow table (a database containing all the hashes of all possible passwords) can be used to retrieve the passwords. Meaning that if you have an easy password, it can easily be retrieved. If your password has more than 8 characters, especially if you use special characters, it is extremely hard to retrieve it this way since the rainbow table would need to be extremely big.

So no, this isn't really a big problem. And I was already thinking about switching myself to a better hashing system.
nivinjoy
So let's hope for the best, and it is good to hear that Frihost would never go down...!!! Live long Frihost...!!!
nolimitcare
Why not just upgrade to phpBB3? I mean it's cleaner, and many modifications to phpBB2 are there by default on a fresh phpBB3 installation. A database backup for a site the size of Frihost would probably take no more than a day or two, and I know the developers of phpBB would be glad to assist me or a friend in upgrading from phpBB2 to phpBB3 ... Smile
Hogwarts
Bondings wrote:
So no, this isn't really a big problem. And I was already thinking about switching myself to a better hashing system.


Howww? That's not possible Sad

You'd need to unhash/hash every single password in the database Neutral

Bondings wrote:
rainbow table

I can't think of a legitimate reason for somebody to know about rainbow tables Shocked

nolimitcare wrote:
Why not just upgrade to phpBB3? I mean it's cleaner, and many modifications to phpBB2 are there by default on a fresh phpBB3 installation. A database backup for a site the size of Frihost would probably take no more than a day or two, and I know the developers of phpBB would be glad to assist me or a friend in upgrading from phpBB2 to phpBB3 ...

Frihost has been 'too modified' to upgrade (although given Frihost's potential market value, it's silly not to be upgraded).

You can find a complete compendium of reasons, however, on the suggestions board.
AftershockVibe
Hogwarts wrote:
Howww? That's not possible Sad

You'd need to unhash/hash every single password in the database Neutral


No, you just wait until someone logs in. Hash the password entry with the old hash, if it's valid store the new one. After a few months, deactivate the unused accounts which haven't been updated.

Hogwarts wrote:
rainbow table
I can't think of a legitimate reason for somebody to know about rainbow tables Shocked


Because you can't defend against the unknown?
Bondings
@Hogwarts, it's entirely possible to switch to a better hashing system. Considering it is done when upgrading to phpBB3, it can be done here too.

About the hashing/unhashing, what you forgot about it, is that you don't need to unhash the hashed passwords at all. The easiest solution is to take the current hashes, put some salt (random characters, different per password) behind it and then hash the complete thing again with a better (or the same) hashing algorithm.

And about Rainbow tables, you need to know how people try to circumvent your security measures.
Hogwarts
I can't say that's the best way to go about this. AftershockVibe's method does sound better; as the level of security a password would have would be equal to salt + password. Your proposed method means that the brute force simply would need to account for

2[]['/sb3*#/sa.' [a-f0-9]{32}

which has vastly less possible combinations than a well chosen password (the preceding characters are just example-text). Conversely, if they'd gained access to the MySQL database they'd probably have the capability to put a password-logger in the authentication form or even a packet sniffer on the servers Frihost accesses the Internet through, thus rendering all other advanced security measures useless.


Aftershockvibe wrote:
Because you can't defend against the unknown?

You don't specifically defend against rainbow tables regardless; they're hardly an 'exploit' and thus can't effectively be 'defended' against (unless, of course, one is intelligent enough to provide readily available hashes of all their user's passwords). As long as one knows of the potentiality of a hashing process being reversed, that should be aptly sufficient to do so.
xalophus
Hogwarts wrote:
Bondings wrote:
So no, this isn't really a big problem. And I was already thinking about switching myself to a better hashing system.


Howww? That's not possible Sad

You'd need to unhash/hash every single password in the database Neutral

Are you sure it couldn't be done any other way ?
How does the phpBB2->phpBB3 built-in upgrade handle this change ?

Hogwarts wrote:
Bondings wrote:
rainbow table

I can't think of a legitimate reason for somebody to know about rainbow tables Shocked

Ooh ! the unspeakable you-know-what tables !
You seem to know about them. Illegitimate much ?
On a side note, do you know about nuclear weapons ?
Hogwarts
xalophus wrote:
Hogwarts wrote:
Bondings wrote:
So no, this isn't really a big problem. And I was already thinking about switching myself to a better hashing system.


Howww? That's not possible Sad

You'd need to unhash/hash every single password in the database Neutral

Are you sure it couldn't be done any other way ?
How does the phpBB2->phpBB3 conversion handle this change ?

That wouldn't be a switch to a better hashing system. That would be rehashing; not a switch. In addition, it would be less secure than a well chosen password alongside a decent type of hashing.

xalophus wrote:
Hogwarts wrote:
Bondings wrote:
rainbow table

I can't think of a legitimate reason for somebody to know about rainbow tables Shocked

Ooh ! the unspeakable you-know-what tables !
You seem to know about them. Illegitimate much ?
On a side note, do you know about nuclear weapons ?

I'm not going to rule out Bondings knowing about weapons that the human race is yet to discover; however, no, I do not know about nuclear weapons.

Also, I went through the phase of absolute interest in that category of things last year, although I've moved past that. (PS: Use Limewire? Look up "Tobias" in the credits. Wink)


And just on a side note, you're three posts behind the conversation.
Bondings
Hogwarts wrote:
xalophus wrote:
Hogwarts wrote:
Bondings wrote:
So no, this isn't really a big problem. And I was already thinking about switching myself to a better hashing system.


Howww? That's not possible Sad

You'd need to unhash/hash every single password in the database Neutral

Are you sure it couldn't be done any other way ?
How does the phpBB2->phpBB3 conversion handle this change ?

That wouldn't be a switch to a better hashing system. That would be rehashing; not a switch. In addition, it would be less secure than a well chosen password alongside a decent type of hashing.

By my knowledge, the opposite is true, at least according to Wikipedia and my professor(s). The system I describe would more or less be a H-MAC.

The principle of a H-MAC is in simple terms to encode a message several times iteratively, together with a key.

This method even solves the collision attack for md5 hashes, not that this really is a problem for the storage of passwords (it is for message authentication).

Quote:
No known extensions attacks have been found against the current HMAC specification which is defined as H(key1 || H(key2 || message)) because the outer application of the hash function masks the intermediate result of the internal hash.

The hash I propose would be H(salt || H(password)), with the difference that the salt (key2) wasn't used.
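The two migration routes argued over in this thread, AftershockVibe's "re-hash at next login" and Bondings' "wrap the existing md5 hash in a salted outer hash right now", are not mutually exclusive. The example below (added here; it is not Frihost's code nor anything from phpBB) shows them combined: a one-off batch pass turns every stored unsalted md5 digest into H(salt || md5(password)) without needing any plaintext, and the login path then replaces a wrapped record with a direct salted, iterated hash of the password the first time the user authenticates successfully, leaving a list of accounts still awaiting upgrade. The sample user table, the SHA-256 outer hash, the PBKDF2 iteration count and the record layout are all assumptions made for the example; phpBB2's real table layout is not reproduced.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a phpBB2-style user table: unsalted md5(password) hex digests,
# the storage format the thread's quoted phpBB announcement describes.
# The plaintexts appear here only so the sample can be built; a real table holds only digests.
_SAMPLE_PLAINTEXTS = {"alice": "correct horse battery", "bob": "hunter2"}
LEGACY_USERS = {
    user: hashlib.md5(pw.encode()).hexdigest() for user, pw in _SAMPLE_PLAINTEXTS.items()
}

PBKDF2_ROUNDS = 100_000  # assumption: iteration count chosen for this example


def wrap_legacy_hash(md5_hex: str) -> dict:
    """Bondings' scheme: re-hash an existing md5 digest without knowing the password,
    as H(salt || md5(password)) with a per-user random salt and SHA-256 as the outer H.
    Works in a batch over the whole table; no login required."""
    salt = secrets.token_bytes(16)
    outer = hashlib.sha256(salt + md5_hex.encode()).hexdigest()
    return {"scheme": "wrapped-md5", "salt": salt.hex(), "hash": outer}


def verify_wrapped(record: dict, password: str) -> bool:
    """Recompute the inner md5 from the presented password, then the salted outer hash."""
    inner = hashlib.md5(password.encode()).hexdigest()
    salt = bytes.fromhex(record["salt"])
    expected = hashlib.sha256(salt + inner.encode()).hexdigest()
    return hmac.compare_digest(expected, record["hash"])  # constant-time compare


def fresh_hash(password: str) -> dict:
    """AftershockVibe's end state: a direct salted, iterated hash of the plaintext
    (PBKDF2-HMAC-SHA256). Only possible once the user presents the password."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"scheme": "pbkdf2-sha256", "salt": salt.hex(), "hash": dk.hex()}


def verify_fresh(record: dict, password: str) -> bool:
    salt = bytes.fromhex(record["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), record["hash"])


def migrate_all(legacy: dict) -> dict:
    """Step 1 (one-off batch): wrap every stored md5 so no unsalted digest remains."""
    return {user: wrap_legacy_hash(md5_hex) for user, md5_hex in legacy.items()}


def login(store: dict, user: str, password: str) -> bool:
    """Step 2 (lazy upgrade): verify against whichever scheme is stored; on a
    successful login against a wrapped record, replace it with a fresh hash."""
    record = store.get(user)
    if record is None:
        return False
    if record["scheme"] == "wrapped-md5":
        if not verify_wrapped(record, password):
            return False
        store[user] = fresh_hash(password)  # upgrade in place, plaintext is in hand
        return True
    if record["scheme"] == "pbkdf2-sha256":
        return verify_fresh(record, password)
    return False  # unknown scheme: refuse rather than guess


def pending_upgrades(store: dict) -> list:
    """Accounts still on the wrapped scheme; after a grace period these are the
    candidates AftershockVibe suggests deactivating."""
    return sorted(u for u, r in store.items() if r["scheme"] == "wrapped-md5")


if __name__ == "__main__":
    store = migrate_all(LEGACY_USERS)
    print("after batch migration, pending:", pending_upgrades(store))
    print("alice login:", login(store, "alice", "correct horse battery"))
    print("still pending:", pending_upgrades(store))
```

The batch step is what removes the rainbow-table exposure Bondings describes: once every record carries a per-user salt, a precomputed table of md5 digests no longer matches anything in the store, and the md5 value itself never appears in the database again. The login step then moves each active account off the md5 inner layer altogether. Both verification paths use a constant-time comparison so that a timing difference does not leak which bytes of a guess were right.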
© 2005-2011 Frihost, forums powered by phpBB.