password security

Started by Paul Czege, March 10, 2005, 08:51:55 PM

Paul Czege

Hey Clinton,

The hack could have included a download of user information, right? Are user passwords insecure as a result (i.e. we should change them)?

Paul
My Life with Master knows codependence.
And if you're doing anything with your Acts of Evil ashcan license, of course I'm curious and would love to hear about your plans

Clinton R. Nixon

Quote from: Paul Czege
Hey Clinton,

The hack could have included a download of user information, right? Are user passwords insecure as a result (i.e. we should change them)?

Paul

Officially, yes.

The logs, however, do not show any downloading of info. That doesn't mean it didn't happen, and you should change your password if you are security-conscious.
Clinton R. Nixon
CRN Games

Marco

Are passwords stored plain-text by PPBB?

-Marco
---------------------------------------------
JAGS (Just Another Gaming System)
a free, high-quality, universal system at:
http://www.jagsrpg.org
Just Released: JAGS Wonderland

Clinton R. Nixon

Quote from: Marco
Are passwords stored plain-text by PPBB?

-Marco

Nope - they are hashes, which changes everything. I wasn't even thinking of that. In other words, your passwords are pretty safe, unless they are a dictionary word or small variation thereof (shipmate45, for example).

- Clinton
Clinton R. Nixon
CRN Games
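
The caveat in the post above, that a hashed password is still exposed when it is a dictionary word or a small variation of one, can be checked when a user sets a password. This is an added example, not part of the original thread or of phpBB; the wordlist, substitution table and function names are constructed for illustration.

```python
import re

# Constructed sample wordlist; a real check would load a large dictionary file.
WORDLIST = {"shipmate", "password", "dragon", "master", "forge"}

# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def base_candidates(password):
    """Return the simplified forms that simple variation rules map back to a word."""
    lowered = password.lower()
    # Drop digits and punctuation added before or after a word (shipmate45, 1dragon!).
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    forms = {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}
    # A reversed word is another cheap variation.
    forms |= {form[::-1] for form in forms}
    return forms - {""}


def is_guessable(password, wordlist=WORDLIST):
    """True when the password is a dictionary word or a small variation of one."""
    return any(candidate in wordlist for candidate in base_candidates(password))


if __name__ == "__main__":
    # Constructed sample passwords, including the one named in the thread.
    for sample in ["shipmate45", "P@ssw0rd!", "retsam", "vK9#qLm2xT"]:
        verdict = "reject" if is_guessable(sample) else "accept"
        print(f"{sample:12} {verdict}")
```

A password rejected here is one whose hash gives little protection if the user table is ever copied, because it sits in the small set of guesses tried first.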

Victor Gijsbers

Clinton, which version of phpBB were you running?

Clinton R. Nixon

phpBB 2.0.11. A vital security patch was released on Feb. 28th. I saw someone on RPG.net castigate me for not applying the patch when it was released, and I thought, "What the hell does this kid do with his life? Seven days after release, I haven't upgraded a piece of software - that's not so bad. In fact, I generally have about seven straight days' worth of work laid out at any given time."

By the way, it's totally likely that I'll be changing the software from phpBB to something else. If I do, nothing will break - I can rewrite links and whatnot. I've done it before.
Clinton R. Nixon
CRN Games

Domhnall

Just curious-- was there a "disgruntled poster" who you suspect, or did this look just like random malevolence?  Is there a way for you (someone) to trace his IPA?
--Daniel

Clinton R. Nixon

Quote from: Domhnall
Just curious-- was there a "disgruntled poster" who you suspect, or did this look just like random malevolence?  Is there a way for you (someone) to trace his IPA?

It was random malevolence. I have the IP address, but am not going to try and figure out who did it.
Clinton R. Nixon
CRN Games