TCWT (Posted March 23, 2009): Webhostingtalk got hacked a couple of days ago. Their database tables were compromised and it's already out there to download. :o How does IPB encrypt the database? Is it as good as VB's method?
Matt, Management (Posted March 23, 2009): There is no database encryption. If you mean specifically passwords: then they are saved as an md5 hash of the plain text password, which itself is hashed with a random 5 character salt.
TCWT (Posted March 23, 2009): Yeah, I meant passwords. "vBulletin uses a sophisticated hashing algorithm, it uses md5 to hash the passwords once, then adds a salt next to it, and hashes again". So, IPB encryption is not as strong?
Mark (Posted March 23, 2009): It's almost exactly the same: md5( md5( password ) . salt ). There is a very slight difference (they clean the password, then hash; we hash, then clean) but, like I said, essentially the same.
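The scheme Mark describes, worked through as an added example (not code from the thread or from IPB itself): the legacy md5( md5( password ) . salt ) check with a 5-character salt, alongside a stronger replacement (PBKDF2-HMAC-SHA256, my choice here) that a site could apply to each member's row on their next successful login instead of forcing resets. The "clean" step Mark mentions is unspecified in the thread and is left out; the member-row dict is a constructed stand-in for a database row.

```python
import hashlib
import hmac
import os
import secrets
import string

# Legacy scheme as described in the thread: md5( md5( password ) . salt )
# with a random 5-character salt. The "clean" step is omitted (unspecified here).
SALT_ALPHABET = string.ascii_letters + string.digits

def legacy_salt(length: int = 5) -> str:
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))

def legacy_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

def legacy_verify(password: str, salt: str, stored: str) -> bool:
    # constant-time comparison so the check itself leaks nothing about the hash
    return hmac.compare_digest(legacy_hash(password, salt), stored)

# Replacement scheme (chosen for this example, not anything the board shipped):
# PBKDF2-HMAC-SHA256, 16-byte random salt, high iteration count, self-describing string.
PBKDF2_ITERATIONS = 600_000

def modern_hash(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def modern_verify(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login_and_upgrade(record: dict, password: str) -> bool:
    """Verify a login; on success a legacy row is rehashed in place under the new scheme.
    `record` is a constructed stand-in for a members row: {"scheme", "hash", "salt"}."""
    if record["scheme"] == "legacy_md5":
        if not legacy_verify(password, record["salt"], record["hash"]):
            return False
        record.update(scheme="pbkdf2_sha256", hash=modern_hash(password), salt=None)
        return True
    return modern_verify(password, record["hash"])

if __name__ == "__main__":
    salt = legacy_salt()
    row = {"scheme": "legacy_md5", "salt": salt, "hash": legacy_hash("correct horse", salt)}
    assert not login_and_upgrade(row, "wrong password")
    assert login_and_upgrade(row, "correct horse") and row["scheme"] == "pbkdf2_sha256"
    print("legacy row upgraded:", row["hash"][:40] + "...")
```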
Mark (Posted March 23, 2009): Any way to make it even stronger? If there was we would ;)
rct2·com (Posted March 23, 2009): What's the benefit? If you can read the database, you can read the database. One column in one IPB table that contains encrypted versions of passwords is not going to stop the hackers. Hackers need to find server login details, and/or the database username and password, to dump the database contents. All the encryption of the passwords in the database does is stop the hackers from knowing every member's password AFTER they have hacked into the database. Alternatively, hackers need to find out the root admin's password, login to AdminCP, then use SQL Toolbox to dump the data. If you read that link, the hackers got into the database 'around the back' in the ways I describe, rather than 'from the front' [the vb user interface].
TCWT (Posted March 23, 2009): I never said this was going to stop hackers from any attempts. I'm aware they hacked their backup servers containing the database. But, there are other ways of obtaining a database besides logging in with the Admin password to dump them or from ssh.
rct2·com (Posted March 24, 2009): I didn't say it would stop any attempts either. I think what I was trying to say was that making the IPB passwords even stronger in the database wasn't really going to make it any more difficult to hack in, because the way they are most likely to hack in to the actual database is not through the board/AdminCP by guessing a member's password. Previously I have requested that IPB implement password policies in the code to force regular changes, minimum and maximum lengths, exclude passwords that are in a 'dictionary' that IPB can use, no password equal to user name, no password able to be reused for X amount of changes. My request had the most negative response I think I've seen on these boards. :)
bfarber (Posted March 24, 2009): The hackers aren't generally "cracking" the passwords. Changing the encryption method is not likely to make your site any more secure.