OMG IPB 3 Got Hacked!


Kfir

[quote name='tAPir' date='31 August 2009 - 07:22 PM' timestamp='1251742965' post='1850982']
But surely the same criteria applies? You wouldn't give access to your ACP to someone you don't trust. You, therefore, wouldn't make someone a member of staff if you didn't trust them.
[/quote]

I couldn't agree more. :)

[quote name='bfarber' date='31 August 2009 - 10:41 PM' timestamp='1251754869' post='1851068']
If you let your moderators delete topics then no....I mean, they can just click the checkboxes to the right of the topic listing already, so you're not protecting anything. You're just making it take potentially 20 seconds longer.
[/quote]

Not directed at you ;) , but you touched on the general deletion issue. I think some people may have misread my original reply though; I was just referring to the Mass Prune options available, where it would only be a couple of clicks for someone who gained control of a Global mod's account to empty an entire forum, regardless of its size. I know what you are saying though, in that anyone who can delete topics anyway could potentially do the same thing, albeit it would take a lot longer without the Prune tool and they may be stopped before they can finish their "handiwork".

[quote name='Matt' date='01 September 2009 - 07:09 AM' timestamp='1251785354' post='1851206']
Indeed, this reinforces the need to ensure you are only handing out moderation privileges to those who can be fully trusted and who take reasonable measures to secure their own accounts.
[/quote]

Again, could not agree more with that statement. :)


I do think this topic is going off its original tangent though...


[quote name='bfarber' date='31 August 2009 - 08:11 PM' timestamp='1251742299' post='1850972']
Please don't jump to conclusions that IPB itself was hacked. :) There are dozens of possibilities.
[/quote]

Correct!!! Recently in a support forum for a famous CMS an admin has been fired after it was discovered that he was using "admin" as a password.


[quote name='dr. Jekyll' date='02 September 2009 - 03:00 AM' timestamp='1251813651' post='1851308']
Recently in a support forum for a famous CMS an admin has been fired after it was discovered that he was using "admin" as a password.
[/quote]
Which begs the question... Why can I register a new account on my forums with exactly that password (which is only 5 characters long)? Why can a new member, in fact, register an account with as few as 3 characters as a password?...


I realise that new (or existing) members don't get access to your ACP unless you give it to them... but that's exactly what I'm about to do with two of my existing members (albeit restricted access). How can I be sure that they're using secure passwords without actually having to check up on them first?

Surely the IPB registration form can be changed/enhanced to force all new members to choose much more secure passwords in the first place? I mean, there are countless websites (like banks) that include something like, "Your password must be at least 7 characters long and include at least 3 letters and 3 numbers"... (or whatever it is). Yet Invision considers 3 characters to be a strong password?

You should choose a strong password, between 3 and 32 characters


Indeed - which is why it would be good to have a script which would test passwords and contact any member who has a weak password.

I think password conditions should be part of it - however there is no way to tell if any member of staff has a weak or strong password - one can only take their word for it.

However with IPB each member has a different (usually) login name - so any hacker would probably not know this. Unless they hacked their email.
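
An added illustration, not part of any post in this thread and not IPB code: the bank-style rule quoted above (at least 7 characters, 3 letters, 3 numbers) plus a deny list that catches "admin", applied at the only points where a forum sees the plaintext, namely registration, password change and login. The function names, the deny list and the sample logins are all constructed for the example; wiring it into a real board's login handler is assumed, not shown.

```python
MIN_LENGTH = 7    # thresholds from the rule quoted in the thread
MIN_LETTERS = 3
MIN_DIGITS = 3
# Constructed sample deny list; a real deployment would load a much larger one.
DENY_LIST = {"admin", "password", "letmein", "qwerty123", "abc1234"}

# Constructed sample data: (login_name, is_staff, password submitted at login).
SAMPLE_LOGINS = [
    ("alice_mod", True, "admin"),
    ("bob_admin", True, "tr4in-St4tion-9"),
    ("carol", False, "abc"),
    ("dave_mod", True, "dave_mod123"),
]


def password_problems(password, login_name):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if sum(c.isalpha() for c in password) < MIN_LETTERS:
        problems.append("fewer than %d letters" % MIN_LETTERS)
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append("fewer than %d digits" % MIN_DIGITS)
    if password.lower() in DENY_LIST:
        problems.append("on the common-password deny list")
    if login_name and login_name.lower() in password.lower():
        problems.append("contains the login name")
    return problems


def staff_to_contact(successful_logins):
    """Stored passwords are hashed, so strength can only be judged while the
    plaintext is in memory during a successful login. Return the staff
    accounts that fail policy, keeping the reasons but never the password."""
    flagged = {}
    for login_name, is_staff, password in successful_logins:
        if not is_staff:
            continue
        problems = password_problems(password, login_name)
        if problems:
            flagged[login_name] = problems
    return flagged
```

Calling `staff_to_contact(SAMPLE_LOGINS)` flags `alice_mod` and `dave_mod`; the same `password_problems` check can reject a weak choice outright at registration or password change.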


Archived

This topic is now archived and is closed to further replies.
