Lucid Dreaming - Dream Views
    1. #1 ClouD (ex-redhat)
      To my knowledge, a unique random salt is assigned to each member.
      That means every password hash is unique, even if two passwords are the same.
      It also means that malicious administrators (which we don't have at DV) cannot use those password hashes to login to other sites.
      The VB login JavaScript code MD5 hashes the password client side, then submits the hash to the server.

      Asher is the only one allowed to access the database, and most staff don't have FTP access to DV at all, let alone the database - which is monitored in the unlikely event that anyone who had access would ever try to access it.

      Highly unlikely that someone on the net is going to be able to get hold of your unique salt and hash after gaining database access, and then crack that with a custom rainbow table (which requires much space, processing power and/or time, and hope that the password is simple) for a plain text password to then search and login on another website. Even then there are obvious precautions against that: just use different passwords for different sites and keep your password(s) strong.
      You merely have to change your point of view slightly, and then that glass will sparkle when it reflects the light.
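      As an added example (not code from this thread or from vBulletin itself), the scheme ClouD describes: the browser submits md5(password) and the server keeps md5(md5(password) + salt) with a per-member random salt. The md5(md5(password) + salt) construction, the sample password and the three-character salts are assumptions made here, not values from the page.

```python
import hashlib
import secrets
import string
from typing import Optional

# Constructed sample input: a password that two different members both chose.
SAMPLE_PASSWORD = "hunter2"

def client_side_hash(password: str) -> str:
    """What the login JavaScript submits in place of the plain-text password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def new_salt(length: int = 3) -> str:
    """Per-member random salt; the length here is a constructed choice."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def stored_hash(client_hash: str, salt: str) -> str:
    """Server side: md5(md5(password) + salt). Assumed classic vBulletin construction."""
    return hashlib.md5((client_hash + salt).encode("utf-8")).hexdigest()

def register(password: str, salt: Optional[str] = None) -> dict:
    """The record the database keeps: the salt and the salted hash, never the password."""
    salt = salt if salt is not None else new_salt()
    return {"salt": salt, "hash": stored_hash(client_side_hash(password), salt)}

def verify_login(record: dict, submitted_client_hash: str) -> bool:
    """Recompute with the member's own salt and compare in constant time.

    Caveat: the server accepts md5(password) as-is, so that client-side value is
    itself a login credential. Hashing in the browser keeps the plain password off
    the wire; it does not replace an encrypted connection.
    """
    candidate = stored_hash(submitted_client_hash, record["salt"])
    return secrets.compare_digest(candidate, record["hash"])

def same_password_distinct_records(password: str) -> bool:
    """Two members with an identical password end up with different stored hashes."""
    a = register(password, salt="abc")  # constructed salts
    b = register(password, salt="xyz")
    return a["hash"] != b["hash"]

def plain_md5_table_matches(record: dict, password: str) -> bool:
    """A precomputed table of unsalted md5(password) does not match the stored value."""
    return client_side_hash(password) == record["hash"]
```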

    2. #2 Ynot (FBI agent)
      (\_ _/)
      (='.'=)
      (")_(")

    3. #3 ClouD (ex-redhat)
      Do you think this site warrants spending on SSL encryption?

      VB also salts and hashes server side though, no...?

      I don't really get in-depth how VB actually manages the typical login.

    4. #4 Ynot (FBI agent)
      You don't need to buy a certificate from VeriSign or others;
      you can create your own certificate.

      http://www.debian-administration.org/articles/284

      SSL does two things
      - provides an encrypted channel, safe from 3rd party snooping
      - (optionally) provides a way for users to verify that the site is legitimate

      If you are taking personal information from people (financial info, etc.),
      then users will feel more secure if you have an SSL cert signed by a trusted 3rd party.
      You can verify that the website is who they say they are.

      If all you want is to prevent packet snooping, self-signed SSL is more than adequate

    5. #5 Merlock (Wanderer)
      This is Dreamviews, not the CIA's public chat forum.

      An MD5/whatever hash (or rather, multiple hash, last time I dug around in how the major forum engines store passwords) is more than enough to make sure no one sees the users' passwords.

      The biggest question isn't whether it's possible to hack this forum's database and somehow reveal passwords, but whether there's a reason for anyone to do so.

      And the more potential reason there is for that, the more encryption is needed.
      In the case of DV, the standard vBulletin method of however it hashes passwords is more than enough.

      And aye, as was already said, it's a one way deal.
      The admins can't see your password.
      They simply have power over your account's permissions on the forum.

    6. #6 Ynot (FBI agent)
      Quote Originally Posted by Merlock:
      This is Dreamviews, not the CIA's public chat forum.

      An MD5/whatever hash (or rather, multiple hash, last time I dug around in how the major forum engines store passwords) is more than enough to make sure no one sees the users' passwords.

      The biggest question isn't whether it's possible to hack this forum's database and somehow reveal passwords, but whether there's a reason for anyone to do so.

      And the more potential reason there is for that, the more encryption is needed.
      In the case of DV, the standard vBulletin method of however it hashes passwords is more than enough.

      And aye, as was already said, it's a one way deal.
      The admins can't see your password.
      They simply have power over your account's permissions on the forum.
      Oh, agreed

      I'm just saying, having security above & beyond the bare minimum can only be a good thing

      Link above shows a guy sniffing his own home network traffic and getting login credentials for various things

      DV is only one rung above that (client side password encryption)
      By capturing their packets, you can still track someone round the site

      This sort of conversation tends to bring out the extreme examples
      but it boils down to one thing
      How much do you value your security & privacy?
      Everybody will have a differing answer
