• Lucid Dreaming - Dream Views
    1. #1
      Member Rakjavik's Avatar
      Join Date
      Nov 2007
      Gender
      Location
      USA
      Posts
      462
      Likes
      7

      Username and passwords

      I'm assuming that whoever runs this site has access to the passwords of all the users. Which made me start thinking.

A lot of people use the same usernames and passwords for multiple sites. So if the admins here or on another site have access to what pass you use, they could go to that site (don't remember the address) that checks about 100 other popular sites for the same username, and use the pass.

      Is this true? Do the admins on here, ebay, youtube, all have access to your password?

    2. #2
      Banned
      Join Date
      Nov 2007
      LD Count
I'm here for you
      Location
      australia
      Posts
      3,677
      Likes
      415
      This is more of a meta forum question, and why do you care?
      I'm sure only asher has access to passwords, and he has no reason to use them.

      Again, why do you care? If you're worried about it, change your password to something else.

    3. #3
      FBI agent Ynot's Avatar
      Join Date
      Oct 2005
      Gender
      Location
      Southend, Essex
      Posts
      4,337
      Likes
      14
      passwords are hashed using a one way algorithm, and stored in a database

      When you enter your password, the password gets hashed and compared to the stored hash
      If equal, login accepted
      If not, login denied

      Passwords are not stored in plain text
      To do so would be silly and highly insecure
      (\_ _/)
      (='.'=)
      (")_(")

    4. #4
      ├┼┼┼┼┤
      Join Date
      Jun 2006
      Gender
      Location
      Equestria
      Posts
      6,315
      Likes
      1191
      DJ Entries
      1
      It depends on the forum structure though.

      ---------
      Lost count of how many lucid dreams I've had
      ---------

    5. #5
What's up [SomeGuy]'s Avatar
      Join Date
      Nov 2007
      LD Count
      About 1
      Gender
      Location
      Tmux on Debian
      Posts
      2,862
      Likes
      130
      DJ Entries
      4
      They're stuffed in an SQL database, no?

      Hey guys, I'm back. Feels good man
      ---------------------------------------------------
      WTF|Jesus lul
      spam removed

    6. #6
      adversary RedfishBluefish's Avatar
      Join Date
      Apr 2007
      Location
      Now
      Posts
      495
      Likes
      4
Quote Originally Posted by Ynot
      passwords are hashed using a one way algorithm, and stored in a database

      When you enter your password, the password gets hashed and compared to the stored hash
      If equal, login accepted
      If not, login denied

      Passwords are not stored in plain text
      To do so would be silly and highly insecure
      Is that hashing on client or server side?
      Also, would they use a salt (like website name + date or something)? Otherwise someone could use the hash to login to other sites maybe...

    7. #7
      ex-redhat ClouD's Avatar
      Join Date
      Sep 2007
      Posts
      4,760
      Likes
      129
      DJ Entries
      1
      To my knowledge, a unique random salt is assigned to each member.
      That means every password hash is unique, even if two passwords are the same.
      It also means that malicious administrators (which we don't have at DV) cannot use those password hashes to login to other sites.
      The VB login JavaScript code MD5 hashes the password client side, then submits the hash to the server.

      Asher is the only one allowed to access the database, and most staff don't have FTP access to DV at all, let alone the database - which is monitored in the unlikely event that anyone who had access would ever try to access it.

      Highly unlikely that someone on the net is going to be able to get hold of your unique salt and hash after gaining database access, and then crack that with a custom rainbow table (which requires much space, processing power and/or time, and hope that the password is simple) for a plain text password to then search and login on another website. Even then there's obvious precautions against that, just use different passwords for different sites and keep your password/s strong.
      You merely have to change your point of view slightly, and then that glass will sparkle when it reflects the light.
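As an added illustration of the per-user salt scheme described above (this is example code written for this thread, not vBulletin's own source): the client-side MD5 of the password is hashed again with a random salt stored beside it, so two members with the same password get different stored hashes and a hash lifted from one site is useless on another. A slow key-derivation function (PBKDF2 here) is shown alongside as the modern answer to the rainbow-table concern; it is not part of the scheme discussed in the thread.

```python
import hashlib
import hmac
import os

def make_salt(nbytes=8):
    """Random per-user salt, hex encoded (constructed for this example)."""
    return os.urandom(nbytes).hex()

def vb_style_hash(password, salt):
    """Models the double-MD5 layout discussed in the thread:
    the browser sends md5(password), the server stores md5(md5(password) + salt).
    MD5 is used only to mirror the discussion; it is far too fast for modern storage."""
    client_hash = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((client_hash + salt).encode()).hexdigest()

def kdf_hash(password, salt, rounds=200_000):
    """Stronger alternative: a deliberately slow KDF makes brute force and
    rainbow tables impractical even when the database leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds).hex()

def register(db, username, password, hasher=vb_style_hash):
    """Store (salt, hash) for a user in the in-memory dict `db`."""
    salt = make_salt()
    db[username] = (salt, hasher(password, salt))

def login(db, username, password, hasher=vb_style_hash):
    """Recompute the hash with the stored salt and compare in constant time."""
    if username not in db:
        return False
    salt, stored = db[username]
    return hmac.compare_digest(stored, hasher(password, salt))

def stored_hashes_differ(password, hasher=vb_style_hash):
    """Two members (or two sites) with the same password: do the stored hashes differ?"""
    site_a, site_b = {}, {}
    register(site_a, "alice", password, hasher)
    register(site_b, "alice", password, hasher)
    return site_a["alice"][1] != site_b["alice"][1]

if __name__ == "__main__":
    db = {}
    register(db, "rakjavik", "correct horse")
    print(login(db, "rakjavik", "correct horse"), login(db, "rakjavik", "wrong"))
    print(stored_hashes_differ("correct horse"))
```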

    8. #8
      FBI agent Ynot's Avatar
      Join Date
      Oct 2005
      Gender
      Location
      Southend, Essex
      Posts
      4,337
      Likes
      14
      (\_ _/)
      (='.'=)
      (")_(")

    9. #9
      ex-redhat ClouD's Avatar
      Join Date
      Sep 2007
      Posts
      4,760
      Likes
      129
      DJ Entries
      1
      Do you think this site warrants spending on SSL encryption?

      VB also salts and hashes server side though, no...?

      I don't really get in-depth how VB actually manages the typical login.
      You merely have to change your point of view slightly, and then that glass will sparkle when it reflects the light.

    10. #10
      FBI agent Ynot's Avatar
      Join Date
      Oct 2005
      Gender
      Location
      Southend, Essex
      Posts
      4,337
      Likes
      14
      You don't need to buy a certificate from verisign or others,
      you can create your own certificate

      http://www.debian-administration.org/articles/284

      SSL does two things
      - provides an encrypted channel, safe from 3rd party snooping
      - (optionally) provides a way for users to verify that the site is legitimate

      If you are taking personal information off of people (financial info, etc.)
      then, users will feel more secure if you have an SSL cert signed by a trusted 3rd party
      You can verify that the website is who they say they are

      If all you want is to prevent packet snooping, self-signed SSL is more than adequate
      (\_ _/)
      (='.'=)
      (")_(")

    11. #11
      Wanderer Merlock's Avatar
      Join Date
      Sep 2005
      Gender
      Location
      On a journey
      Posts
      2,039
      Likes
      4
      This is Dreamviews, not the CIA's public chat forum.

      An MD5/whatever hash (or rather, multiple hash, last time I dug around in how the major forum engines store passwords) is more than enough to make sure no one sees the users' passwords.

      The biggest question isn't whether it's possible to hack this forum's database and somehow reveal passwords, but whether there's a reason for anyone to do so.

      And the more potential reason there is for that, the more encryption is needed.
      In the case of DV, the standard vBulletin method of however it hashes passwords is more than enough.

      And aye, as was already said, it's a one way deal.
      The admins can't see your password.
      They simply have power over your account's permissions on the forum.

    12. #12
      FBI agent Ynot's Avatar
      Join Date
      Oct 2005
      Gender
      Location
      Southend, Essex
      Posts
      4,337
      Likes
      14
Quote Originally Posted by Merlock
      This is Dreamviews, not the CIA's public chat forum.

      An MD5/whatever hash (or rather, multiple hash, last time I dug around in how the major forum engines store passwords) is more than enough to make sure no one sees the users' passwords.

      The biggest question isn't whether it's possible to hack this forum's database and somehow reveal passwords, but whether there's a reason for anyone to do so.

      And the more potential reason there is for that, the more encryption is needed.
      In the case of DV, the standard vBulletin method of however it hashes passwords is more than enough.

      And aye, as was already said, it's a one way deal.
      The admins can't see your password.
      They simply have power over your account's permissions on the forum.
      Oh, agreed

      I'm just saying, having security above & beyond the bare minimum can only be a good thing

      Link above shows a guy sniffing his own home network traffic and getting login credentials for various things

      DV is only one rung above that (client side password encryption)
      By capturing their packets, you can still track someone round the site

      This sort of conversation tends to bring out the extreme examples
      but it boils down to one thing
      How much do you value your security & privacy?
      Everybody will have a differing answer
      (\_ _/)
      (='.'=)
      (")_(")

    13. #13
      Banned
      Join Date
      Apr 2007
      Location
      Out Chasing Rabbits
      Posts
      15,193
      Likes
      935
Quote Originally Posted by RedfishBluefish
      Is that hashing on client or server side?
      Also, would they use a salt (like website name + date or something)? Otherwise someone could use the hash to login to other sites maybe...
It's done on the server side; if you use a sniffer you can clearly see your password go through in the header file. That's how almost everything works. Secure sites work differently, but DV is not a secure site since there is no dangerous information being passed around.

    14. #14
      Member Rakjavik's Avatar
      Join Date
      Nov 2007
      Gender
      Location
      USA
      Posts
      462
      Likes
      7
Thanks for the info, guys. Let me just reiterate that I am in no way worried about the admins of Dreamviews. I just figured it was a good example since I was posting on here.

    15. #15
      A Natural The Invisible Man's Avatar
      Join Date
      Nov 2008
      Gender
      Posts
      365
      Likes
      8
      In either case, if our passwords are stolen, we know who to look at for answers.


      Can you see me now?

    16. #16
      Michael's Avatar
      Join Date
      Aug 2007
      LD Count
      Who counts?
      Gender
      Location
      Invisible Society
      Posts
      1,276
      Likes
      76
      The same could go for all forums/websites with passwords. What's new?

      Why do you think ID theft is the fastest growing crime?

      I doubt it happens a lot like that though.

      I use diff users/passes also =P

    17. #17
      Banned
      Join Date
      Apr 2007
      Location
      Out Chasing Rabbits
      Posts
      15,193
      Likes
      935
For DV: I remember being able to see and reset members' passwords, but that field has mysteriously disappeared from the mod panel. I assume it's because it's now encrypted.

    18. #18
      Jesus of Suburbia's Avatar
      Join Date
      Mar 2009
      LD Count
      192837465
      Gender
      Posts
      1,309
      Likes
      248
Quote Originally Posted by Rakjavik
      I'm assuming that whoever runs this site has access to the passwords of all the users. Which made me start thinking.

      A lot of people use the same usernames and passwords for multiple sites. So if the admins here or on another site have access to what pass you use, they could go to that site (dont remember the address) that checks about a 100 other popular sites for the same username, and use the pass.

      Is this true? Do the admins on here, ebay, youtube, all have access to your password?


This happened to a dude on another forum. Some dude on the forum (forum 1) made another forum (forum 2) and the dude who it happened to signed up on 2. It wasn't as bad, but it is technically hacking, so anyway, in the dude's sig (on forum 1), the dude who created 2 put
"I am a stupid noob" or something like that.
