How Secure Is Xenforo compared to VB4?

|Jordan|

Active member
Every few weeks VB4 gets a security fix. How's the security of Xenforo compared to VB4 and other commercial forum scripts?
 
Easy solution is to force SSL for your entire site. If you are that serious about security, it's something you should be doing anyway to avoid session cookie theft, etc.

If the password is already being sniffed, a simple client-side MD5 is going to do little to stop anyone (especially since the salt would by definition be exposed to any attacker).
Would be a big pain in the butt for third-party links as it would throw warnings at users.

Doesn't need to be MD5 on the client-side, there are other solutions, some of them are listed in the thread I linked to that are better than MD5.
 
It could use better password hashing. However if people get your hashes you would have other more serious problems to deal with. And vb's hashing wouldn't be any better.
In fact I am now testing a new addon which converts from vbulletin, ipb and xenforo hashes to using bcrypt (with a user option for number of rounds). On my kit using 14 rounds takes around 1.2 seconds (that's the delay the user will get when logging in, or changing their password) which is good enough.
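The migrate-on-login flow described above, written out as an added example in PHP (this is not Deebs's add-on or XenForo code): a record stored with the legacy vBulletin 3/4 scheme md5(md5($password) . $salt) is verified as-is, and on a successful login is re-hashed with PHP's built-in bcrypt at cost 14. The record layout, the salt and the password are constructed for the example; only the vBulletin scheme is handled here, the ipb/xenforo cases would be further branches of the same function.

```php
<?php
// Added example, not the add-on from the thread: upgrade a legacy
// vBulletin-style hash to bcrypt the first time the user logs in.
declare(strict_types=1);

// Deebs quotes ~1.2 s per login at 14 rounds on his hardware; tune per server.
const BCRYPT_COST = 14;

/** Legacy vBulletin 3/4 scheme: md5(md5(password) . salt). Kept only to verify old rows. */
function legacyVbHash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

/** Constant-time comparison against a legacy record. */
function verifyLegacy(string $password, array $record): bool
{
    return hash_equals($record['hash'], legacyVbHash($password, $record['salt']));
}

/**
 * Check a login against whatever scheme the record currently uses. On success,
 * legacy rows (and bcrypt rows below the target cost) are re-hashed with bcrypt,
 * which embeds its own random salt. Returns the possibly updated record, or null
 * if the password is wrong.
 */
function loginAndUpgrade(string $password, array $record): ?array
{
    if ($record['scheme'] === 'vbulletin') {
        if (!verifyLegacy($password, $record)) {
            return null;
        }
        $needsRehash = true;
    } else { // 'bcrypt'
        if (!password_verify($password, $record['hash'])) {
            return null;
        }
        $needsRehash = password_needs_rehash($record['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    if ($needsRehash) {
        $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $record = ['scheme' => 'bcrypt', 'salt' => '', 'hash' => $hash];
    }
    return $record;
}

// Constructed sample row: invented salt and password, not real user data.
$salt   = 'k3Z7q';
$record = ['scheme' => 'vbulletin', 'salt' => $salt, 'hash' => legacyVbHash('correct horse', $salt)];

assert(loginAndUpgrade('wrong password', $record) === null);
$upgraded = loginAndUpgrade('correct horse', $record);
assert($upgraded['scheme'] === 'bcrypt' && str_starts_with($upgraded['hash'], '$2y$14$'));
assert(loginAndUpgrade('correct horse', $upgraded) === $upgraded); // already at target cost
```

Users who never log in again keep their fast md5 hash, so a dump of the table still exposes those rows at the old cost; forcing a reset for stale accounts is the usual follow-up.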
 
Any hash is only as secure as the password used, it all depends on what area of the keyspace the brute forcers target first, ie lowercase, UPPERcase, numerics etc. The point is that SHA-2 is still regarded as a secure hash and safe for use.

You hit it exactly on the nail Deebs. With Rainbow tables, any password can easily be found in seconds.

It is why we need random salts to be included in the hashing process to minimize the effectiveness of rainbow tables.
 
Easy solution is to force SSL for your entire site. If you are that serious about security, it's something you should be doing anyway to avoid session cookie theft, etc.

If the password is already being sniffed, a simple client-side MD5 is going to do little to stop anyone (especially since the salt would by definition be exposed to any attacker).

SSL can be compromised too if you use a man-in-the-middle attack (i.e. DNS Changer malware) and SSLstrip.
 
The fact is it isn't secure. You can't expect it not to get cracked and any user without a good long password will get cracked fast.

By the time they're reading the hashes from the database then you're already compromised so it's not really the biggest concern for whoever is running the forum. Realistically though, are attackers going to expend serious effort (assuming a not-totally-useless algorithm + salting) cracking every single hash on the off chance that *maybe* a couple of people used a weak password and *maybe* they used that same password for their email which *maybe* will lead to something semi-fruitful like an e-commerce account that *maybe* has saved credit card details? In most cases I don't think so.

People having weak passwords that they re-use everywhere is surely their problem anyway. Someone could very well guess logins manually, I don't think that'd be damning of anyone but the guy with '1234' as his password either.

I mean I agree that there are problems with some of the hashing algos but when it comes to forum software that's really not as big a deal as, say, being tied to PHP and MySQL if you want to have one that's half-way decent/functional/up to date.
 
Yes I already said that they would have other issues.

And anyone with a high performance gaming rig can crack millions of hashes every second. That isn't going to just get a "few weak ones". That is going to get a LOT.
 
Well it depends how many of your users have 'weak' (i.e. crackable in a reasonable time-frame) passwords I guess. Their savvy-ness will probably vary depending on the nature of the site in question.

But fair enough, let's just slap people around the head until they adhere to good password choosing practice.
 
If the password is less than say 10 characters it will in general be cracked by someone using multiple GPUs. Simple as that.

However like we have both said, if people have your hashes you have bigger issues on your hands.
 
As mentioned earlier my addon is now live on my site, any user with a password stored using a vbulletin, ipb or xenforo hash type will be converted to a bcrypt cipher using 14 rounds. bcrypt is resistant to being run on a GPU in an effective manner as it is a block cipher and not a hash.
 
SSL can be compromised too if you use a man-in-the-middle attack (i.e. DNS Changer malware) and SSLstrip.

Only if the user is stupid/not paying attention. SSLstrip works by proxying the HTTPS connection between the MITM and the server using an HTTP connection between MITM and the user. I'm not going to enter my credit card details or my bank account password if I see that the connection, which should be HTTPS, is not HTTPS.

In any case, this would be the user's fault. From a website owner's perspective, forcing everything over HTTPS and informing users about common-sense security is the best you can do.
 
How secure is XenForo?

Very secure :cool:

A few people have been trying endlessly to discover a security vulnerability in XenForo .... To date, none have been discovered except for the 1 third party library (SWFUpload).