How Secure Is Xenforo compared to VB4?

Jordan
Every few weeks VB4 gets a security fix. How's the security of Xenforo compared to VB4 and other commercial forum scripts?
 
It could use better password hashing. However if people get your hashes you would have other more serious problems to deal with. And vb's hashing wouldn't be any better.
 
Realistically - does it matter which hashing algorithm is used considering the algorithm is already publicly available? As long as they have your hashed password, salt and algorithm it's still the same waiting game.
 
Yes. Some are designed to be hard to crack by GPUs. The old ones like md5, sha etc never anticipated how powerful GPUs would get, only CPUs. GPUs can process millions of hashes per second.
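The point made above, that a fast hash like MD5 lets an attacker with the salt and the hash try millions of guesses per second while a deliberately slow construction does not, can be measured directly. The following is an added example, not code from the thread or from XenForo or vBulletin; it uses Python's standard library only. The salted-MD5 scheme, the PBKDF2 parameters, the wordlist and the password are all constructed for illustration and assume nothing about how either forum actually stores passwords.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: a short dictionary-word password of the kind the
# thread says "will get cracked fast", plus a tiny stand-in for a wordlist.
WEAK_PASSWORD = "letmein"
WORDLIST = ["password", "123456", "letmein", "qwerty"]  # constructed, not real


def fast_hash(password: str, salt: bytes) -> bytes:
    """Legacy-style salted MD5: a single cheap digest, trivially parallel on a GPU."""
    return hashlib.md5(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256: SHA-2 (still a sound hash) wrapped in a tunable work factor.

    The security gain comes from the iteration count, not from replacing SHA-2.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(stored: bytes, candidate: str, salt: bytes, hasher, **kw) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the hash."""
    return hmac.compare_digest(stored, hasher(candidate, salt, **kw))


def guesses_until_found(stored: bytes, salt: bytes, wordlist, hasher, **kw):
    """Number of offline guesses needed to match `stored` from `wordlist`, or None.

    Each guess costs one call to `hasher`; the defender's only lever is making
    that one call expensive.
    """
    for n, word in enumerate(wordlist, start=1):
        if hmac.compare_digest(stored, hasher(word, salt, **kw)):
            return n
    return None


def hashes_per_second(hasher, salt: bytes, seconds: float = 0.5, **kw) -> float:
    """Rough single-core throughput of `hasher`, measured over `seconds`."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hasher("guess%d" % n, salt, **kw)
        n += 1
    return n / (time.perf_counter() - start)


def slowdown_factor(salt: bytes, iterations: int = 200_000) -> float:
    """How many times more expensive one PBKDF2 guess is than one salted-MD5 guess."""
    fast = hashes_per_second(fast_hash, salt)
    slow = hashes_per_second(slow_hash, salt, iterations=iterations)
    return fast / slow


if __name__ == "__main__":
    salt = os.urandom(16)  # the salt is assumed known to the attacker, as in the thread
    md5_stored = fast_hash(WEAK_PASSWORD, salt)
    pbkdf2_stored = slow_hash(WEAK_PASSWORD, salt)
    print("guesses to find the weak password (any scheme):",
          guesses_until_found(md5_stored, salt, WORDLIST, fast_hash))
    print("each guess costs %.0fx more under PBKDF2 than salted MD5"
          % slowdown_factor(salt))
    print("login check still works:", verify(pbkdf2_stored, WEAK_PASSWORD, salt, slow_hash))
```

Two things the numbers show: the weak password falls on the same guess regardless of scheme, because the hash cannot add entropy the password lacks, but the per-guess cost under PBKDF2 is orders of magnitude higher on the same CPU, and the gap widens further against a GPU that can run MD5 in bulk. In production the iteration count (or an scrypt/Argon2 memory cost) is tuned to the slowest login delay the site can tolerate.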
 
SHA-3 is in the works but almost everyone including certain US Government still use the SHA-2 hashes. TLS, SSL, PGP, SSH, IPsec are other applications based on SHA-2. Do you see those guys scrambling to change the hash function? There is still a lot of life left in SHA-2.
 
I'm not saying they should change it. If people have an issue it is because they let people get the hashes, not the hashes themselves. But they are far from secure if the password used isn't long and cryptic in the first place. And don't make me link you to a heap of US Government failings in security... not the best example.

The fact is it isn't secure. You can't expect it not to get cracked and any user without a good long password will get cracked fast.
 
Any hash is only as secure as the password used; it all depends on what area of the keyspace the brute forcers target first, i.e. lowercase, UPPERCASE, numerics etc. The point is that SHA-2 is still regarded as a secure hash and safe for use.
 
The biggest risks aren't software related, just user error. Also being on shared hosting sucks because when another site gets hacked or attacked they risk your site going down as well. That happened to my site two weeks ago. They had to change the IP on my site because some idiot got DDoSed. I hate being on a shared server.
 
Another risk is installing other people's modifications. I'd say the risk is just as significant on vb4 here because of the amount of noobs on xenforo releasing stuff in the resource manager, including myself. But then I've seen well-established coders release stuff that will screw your site up. If you want to really be secure and careful, test everything on a xampp installation. Matter of fact, you should, because unlike vbulletin, your xenforo installation will go blank every time you install or uninstall a skin, language or modification. Your users will think something is wrong with your site and get angry. That's why you need a local installation the most.
 
Currently testing a new addon on my site, it basically converts users imported from vb or ibp to use the stock XF authentication/password mechanism on their login instead of waiting for them to change their password (which would convert them).
 
Since launch XF has only had to release a single security fix, and it was for a third party library.
This isn't really a good comparison.
Since launch of a brand new script it's had X updates

Script Y which has been around for years and years will obviously attract more attention.

With that said, any script is as secure as you make it.
If you add 20 poorly coded mods, you'll likely be exploited.
 
The only major problem I can think of at the moment with XenForo is this; http://xenforo.com/community/threads/suggestion-regarding-login-security.22070/

I'm not too sure if it was ever fixed as no one on the XenForo team replied to the thread but other than that, it's great software and secure.
Easy solution is to force SSL for your entire site. If you are that serious about security, it's something you should be doing anyway to avoid session cookie theft, etc.

If the password is already being sniffed, a simple client-side MD5 is going to do little to stop anyone (especially since the salt would by definition be exposed to any attacker).
 