
Password Encryption ?

erich37

Well-known member
#1
I just came around this article about Password-Security and Encryption:

http://www.zerohedge.com/news/2013-07-31/think-your-password-secure-nsa-try


As far as I remember, XenForo also generates a new Password if you have forgotten your own Password.
What system is XF using for generating Passwords ?


What about if XenForo would automatically generate a Password for a new user during the Sign-up-process, instead of the user choosing his own Password ?

Would this be more secure ?
Hmmm... probably not, since the Password is being sent to the user via Email....


:confused:
 

Jake Bunce

XenForo moderator
Staff member
#2
What system is XF using for generating Passwords ?
Code:
```php
<?php
// Posted snippet, wrapped in a minimal class so it runs stand-alone:
// the class name and the static $_randomData buffer declaration are added
// here; the method body is as posted.
class RandomStringGenerator
{
	/** Buffer of hex characters not yet handed out. */
	protected static $_randomData = '';

	/**
	 * Generates a pseudo-random string of the specified length.
	 *
	 * @param integer $length
	 *
	 * @return string
	 */
	public static function generateRandomString($length)
	{
		// Refill the buffer in chunks of at least 1024 hex characters.
		while (strlen(self::$_randomData) < $length)
		{
			if (function_exists('openssl_random_pseudo_bytes')
				&& (substr(PHP_OS, 0, 3) != 'WIN' || version_compare(phpversion(), '5.3.4', '>='))
			)
			{
				// Preferred source: OpenSSL's CSPRNG.
				self::$_randomData .= bin2hex(openssl_random_pseudo_bytes(max($length, 1024) / 2));
			}
			else if (function_exists('mcrypt_create_iv') && version_compare(phpversion(), '5.3.0', '>='))
			{
				// Second choice: /dev/urandom via mcrypt.
				self::$_randomData .= bin2hex(mcrypt_create_iv(max($length, 1024) / 2, MCRYPT_DEV_URANDOM));
			}
			else
			{
				// Last resort: mt_rand()/uniqid() are not cryptographically strong.
				self::$_randomData .= md5(uniqid(mt_rand(), true));
			}
		}

		// Hand out the first $length characters and keep the rest for next time.
		$return = substr(self::$_randomData, 0, $length);
		self::$_randomData = substr(self::$_randomData, $length);

		return $return;
	}
}
```
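For comparison, here is how the same job is done on PHP 7 and later, where the language ships a CSPRNG and the fallback chain above is no longer needed. This is an added example, not XenForo's code or Jake's; the function names and the alphabet are my own choices. It also shows the one extra step needed when the output is a password over a chosen character set rather than a hex string: picking characters with random_int() instead of reducing a byte modulo the alphabet size, which would favour the first characters of any alphabet whose size does not divide 256.

```php
<?php
// Added example (not the snippet above and not XenForo's code).
// Requires PHP 7+: random_bytes() and random_int() read the OS CSPRNG
// and throw if no secure source is available instead of silently
// falling back to a weaker generator.

// Alphabet without look-alike characters (0/O, 1/l/I); an assumption
// made for this example, not anything the forum software uses.
const PASSWORD_ALPHABET = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

/**
 * Hex token of exactly $length characters, the modern equivalent of
 * generateRandomString() above.
 */
function randomHexString(int $length): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be >= 1');
    }
    // ceil($length / 2) bytes yield at least $length hex characters.
    return substr(bin2hex(random_bytes(intdiv($length + 1, 2))), 0, $length);
}

/**
 * Password of $length characters drawn uniformly from $alphabet.
 * random_int() is unbiased; ord($byte) % strlen($alphabet) would not be.
 */
function randomPassword(int $length, string $alphabet = PASSWORD_ALPHABET): string
{
    if ($length < 1 || $alphabet === '') {
        throw new InvalidArgumentException('need length >= 1 and a non-empty alphabet');
    }
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/** Entropy in bits of a uniformly generated password: length * log2(|alphabet|). */
function passwordEntropyBits(int $length, string $alphabet = PASSWORD_ALPHABET): float
{
    return $length * log(strlen($alphabet), 2);
}

// Walk-through.
$token = randomHexString(32);
$password = randomPassword(16);
printf("token:    %s\n", $token);
printf("password: %s (%.1f bits of entropy)\n", $password, passwordEntropyBits(16));
```

A 16-character password over this 57-symbol alphabet carries about 93 bits of entropy, which is far beyond what guessing can reach; as the later posts in the thread point out, the weak link is then how the value travels to the user, not how it was generated.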
 

erich37

Well-known member
#3
yeah, but the Password is still being sent via Email to the user.
So it is not secure anymore.

But there is probably no other solution to show the user his Password without sending it to him via Email...?



The only idea might be to ask the user for an "Answer" to a question he submitted earlier... and then display his Password via a Key-Generator:

http://xenforo.com/community/threads/random-key-generator-by-waindigo.56174/

Well, I guess that is the next "multi-million dollar idea"..... if you are able to code it :D


:coffee:
 

Jake Bunce

XenForo moderator
Staff member
#4
The only idea might be to ask the user for an "Answer" to a question he submitted earlier... and then display his Password via a Key-Generator:
That is basically using a second password to retrieve the first. You must still deal with the case of both passwords being forgotten.
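The usual way out of the dilemma raised in this thread is to never put a password in the e-mail at all: the message carries a single-use, short-lived reset token, the database stores only a hash of that token, and the user types a new password on the site. The following is an added example of that flow in PHP 7+, not XenForo's reset code; the in-memory `$db` array, the 15-minute lifetime and the user data are constructed stand-ins for real tables and real values.

```php
<?php
// Added example (not XenForo's code): e-mail a reset token, never a password.
// $db is a constructed in-memory stand-in for the users and reset tables.

const RESET_TTL_SECONDS = 900;   // 15-minute validity window (assumed value)

$db = ['users' => [], 'resets' => []];

function registerUser(array &$db, string $email, string $password): void
{
    // Only a slow hash of the password is stored, so it cannot be "shown"
    // to anyone later, which is exactly what makes a reset flow necessary.
    $db['users'][$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

/**
 * Step 1: create the token that goes into the e-mailed link.
 * The table keeps only sha256(token) plus an expiry, so a database leak
 * does not hand out usable reset links.
 */
function issueResetToken(array &$db, string $email): ?string
{
    if (!isset($db['users'][$email])) {
        return null;   // caller still shows the same generic reply to avoid enumeration
    }
    $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG
    $db['resets'][$email] = [
        'hash'    => hash('sha256', $token),
        'expires' => time() + RESET_TTL_SECONDS,
    ];
    return $token;
}

/**
 * Step 2: the user follows the link and chooses a new password.
 * Checks expiry, compares hashes in constant time, and burns the token
 * so it cannot be replayed.
 */
function completeReset(array &$db, string $email, string $token, string $newPassword): bool
{
    $row = $db['resets'][$email] ?? null;
    if ($row === null || time() > $row['expires']) {
        return false;
    }
    if (!hash_equals($row['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($db['resets'][$email]);   // single use
    $db['users'][$email]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

function login(array $db, string $email, string $password): bool
{
    return isset($db['users'][$email])
        && password_verify($password, $db['users'][$email]['hash']);
}

// Walk-through with constructed data.
registerUser($db, 'alice@example.com', 'old-passphrase');
$token = issueResetToken($db, 'alice@example.com');   // this value goes into the e-mail link
var_dump(completeReset($db, 'alice@example.com', 'not-the-token', 'x'));  // wrong token
var_dump(completeReset($db, 'alice@example.com', $token, 'new-passphrase')); // real token
var_dump(completeReset($db, 'alice@example.com', $token, 'again'));       // same token twice
var_dump(login($db, 'alice@example.com', 'new-passphrase'));              // new password
var_dump(login($db, 'alice@example.com', 'old-passphrase'));              // old password
```

This does not remove the dependency on the mailbox that the next posts describe: whoever reads the e-mail can still complete the reset. What it changes is the blast radius: nothing in the message is a password, the token stops working after one use or fifteen minutes, and a copy of the database contains neither passwords nor live tokens.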
 

OSS 117

Well-known member
#6
*yawn*

This is nothing new. Federal agencies like the CSS use AES-256 for TS level documents. No form of encryption is reliable if your password is something as stupid as "I<3puppies."
 

Anthony Parsons

Well-known member
#7
And if someone already has your email accessed... it all becomes useless as they retrieve a password to your email and in they go. Simple solution is to have a good password.
 

OSS 117

Well-known member
#10
I use a unique option for lastpass. To login to my account on their site I need a grid number plus a text to my phone. Though it's been a year since I've logged in, as a local copy of the data is unencrypted on the fly in my browser.