
Password Encryption ?

Discussion in 'Off Topic' started by erich37, Jul 31, 2013.

  1. erich37

    erich37 Well-Known Member

    I just came around this article about Password-Security and Encryption:


    As far as I remember, XenForo also generates a new Password if you have forgotten your own Password.
    What system is XF using for generating Passwords?

    What about if XenForo would automatically generate a Password for a new user during the Sign-up-process, instead of the user choosing his own Password ?

    Would this be more secure ?
    Hmmm... probably not, since the Password is being sent to the user via Email....

  2. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

```php
/**
 * Generates a pseudo-random string of the specified length.
 * @param integer $length
 * @return string
 */
public static function generateRandomString($length)
{
    // Top up the shared hex buffer until it can satisfy this request
    while (strlen(self::$_randomData) < $length) {
        if (function_exists('openssl_random_pseudo_bytes')
            && (substr(PHP_OS, 0, 3) != 'WIN' || version_compare(phpversion(), '5.3.4', '>='))) {
            // preferred source: OpenSSL CSPRNG
            self::$_randomData .= bin2hex(openssl_random_pseudo_bytes(max($length, 1024) / 2));
        } else if (function_exists('mcrypt_create_iv') && version_compare(phpversion(), '5.3.0', '>=')) {
            // fallback: mcrypt reading /dev/urandom
            self::$_randomData .= bin2hex(mcrypt_create_iv(max($length, 1024) / 2, MCRYPT_DEV_URANDOM));
        } else {
            // last resort: non-cryptographic source
            self::$_randomData .= md5(uniqid(mt_rand(), true));
        }
    }
    $return = substr(self::$_randomData, 0, $length);
    self::$_randomData = substr(self::$_randomData, $length);
    return $return;
}
```
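A hardened variant of the helper above, added here as an example (it is not XenForo's code): it accepts only sources that are cryptographically strong and fails closed instead of silently falling back to md5(uniqid(mt_rand())), and it maps bytes onto a 64-symbol alphabet so each character carries 6 bits of entropy rather than the 4 bits of a hex digit. The function name generatePassword and the alphabet are the example's own choices.

```php
<?php
// Added example, not XenForo's code. Same purpose as the posted helper, but
// it never degrades to a non-cryptographic generator and emits a wider
// alphabet than hex.
function generatePassword($length = 16)
{
    // 64 symbols: 256 % 64 == 0, so reducing one byte modulo 64 is unbiased.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

    if (function_exists('random_bytes')) {
        // PHP 7+: CSPRNG that throws instead of returning weak output.
        $bytes = random_bytes($length);
    } elseif (function_exists('openssl_random_pseudo_bytes')) {
        // Older PHP: only accept output OpenSSL itself reports as strong.
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($bytes === false || $strong !== true) {
            throw new RuntimeException('OpenSSL could not provide strong random bytes');
        }
    } else {
        // Fail closed rather than silently using a weak generator.
        throw new RuntimeException('No cryptographically secure random source available');
    }

    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[ord($bytes[$i]) % 64];
    }
    return $password;
}

// Sanity checks: requested length and restricted character set.
$pw = generatePassword(20);
assert(strlen($pw) === 20);
assert(preg_match('/^[A-Za-z0-9_-]{20}$/', $pw) === 1);
echo $pw, PHP_EOL;
```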
  3. erich37

    erich37 Well-Known Member

    yeah, but the Password is still being sent via Email to the user.
    So it is not secure anymore.

    But there is probably no other solution to show the user his Password without sending it to him via Email...?

    The only idea might be to ask the user for an "Answer" to a question he submitted earlier... and then display his Password via a Key-Generator:


    Well, I guess that is the next "multi-million dollar idea"..... if you are able to code it :D

  4. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    That is basically using a second password to retrieve the first. You must still deal with the case of both passwords being forgotten.
  5. Biker

    Biker Well-Known Member

  6. OSS 117

    OSS 117 Well-Known Member


    This is nothing new. Federal agencies like the CSS use AES-256 for TS level documents. No form of encryption is reliable if your password is something as stupid as "I<3puppies."
  7. Anthony Parsons

    Anthony Parsons Well-Known Member

    And if someone already has your email accessed... it all becomes useless as they retrieve a password to your email and in they go. Simple solution is to have a good password.
  8. OSS 117

    OSS 117 Well-Known Member

    Depends on the email provider. I have two factor on anything that supports it.
  9. Anthony Parsons

    Anthony Parsons Well-Known Member

    Me too... on my gmail. I also have it on my forum admin accounts.
  10. OSS 117

    OSS 117 Well-Known Member

    I use a unique option for LastPass. To login to my account on their site I need a grid number plus a text to my phone. Though it's been a year since I've logged in, as a local copy of the data is unencrypted on the fly in my browser.
  11. Anthony Parsons

    Anthony Parsons Well-Known Member

    I just use Google's on my iPhone... time lapsed 30 second change.
