Password Encryption ?

[erich37]

I just came around this article about Password-Security and Encryption:

http://www.zerohedge.com/news/2013-07-31/think-your-password-secure-nsa-try


As far as I remeber, XenForo also generates a new Password if you have forgotten your own Password.
What system is XF using for generating Passwords ?


What about if XenForo would automatically generate a Password for a new user during the Sign-up-process, instead of the user choosing his own Password ?

Would this be more secure ?
Hmmm... probably not, since the Password is being sent to the user via Email....

 

[Jake Bunce]

What system is XF using for generating Passwords ?

	/**
	 * Generates a psuedo-random string of the specified length.
	 *
	 * @param integer $length
	 *
	 * @return string
	 */
	public static function generateRandomString($length)
	{
		while (strlen(self::$_randomData) < $length)
		{
			if (function_exists('openssl_random_pseudo_bytes')
				&& (substr(PHP_OS, 0, 3) != 'WIN' || version_compare(phpversion(), '5.3.4', '>='))
			)
			{
				self::$_randomData .= bin2hex(openssl_random_pseudo_bytes(max($length, 1024) / 2));
			}
			else if (function_exists('mcrypt_create_iv') && version_compare(phpversion(), '5.3.0', '>='))
			{
				self::$_randomData .= bin2hex(mcrypt_create_iv(max($length, 1024) / 2, MCRYPT_DEV_URANDOM));
			}
			else
			{
				self::$_randomData .= md5(uniqid(mt_rand(), true));
			}
		}

		$return = substr(self::$_randomData, 0, $length);
		self::$_randomData = substr(self::$_randomData, $length);

		return $return;
	}

 

[erich37]

yeah, but the Password is still being send via Email to the user.
So it is not secure anymore.

But there is probably no other solution to show the user his Password without sending it to him via Email...?



The only idea might be to ask the user for an "Answer" to a question he submitted earlier... and then display his Password via a Key-Generator:

http://xenforo.com/community/threads/random-key-generator-by-waindigo.56174/

Well, I guess that is the next "multi-million dollar idea"..... if you are able to code it

 

[Jake Bunce]

The only idea might be to ask the user for an "Answer" to a question he submitted earlier... and then display his Password via a Key-Generator:

That is basically using a second password to retrieve the first. You must still deal with the case of both passwords being forgotten.

 

[Biker]

http://xenforo.com/community/threads/ability-to-recover-account-password-without-email.48856

 

[OSS 117]

*yawn*

This is nothing new. Federal agencies like the CSS use AES-256 for TS level documents. No form of encryption is reliable if your password is something as stupid as "I<3puppies."

 

[Anthony Parsons]

And if someone already has your email accessed... it all becomes useless as they retrieve a password to your email and in they go. Simple solution is to have a good password.

 

[OSS 117]

Depends on the email provider. I have two factor on anything that supports it.

 

[Anthony Parsons]

Me too... on my gmail. I also have it on my forum admin accounts.

 

[OSS 117]

I use a unique option for lastpass. To login to my account on their site I need a grid number plus a text to my phone. Though it's been a year since I've logged in, as a local copy of the data in unencrypted on the fly in my browser.

 

[Anthony Parsons]

I just use Googles on my iphone... time lapsed 30 second change.