Discussion in 'XenForo Questions and Support' started by DRaver, Jul 17, 2014.
Is it possible to read the user passwords out of the database in xf 1.3 with a tool or a hack?
So if someone had stolen the database, could he find the passwords of a user, or only the user names?
Well the passwords are there, but they're one-way hashed. If your DB has been compromised, you need to assume the passwords have too.
Oops, I always thought the passwords would be encrypted in XF and not only hashed.
What can the thief do with the hash? Brute-force it to find the real password, or use a tool for that?
Afaik the method of encrypting hasn't been compromised yet. So you should be relatively safe. But remember, if they can't be hacked today, maybe they can tomorrow...
Encryption means it can be reversed (with the correct key). Hashing means it can't. You never want to encrypt a password.
But yes, they can attempt to brute force a password. Since 1.2 (new users since then or anyone who logged in with a password since then), we use bcrypt which makes this harder/slower, but it's still possible. To be safe, you need to assume that passwords have been compromised.
In this case, what is to be done in XF?
I think all passwords need to be reset and all users need a new one. Right?
How can I do that?
There are no bulk password management tools built in. You would need to ask/tell people to update their passwords.
If you have thousands of members that's impossible. You can ask the people, but not all will do it.
Any other solution?
Any other solution would require some sort of custom development.
Another question @Mike .
I add a user in XF and create a password. In the database I see the pw hash.
If I copy this hash in the database to another user, then both have the same password.
Is this a bug? I don't want to give instructions for hacking. If this is too critical, then simply delete the thread and reply to me privately.
What you're suggesting would really provide no benefit.
If someone (untrusted) has database access, all is lost. If they can write to it, the entire integrity of it is compromised.
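The following is an added example to illustrate the two points made above (a one-way, salted, slow hash that a thief can only attack by guessing, and why pasting one user's stored hash onto another user "works"). It is not code from this thread or from XenForo. XenForo 1.2+ uses bcrypt; the Python standard library has no bcrypt, so PBKDF2-HMAC-SHA256 with a high iteration count stands in for it here (assumption: same design idea, different algorithm). The record format, user names, passwords and word list are all constructed for the demo.

```python
"""Salted, slow password hashing vs. encryption: a self-contained illustration.

Added example, not XenForo code. PBKDF2-HMAC-SHA256 stands in for bcrypt
(assumption); the storage format, users and word list are constructed.
"""
import hashlib
import secrets
from typing import Dict, Iterable, Optional

# Work factor: makes every guess expensive. bcrypt's "cost" plays the same role.
ITERATIONS = 100_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-contained record: algorithm, work factor, random salt, digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive the digest with the stored salt and cost, compare in constant time.

    Nothing here reverses the hash; the only way 'back' is to guess and re-hash.
    """
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return secrets.compare_digest(digest, bytes.fromhex(digest_hex))


def dictionary_attack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """What a thief does with a stolen hash: guess, re-hash, compare.

    Every guess costs a full PBKDF2 run, which is exactly why a slow hash helps.
    """
    for guess in wordlist:
        if verify_password(stored, guess):
            return guess
    return None


def build_user_table() -> Dict[str, str]:
    """Constructed sample 'users' table: user name -> stored password record."""
    return {
        "alice": hash_password("password123"),     # weak: in any word list
        "bob": hash_password("Xk9#vQ2!mRt7$pLw"),   # strong: not in the word list
    }


def demo() -> dict:
    users = build_user_table()
    wordlist = ["123456", "qwerty", "letmein", "password123", "dragon"]  # constructed
    results = {}

    # 1. Same password, two different records: the random salt makes every hash
    #    unique, so a thief cannot spot shared passwords or reuse one lookup table.
    results["salted_hashes_differ"] = (
        hash_password("password123") != hash_password("password123")
    )
    # 2. Login still works, because verification re-derives with the stored salt.
    results["alice_login_ok"] = verify_password(users["alice"], "password123")
    results["alice_wrong_pw_rejected"] = not verify_password(users["alice"], "password124")
    # 3. The thief's brute force: the weak password falls, the strong one survives
    #    this word list (and each guess gets slower as the work factor rises).
    results["alice_cracked_as"] = dictionary_attack(users["alice"], wordlist)
    results["bob_cracked_as"] = dictionary_attack(users["bob"], wordlist)
    # 4. The hash-copy question from the thread: the record carries its own salt
    #    and digest, so whoever can WRITE to the table can paste alice's record
    #    over bob's and then log in as bob with alice's password. That is not a
    #    weakness of the hash; write access to the database is already game over.
    users["bob"] = users["alice"]
    results["bob_accepts_alices_password_after_copy"] = verify_password(
        users["bob"], "password123"
    )
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module shows the weak password recovered by the word-list attack and the strong one not, and shows that the copied record lets the attacker log in as the second user. The lesson matches the advice in the thread: the hash buys time against guessing, it does not make a stolen database safe, so treat every password as compromised.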
Hi! I think it's helpful to you if you want to force users to update their passwords B-)