XF 1.3 passwords

Discussion in 'XenForo Questions and Support' started by DRaver, Jul 17, 2014.

  1. DRaver

    DRaver Active Member

    Is it possible to read the user passwords out of the database in XF 1.3 with a tool or a hack?
  2. Brogan

    Brogan XenForo Moderator Staff Member

  3. DRaver

    DRaver Active Member

    Thanks @Brogan
    So if someone had stolen the database, he could find passwords of a user but only the user names?
  4. Mike

    Mike XenForo Developer Staff Member

    Well the passwords are there, but they're one-way hashed. If your DB has been compromised, you need to assume the passwords have too.
  5. DRaver

    DRaver Active Member

    Oops, I always thought the passwords would be encrypted in XF and not only hashed.

    What can the thief do with the hash? Make a brute force to find the real pw or use a tool for that?
  6. duderuud

    duderuud Active Member

    AFAIK the method of encrypting hasn't been compromised yet. So you should be relatively safe. But remember, if they can't be hacked today, maybe they can tomorrow...
  7. Mike

    Mike XenForo Developer Staff Member

    Encryption means it can be reversed (with the correct key). Hashing means it can't. You never want to encrypt a password.

    But yes, they can attempt to brute force a password. Since 1.2 (new users since then or anyone who logged in with a password since then), we use bcrypt which makes this harder/slower, but it's still possible. To be safe, you need to assume that passwords have been compromised.
    DRaver likes this.
  8. DRaver

    DRaver Active Member

    In this case, what is to do in XF?
    I think all passwords need to be reset and all users need a new one. Right?
    How can I make that?
  9. Mike

    Mike XenForo Developer Staff Member

    There are no bulk password management tools built in. You would need to ask/tell people to update their passwords.
  10. DRaver

    DRaver Active Member

    If you have thousands of members that's impossible. You can ask the people, but not all will make it.
    Any other solution?
  11. Mike

    Mike XenForo Developer Staff Member

    Any other solution would require some sort of custom development.
  12. DRaver

    DRaver Active Member

    Another question @Mike.

    I add a user in XF and create a password. In the database I see the pw hash.
    If I copy this hash in the database to another user, then both have the same password.

    Is this a bug? I want to give no instructions for hacking. If this is too critical, then simply delete the thread and reply privately to me.
  13. Mike

    Mike XenForo Developer Staff Member

    What you're suggesting would really provide no benefit.

    If someone (untrusted) has database access, all is lost. If they can write to it, the entire integrity of it is compromised.
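
The behaviour discussed in posts 7, 12 and 13, as an added example that is not part of the thread and not XenForo's code: a salted one-way hash record carries its own salt and cost, so it can be verified but not decrypted, and a record copied to another row still verifies against the original password. Assumptions: PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, and the record layout and user names are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt; the record layout is made up here.
SCHEME = "pbkdf2-sha256"

def hash_password(password: str, iterations: int = 100_000) -> str:
    """Return a self-contained record: scheme$cost$salt$digest."""
    salt = os.urandom(16)  # fresh random salt on every call
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    enc = lambda b: base64.b64encode(b).decode()
    return f"{SCHEME}${iterations}${enc(salt)}${enc(digest)}"

def verify_password(candidate: str, record: str) -> bool:
    """Re-run the hash with the record's own salt and cost, then compare."""
    scheme, cost, salt_b64, digest_b64 = record.split("$")
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(cost))
    return hmac.compare_digest(actual, expected)  # constant-time comparison

def demo() -> dict:
    # Constructed sample table: user name -> stored record.
    users = {"alice": hash_password("correct horse"),
             "bob": hash_password("correct horse")}
    # Same password, different salts: the two rows do not match each other.
    salted_differs = users["alice"] != users["bob"]
    both_verify = all(verify_password("correct horse", r) for r in users.values())
    # Post 12: a third user's row is overwritten with alice's record.
    users["carol"] = hash_password("carol's own password")
    users["carol"] = users["alice"]
    return {
        "salted_differs": salted_differs,
        "both_verify": both_verify,
        # The salt travels inside the record, so the copy accepts alice's password.
        "copy_accepts_alice_pw": verify_password("correct horse", users["carol"]),
        "copy_rejects_old_pw": not verify_password("carol's own password", users["carol"]),
    }

if __name__ == "__main__":
    print(demo())
```

There is no function that turns a record back into the password; the only operation is to hash a candidate and compare, which is why the per-guess cost parameter matters once a database has leaked.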
  14. Nobita.Kun

    Nobita.Kun Well-Known Member

    DRaver likes this.