XF 1.3 passwords

[DRaver]

Is it possible to read the user passwords out of the database in xf 1.3 with a tool or a hack?

 

[Paul B]

No.

 

[DRaver]

Thanks @Brogan
So if someone had stolen the database, he could find passwords of a user but only the user names?

 

[Mike]

Well the passwords are there, but they're one-way hashed. If your DB has been compromised, you need to assume the passwords have too.

 

[DRaver]

Ups, I always thought the passwords would be encrypted in XF and not only hashed.

What can the thief do with the hash? Make a brute force to find the real pw or use a tool for that?

 

[duderuud]

Afaik the method of encrypting hasn't been comprimized yet. So you should be relatively safe. But remember, if they can't be hacked today, maybe they can tomorrow...

 

[Mike]

Encryption means it can be reversed (with the correct key). Hashing means it can't. You never want to encrypt a password.

But yes, they can attempt to brute force a password. Since 1.2 (new users since then or anyone who logged in with a password since them), we use bcrypt which makes this harder/slower, but it's still possible. To be safe, you need to assume that passwords have been compromised.

 

[DRaver]

To be safe, you need to assume that passwords have been compromised.

In this case. That is to do in XF?
I think all passwords need to be reset and all user need a new on. Right?
Ho can i make that.

 

[Mike]

There are no bulk password management tools built in. You would need to ask/tell people to update their passwords.

 

[DRaver]

If you have thousands of members that's impossible. You can ask the people, but not all will make it.
Any other solution?

 

[Mike]

Any other solution would require some sort of custom development.

 

[DRaver]

Another question @Mike .

I add a user in XF and and create a password. In the database I see the pw hash.
If I copy this hash in the database to another user, then both have the same password.

Is this a bug? I want to give no instructions for hacking. Is this too critical, then delete the thread simply and reply privately to me.

 

[Mike]

What you're suggesting would really provide no benefit.

If someone (untrusted) has database access, all is lost. If they can write to it, the entire integrity of it is compromised.

 

[truonglv]

Ups, I always thought the passwords would be encrypted in XF and not only hashed.

What can the thief do with the hash? Make a brute force to find the real pw or use a tool for that?

Hi! I think its helpful to you if you want to force user update their passwords B-)
http://xenforo.com/community/resources/password-rules.3259/update?update=10212