I noticed that they forced everybody to reset their passwords. That was an excellent idea because the way vB works with password hashes is really not complex at all. vB uses a 3-character salted hash; you can easily gain access to ALL passwords less than 8 characters long using a 10-letter rainbow table. Additionally, they store the password hash and salt for login cookies, so it would be relatively simple to log in as any user if they had access to the DB or a database dump.
phpBB3 stores a unique session key in your cookie and then stores the hashed version in the database, so when you have autologin set, it checks the hashed version of your cookie key against the hashed login keys in the database, making it impossible for a hacker to log in as another user using the same method on phpBB3.
So what do you do to protect yourself if someone gains access to your vB database or a database dump? You require all users to reset their passwords by causing the password to expire.
Did you know that you can do this in phpBB3 as well?
It's true, and a very simple process. Although phpBB3 uses a much stronger algorithm and hash for storing passwords, it's still a good idea to have your users reset their passwords if you have experienced an attack or compromise. You can use the following method.
Run the following two queries in your database using phpMyAdmin or similar tool:
UPDATE community_config SET config_value = 90 WHERE config_name = 'chg_passforce';
UPDATE community_users SET user_passchg = 1230829560 WHERE user_type <> 2;
But you don't want users resetting their password every 90 days, so what should you do to prevent this?
Simple, you set your password to reset in about 85 days using the following query:
UPDATE community_users SET user_passchg = 1237532400 WHERE user_type = 3;
This will show you the reset-password screen again in 85 days and remind you to set "Force password change" back to 0 in the ACP (ACP -> General (tab) -> Server Configuration :: Security Settings) before it asks anybody else to reset their password 5 days later.
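To check the timing of this scheme before running it against a live board, here is an added example (my own code, not from phpBB or the original post) that replays the three UPDATEs on an in-memory copy of the users table and reports who gets the forced-change prompt at a given moment. The expiry test is my model of phpBB3's check, assumed to be "prompt when user_passchg is older than chg_passforce days before now, and never for bots"; the user_type values 2 (bot/ignore) and 3 (founder) are the ones the page's queries use, and the table prefix, the sample rows and the "now" timestamp are constructed for the demonstration.

```python
"""Replay the forced-password-change plan from the post and show when each account is prompted."""
from datetime import datetime, timezone

DAY = 86400

# phpBB3 user_type values; the post's queries rely on 2 (bots) and 3 (founder).
USER_NORMAL, USER_INACTIVE, USER_IGNORE, USER_FOUNDER = 0, 1, 2, 3

# Values taken from the post's queries.
FORCE_DAYS = 90           # chg_passforce
PAST_TS = 1230829560      # user_passchg for everyone except bots
FOUNDER_TS = 1237532400   # user_passchg for the founder (user_type = 3)


def password_change_forced(user, chg_passforce_days, now):
    """Assumed model of phpBB3's check: bots are never prompted, 0 disables the
    feature, otherwise prompt when the last change is older than the window."""
    if user["user_type"] == USER_IGNORE or chg_passforce_days <= 0:
        return False
    return user["user_passchg"] < now - chg_passforce_days * DAY


def forced_at(user_passchg, chg_passforce_days):
    """Unix time from which the prompt appears for a given user_passchg."""
    return user_passchg + chg_passforce_days * DAY


def apply_reset_plan(users, now, force_days=FORCE_DAYS,
                     past_ts=PAST_TS, founder_ts=FOUNDER_TS):
    """Apply the effect of the post's UPDATEs to copies of the rows and annotate
    each with whether it is prompted at 'now' and from when it will be."""
    result = []
    for row in users:
        u = dict(row)
        if u["user_type"] != USER_IGNORE:      # second UPDATE: user_type <> 2
            u["user_passchg"] = past_ts
        if u["user_type"] == USER_FOUNDER:     # third UPDATE: user_type = 3
            u["user_passchg"] = founder_ts
        u["forced_now"] = password_change_forced(u, force_days, now)
        u["forced_from"] = forced_at(u["user_passchg"], force_days)
        result.append(u)
    return result


def reset_queries(prefix="community_", force_days=FORCE_DAYS,
                  past_ts=PAST_TS, founder_ts=FOUNDER_TS):
    """Render the post's three queries for an arbitrary table prefix."""
    return [
        f"UPDATE {prefix}config SET config_value = {force_days} "
        f"WHERE config_name = 'chg_passforce';",
        f"UPDATE {prefix}users SET user_passchg = {past_ts} "
        f"WHERE user_type <> {USER_IGNORE};",
        f"UPDATE {prefix}users SET user_passchg = {founder_ts} "
        f"WHERE user_type = {USER_FOUNDER};",
    ]


# Constructed sample rows, not real forum data.
SAMPLE_USERS = [
    {"username": "founder", "user_type": USER_FOUNDER, "user_passchg": 1200000000},
    {"username": "alice", "user_type": USER_NORMAL, "user_passchg": 1235000000},
    {"username": "bob_inactive", "user_type": USER_INACTIVE, "user_passchg": 1234000000},
    {"username": "Googlebot", "user_type": USER_IGNORE, "user_passchg": 0},
]

# Constructed "now": 2009-04-02 00:00:00 UTC, shortly after the post's timestamps.
NOW = 1238630400


def when(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M UTC")


if __name__ == "__main__":
    for q in reset_queries():
        print(q)
    print()
    for u in apply_reset_plan(SAMPLE_USERS, NOW):
        state = "PROMPTED" if u["forced_now"] else "not yet"
        print(f"{u['username']:<14} type={u['user_type']} prompted from {when(u['forced_from'])}: {state}")
```

The founder's row comes out of the plan with a later `forced_from` than everyone else's, which is the window the post describes for switching "Force password change" back to 0; if you change the 90-day value, re-run the script to see how that window moves.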