WHT Hacked/Attacked + How to force users to reset passwords

Postby Highway of Life » 24 Mar 2009, 10:31

With the recent hacking attack on WebHostingTalk, it brings back to mind how serious such an attack is, and that phpBB.com had one in the not too distant past. Although the attack on WHT was far more serious than what we at phpBB.com experienced: we lost several hours' worth of posts, but they lost about 6 months' worth of posts.

I noticed that they forced everybody to reset their passwords. That was an excellent idea, because the way vB works with password hashes is really not complex at all. vB uses a 3-character salted hash; you can easily gain access to ALL passwords less than 8 characters long using a 10-letter rainbow table. Additionally, they store the password hash and salt for login cookies, so it would be relatively simple to log in as any user if they had access to the DB or a database dump.
phpBB3 stores a unique session key in your cookie, and then stores the hashed version in the database, so when you have autologin set, it checks the hashed version of your cookie key against the hashed login keys in the database, making it impossible for a hacker to log in as another user using the same method on phpBB3.

So what do you do to protect yourself if someone gains access to your vB database or a database dump? You require all users to reset their passwords by causing the password to expire.
Did you know that you can do this in phpBB3 as well?
It's true, and a very simple process. Although phpBB3 uses a much stronger algorithm and hash for storing passwords, it's still a good idea to have your users reset their passwords if you have experienced an attack or compromise; you can use the following method.

Run the following two queries in your database using phpMyAdmin or similar tool:

Code:
-- community_ is this board's table prefix; substitute your own (phpbb_ by default)
UPDATE community_config SET config_value = 90 WHERE config_name = 'chg_passforce';
-- user_type 2 is the anonymous/bot account type, which is left alone
UPDATE community_users SET user_passchg = 1230829560 WHERE user_type <> 2;

This changes ALL users' password reset times to a little over 90 days ago, and sets the "force password change" to 90 days, so as soon as a user attempts to log in, it will ask them to reset their password.

But you don't want users resetting their password every 90 days, so what should you do to prevent this?
Simple: you set your own password to reset in about 85 days using the following query:

Code:
-- user_type 3 is the founder account type
UPDATE community_users SET user_passchg = 1237532400 WHERE user_type = 3;

This will show you the reset password screen again in 85 days, and reminds you to set the "Force password change" back to 0 in the ACP (ACP -> General (tab) -> Server Configuration :: Security Settings) before it asks anybody else to reset their password 5 days later.
Watch out! I might do a code wheelie!
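The two autologin designs the post contrasts, modelled as an added example (this is not vBulletin's or phpBB3's real code and is not from the post): design A derives the "remember me" cookie from the stored password hash, so anyone holding a database dump can rebuild it; design B hands the browser a random key and stores only its md5, so the dump alone gives the attacker nothing to present. The hash construction, the site-wide cookie salt constant and the sample user are assumptions constructed for the example.

```python
import hashlib
import secrets
from typing import Optional


def salted_password_hash(password: str, salt: str) -> str:
    """Password storage in the older style the post describes:
    md5(md5(password) + salt) with a short salt.  Assumption: the exact
    construction; it is only needed here to have something to store."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


# Design A: the "remember me" cookie is derived from columns in the users table.

COOKIE_SALT = "s3c"  # assumption: a site-wide constant the attacker can also read


def derived_cookie(user_id: int, stored_hash: str) -> str:
    """Cookie value computed from the stored password hash.  Everything on
    the right-hand side is in the database, so a dump is enough to rebuild it."""
    token = hashlib.md5((stored_hash + COOKIE_SALT).encode()).hexdigest()
    return f"{user_id}:{token}"


def derived_cookie_check(cookie: str, users: dict) -> Optional[int]:
    """Server-side check for design A: recompute the token and compare."""
    uid_str, token = cookie.split(":", 1)
    uid = int(uid_str)
    row = users.get(uid)
    if row is None:
        return None
    expected = hashlib.md5((row["password_hash"] + COOKIE_SALT).encode()).hexdigest()
    return uid if secrets.compare_digest(expected, token) else None


# Design B: a random key goes to the browser; only its hash is stored.

def issue_login_key(user_id: int, login_keys: dict) -> str:
    """Generate a random key, store md5(key) in the login-key table, and
    return the cookie carrying the plaintext key.  The database never
    contains the value the browser presents."""
    key = secrets.token_hex(16)
    login_keys.setdefault(user_id, set()).add(hashlib.md5(key.encode()).hexdigest())
    return f"{user_id}:{key}"


def login_key_check(cookie: str, login_keys: dict) -> Optional[int]:
    """Server-side check for design B: hash the presented key and look it up."""
    uid_str, key = cookie.split(":", 1)
    uid = int(uid_str)
    hashed = hashlib.md5(key.encode()).hexdigest()
    return uid if hashed in login_keys.get(uid, set()) else None


def forge_from_dump():
    """Attacker holds a complete dump (users table and login-key table) but
    not the victim's browser cookie.  Returns
    (design_A_forgery_accepted, design_B_forgery_accepted)."""
    # Constructed sample data.
    users = {42: {"password_hash": salted_password_hash("hunter2", "ab1"), "salt": "ab1"}}
    login_keys: dict = {}
    victim_cookie = issue_login_key(42, login_keys)   # stays in the victim's browser

    # Design A: recompute the cookie directly from the dumped columns.
    forged_a = derived_cookie(42, users[42]["password_hash"])
    a_accepted = derived_cookie_check(forged_a, users) == 42

    # Design B: the dump only has md5(key); presenting that as the key fails,
    # and recovering the 128-bit random key from it would need an md5 preimage.
    dumped_hash = next(iter(login_keys[42]))
    b_accepted = login_key_check(f"42:{dumped_hash}", login_keys) == 42

    assert login_key_check(victim_cookie, login_keys) == 42  # the real cookie still works
    return a_accepted, b_accepted


if __name__ == "__main__":
    print("forgery accepted (A, B):", forge_from_dump())
```

The point the post makes follows directly from design B: after a dump, the operator still has to rotate the login-key table (and, as the post goes on to describe, expire passwords), but the dump itself does not let anyone log in as another user.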

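The procedure above, as an added example not taken from the post or from phpBB: the same three UPDATEs run against an in-memory SQLite copy of the two tables they touch, with the timestamps computed from the current time instead of the hard-coded values, plus a check that mirrors the rule the post describes (a user is prompted when chg_passforce is non-zero and user_passchg is older than that many days). The phpbb_ prefix, the sample users, the user_type constants and the must_change_password function are assumptions; phpBB's own check lives in the board code, not here.

```python
import sqlite3
import time

DAY = 86400
USER_IGNORE, USER_FOUNDER = 2, 3   # phpBB 3.0 user_type values (assumption)


def make_board(now: int) -> sqlite3.Connection:
    """Constructed sample data: the config row plus one user of each kind."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE phpbb_config (config_name TEXT PRIMARY KEY, config_value TEXT);
        CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT,
                                  user_type INTEGER, user_passchg INTEGER);
    """)
    conn.execute("INSERT INTO phpbb_config VALUES ('chg_passforce', '0')")
    conn.executemany(
        "INSERT INTO phpbb_users VALUES (?, ?, ?, ?)",
        [(1, "Anonymous", USER_IGNORE,  0),
         (2, "admin",     USER_FOUNDER, now - 10 * DAY),
         (3, "alice",     0,            now - 1 * DAY),    # changed it yesterday
         (4, "bob",       1,            now - 400 * DAY)])
    conn.commit()
    return conn


def must_change_password(conn, user_id: int, now: int) -> bool:
    """Assumed expiry rule: prompt when chg_passforce > 0 and the user's
    last change is older than chg_passforce days.  Anonymous/bots never."""
    (force_days,) = conn.execute(
        "SELECT config_value FROM phpbb_config WHERE config_name = 'chg_passforce'"
    ).fetchone()
    passchg, user_type = conn.execute(
        "SELECT user_passchg, user_type FROM phpbb_users WHERE user_id = ?", (user_id,)
    ).fetchone()
    force_days = int(force_days)
    if user_type == USER_IGNORE or force_days == 0:
        return False
    return passchg < now - force_days * DAY


def force_reset_all(conn, now: int, founder_grace_days: int = 85) -> None:
    """The post's statements with relative timestamps: 90-day policy, every
    non-bot user pushed past it, founders given a grace period so they are
    prompted only founder_grace_days from now."""
    conn.execute("UPDATE phpbb_config SET config_value = '90' "
                 "WHERE config_name = 'chg_passforce'")
    conn.execute("UPDATE phpbb_users SET user_passchg = ? WHERE user_type <> ?",
                 (now - 91 * DAY, USER_IGNORE))
    conn.execute("UPDATE phpbb_users SET user_passchg = ? WHERE user_type = ?",
                 (now - (90 - founder_grace_days) * DAY, USER_FOUNDER))
    conn.commit()


def restore_policy(conn) -> None:
    """The final ACP step: turn forced expiry back off once everyone has reset."""
    conn.execute("UPDATE phpbb_config SET config_value = '0' "
                 "WHERE config_name = 'chg_passforce'")
    conn.commit()


def who_is_prompted(conn, now: int) -> list:
    """Usernames that would hit the reset screen at time `now`."""
    rows = conn.execute(
        "SELECT user_id, username FROM phpbb_users ORDER BY user_id").fetchall()
    return [name for uid, name in rows if must_change_password(conn, uid, now)]


if __name__ == "__main__":
    now = int(time.time())
    conn = make_board(now)
    force_reset_all(conn, now)
    print("prompted today:", who_is_prompted(conn, now))
    print("prompted in 86 days:", who_is_prompted(conn, now + 86 * DAY))
    restore_policy(conn)
    print("after restoring the policy:", who_is_prompted(conn, now + 86 * DAY))
```

Run as a script it shows the sequence the post walks through: immediately after the three updates every regular user is prompted and the founder is not, the founder's own prompt arrives after the grace period, and setting chg_passforce back to 0 silences all of it. The only difference from the post's queries is that the timestamps are derived from `now`, so the script does not need to be recalculated when it is reused.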

Re: WHT Hacked/Attacked + How to force users to reset passwords

Postby UnknownTBeast » 05 Sep 2011, 15:02

This is an epic post, BUT it is 2 1/2 years old! I need to know if it will work on 3.0.9. If not, can you please update the queries? Also you say...

Highway of Life wrote:Run the following two queries in your database using phpMyAdmin or similar tool

Code:
UPDATE community_config SET config_value = 90 WHERE config_name = 'chg_passforce';
UPDATE community_users SET user_passchg = 1230829560 WHERE user_type <> 2;

Do you mean separately or together? Or does it matter?

Re: WHT Hacked/Attacked + How to force users to reset passwords

Postby Peetra » 06 Sep 2011, 01:49

Run them at once if you can, it doesn't matter.

Re: WHT Hacked/Attacked + How to force users to reset passwords

Postby Erik Frèrejean » 07 Sep 2011, 04:13

UnknownTBeast wrote:This is an epic post, BUT it is 2 1/2 years old! I need to know if it will work on 3.0.9.

They'll run.
