Guest Posted March 30, 2012

The other more practical change is to add something so that the password isn't the only piece needed to get into the account. That's where 2-step verification comes into play. It doesn't matter how strong or unique your password is in that case.

The only really useful 2-factor system would be using the token generators like Banks/PayPal use. The ones where the device has a unique id number and generates a 6 digit pin on every press. Now if Invision (sorry Matt) came up with one of them that might work but is everyone going to buy one even if they are only $5?
Ryan H. (Author) Posted March 30, 2012

> The only really useful 2-factor system would be using the token generators like Banks/PayPal use. The ones where the device has a unique id number and generates a 6 digit pin on every press. Now if Invision (sorry Matt) came up with one of them that might work but is everyone going to buy one even if they are only $5?

Such a system can be roughly approximated [much more cheaply and accessibly] by sending user-specific keys via text message or with a smartphone app. It can be equally effective, and avoids the need for special-purpose hardware.
Guest Posted March 30, 2012

> Such a system can be roughly approximated [much more cheaply and accessibly] by sending user-specific keys via text message or with a smartphone app. It can be equally effective, and avoids the need for special-purpose hardware.

That's just not on... I am not the only person who lives outside the coverage of mobile towers. To work it has to be one in, all in.
Enkidu Posted March 30, 2012

> I agree with everything except for minimum password length. I like to keep my password 1 character long (no hacker would EVER think a site's admin has a 1 character password!) Jk... :wink: Good suggestions!

This post should be nominated for the worst idea of the century. The first thing a hacker would do is assume that your password is something easy to remember, such as a word from the dictionary (hence "dictionary attack"), and in the case of a brute-force attack your password will be cracked in a fraction of a second.
PeterUK Posted March 30, 2012

One thing that could be done... We currently do md5( md5(salt) . md5(password) ). This is stored as the hash (along with the salt) for later comparison. We could take this and then run it through another hashing algorithm (bcrypt, etc.) and then store that. If we did that, we can update existing passwords in the database (just take the value from members_pass_hash and run through bcrypt or whatever is used). That certainly couldn't hurt to do and should be fairly easy to implement.

With a high enough work factor that should pretty much eliminate the problem for 99% of the crackers out there, and it certainly discounts rainbow tables completely. Look at phpBB3's algorithm (which as has been said, is using blowfish), it's a nightmare for password crackers for two reasons: a) Because it's slow to generate for; and b) Because there's very few tools to crack it anyway, certainly not the CUDA/Brook tools which are so widely available for MD5.

> That's just not on... I am not the only person who lives outside the coverage of mobile towers. To work it has to be one in, all in.

You're saying you have a phone but live outside of mobile coverage? For most of the above mentioned systems that's irrelevant. A proper token generates a key without any Internet or mobile network access. Google Authenticator for Android/iOS/Blackberry is completely time based and once you've scanned in the barcode for your generator it can run entirely independently, even if you take the SIM card out of your phone and turn WiFi off.

> This post should be nominated for the worst idea of the century. The first thing a hacker would do is assume that your password is something easy to remember, such as a word from the dictionary (hence "dictionary attack"), and in the case of a brute-force attack your password will be cracked in a fraction of a second.

He said he was joking. ^
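The migration PeterUK describes (wrap the stored md5( md5(salt) . md5(password) ) value in a slow, salted hash without waiting for each user to log in) can be illustrated in a few lines. This is an added example, not IPB's code or anything PeterUK posted. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt so it runs without extra packages; the wrapping idea is identical, only the outer KDF differs. The column names, iteration count and the record layout are assumptions for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor for the example; tune it so a verify takes tens of ms on your hardware.
PBKDF2_ITERATIONS = 200_000
PBKDF2_HASH = "sha256"


def legacy_hash(password: str, salt: str) -> str:
    """The md5( md5(salt) . md5(password) ) scheme quoted in the post, hex encoded."""
    inner_salt = hashlib.md5(salt.encode()).hexdigest()
    inner_pw = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner_salt + inner_pw).encode()).hexdigest()


def wrap_legacy(legacy_hex: str, wrap_salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Run an existing legacy hash through a slow KDF.

    Only the stored hash is needed, not the password, so an entire table can be
    upgraded offline in one pass. The stored md5 value becomes the 'password'
    input of the slow KDF; a fresh per-row salt is added on the outside.
    """
    return hashlib.pbkdf2_hmac(PBKDF2_HASH, legacy_hex.encode(), wrap_salt, iterations)


def upgrade_record(record: dict, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Convert an assumed {members_pass_salt, members_pass_hash} row to the wrapped form."""
    wrap_salt = os.urandom(16)
    wrapped = wrap_legacy(record["members_pass_hash"], wrap_salt, iterations)
    return {
        "members_pass_salt": record["members_pass_salt"],  # still needed for the inner md5 step
        "wrap_salt": wrap_salt.hex(),
        "iterations": iterations,
        "wrapped_hash": wrapped.hex(),
    }


def verify(password: str, record: dict) -> bool:
    """Login check against an upgraded row: recompute inner md5, then the slow wrap, compare in constant time."""
    legacy = legacy_hash(password, record["members_pass_salt"])
    candidate = wrap_legacy(legacy, bytes.fromhex(record["wrap_salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["wrapped_hash"]))


def demo(iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Constructed sample row: upgrade it, then check a right and a wrong password."""
    old_row = {"members_pass_salt": "k3Qz9", "members_pass_hash": legacy_hash("correct horse", "k3Qz9")}
    new_row = upgrade_record(old_row, iterations)
    return verify("correct horse", new_row), verify("wrong horse", new_row)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Note that the md5 layer stays in the scheme forever for these rows; the slow outer KDF is what defeats GPU cracking and rainbow tables. If you also want to retire md5, re-hash with the slow KDF directly the next time each user logs in with a correct password.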
raindog308 Posted March 30, 2012

2-step authentication via SMS? It's just a board. I would never register. If you want security, require each user to buy a SecurID token :-(
Mat Barrie Posted April 1, 2012

Just take the phpBB approach - build in optional support for Yubikeys, and users can choose to buy a token ($25) if they want. If they don't, well, whatever.
PeterUK Posted April 1, 2012

> Just take the phpBB approach - build in optional support for Yubikeys, and users can choose to buy a token ($25) if they want. If they don't, well, whatever.

Or build in optional support for Google Authenticator. People only need a smartphone (and to me it seems likely that if they were willing to pay $25 for a key, they'd have a smartphone), and it's free.
Andy Millne Posted June 24, 2012

> Just take the phpBB approach - build in optional support for Yubikeys, and users can choose to buy a token ($25) if they want. If they don't, well, whatever.

> Or build in optional support for Google Authenticator. People only need a smartphone (and to me it seems likely that if they were willing to pay $25 for a key, they'd have a smartphone), and it's free.

Take your pick: YubiKey or Google Authenticator.
XTF Posted June 26, 2012

> It is worse: it is hair-pulling difficult to get people to realise that reuse of a password on multiple systems is a bad idea.

How about emailing a generated password on registration (in the activation email)? Don't expect users to come up with good (new) passwords themselves, they won't.
Rimi Posted June 26, 2012

> How about emailing a generated password on registration (in the activation email)? Don't expect users to come up with good (new) passwords themselves, they won't.

I always change the password to something easier for sites that do that.
XTF Posted June 26, 2012

To one used on multiple sites I guess?
Rimi Posted June 26, 2012

> To one used on multiple sites I guess?

Yeah. The usual 123456.
Axel Wers Posted June 27, 2012

> SMS: It's just too costly and too involved to be a standard feature. It may make a nice mod but generally we're looking to lower the bar for registration and I think requiring a mobile phone number will put people off. For specialised more tolerant communities I'm sure it'd be fine.

This can be optional for new members. Whoever wants to can use SMS notification during the login process.
The Guy Posted June 27, 2012

> Nice try with your reverse psychology, but I am still going to get into your site's ACP.

Yes, but with 24 letters in the alphabet and 10 numbers on the numpad (0-9), that leaves the hacker 34 guesses. Oh, and of course there is the ALT symbolism, which leads up to 400+ guesses. For example: ALT+11=♂. The keyboard is larger than you think :P
eGullet Posted June 27, 2012

> This can be optional for new members. Whoever wants to can use SMS notification during the login process.

I don't think anyone has ever suggested that this should be implemented for all members (though I suppose if Lockheed or somebody wanted to run an internal discussion board maybe they would... we should remember that not all boards are the same, it turns out some people like to discuss things more important than food or cars or whatever). I'd love 2-factor authentication for ACP access, and I could imagine requiring all mods, or maybe just all managers, to use it.
TigerWolf Posted October 22, 2012

I am really interested in having higher security in IPBoard as I am interested in purchasing it but would want to assure my members that their passwords were safer than on a lot of the forums out there that are being hacked recently. There is a way to have "password strategies" which I have used when developing applications using another PHP framework: https://github.com/phpnode/YiiPassword

Is the plugin API for IP good enough that this could be implemented as a plugin?
This topic is now archived and is closed to further replies.