
A proposal toward improving IP.Board security


Ryan H.

Recommended Posts

The other more practical change is to add something so that the password isn't the only piece needed to get into the account. That's where 2-step verification comes into play. It doesn't matter how strong or unique your password is in that case.



The only really useful 2-factor system would be using the token generators like Banks/PayPal use. The ones where the device has a unique id number and generates a 6 digit pin on every press. Now if Invision (sorry Matt) came up with one of them that might work but is everyone going to buy one even if they are only $5?


The only really useful 2-factor system would be using the token generators like Banks/PayPal use. The ones where the device has a unique id number and generates a 6 digit pin on every press. Now if Invision (sorry Matt) came up with one of them that might work but is everyone going to buy one even if they are only $5?



Such a system can be roughly approximated [much more cheaply and accessibly] by sending user-specific keys via text message or with a smartphone app. It can be equally effective, and avoids the need for special-purpose hardware.

Such a system can be roughly approximated [much more cheaply and accessibly] by sending user-specific keys via text message or with a smartphone app. It can be equally effective, and avoids the need for special-purpose hardware.



That's just not on... I am not the only person who lives outside the coverage of mobile towers. To work it has to be one in, all in.


I agree with everything except for minimum password length. I like to keep my password 1 character long (no hacker would EVER think a site's admin has a 1 character password!) Jk... :wink:



Good suggestions!




This post should be nominated for the worst idea of the century. The first thing a hacker would do is assume that your password is something easy to remember such as a word from the dictionary (hence dictionary attack), and in the case of a brute-force attack, your password will be cracked in a fraction of a second.


One thing that could be done...



We currently do md5( md5(salt) . md5(password) ). This is stored as the hash (along with the salt) for later comparison. We could take this and then run it through another hashing algorithm (bcrypt, etc.) and then store that. If we did that, we can update existing passwords in the database (just take the value from members_pass_hash and run through bcrypt or whatever is used).




That certainly couldn't hurt to do and should be fairly easy to implement. With a high enough work factor that should pretty much eliminate the problem for 99% of the crackers out there, and it certainly discounts rainbow tables completely. Look at phpBB3's algorithm (which as has been said, is using blowfish), it's a nightmare for password crackers for two reasons:
a) Because it's slow to generate for; and
b) Because there's very few tools to crack it anyway, certainly not the CUDA/Brook tools which are so widely available for MD5.
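The scheme described in the two posts above (the existing md5( md5(salt) . md5(password) ) value wrapped in a slow, salted KDF so that rows in members_pass_hash can be upgraded without knowing the password), written out as an added example that is not IP.Board's or phpBB's code. The thread suggests bcrypt; this example substitutes PBKDF2-HMAC-SHA256 from Python's standard library to keep it dependency-free, and the iteration count and record format are assumptions.

```python
import hashlib
import hmac
import os

# Legacy IP.Board scheme as described in the thread: md5( md5(salt) . md5(password) )
def legacy_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(salt.encode()).hexdigest() + hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()

# Work factor for the slow wrap (assumed value; tune to the server's CPU budget).
# Raising it is what defeats GPU crackers; the per-record random salt defeats rainbow tables.
ITERATIONS = 100_000

def wrap_hash(legacy: str, kdf_salt: bytes = b"") -> str:
    """Run the stored legacy hash through the slow KDF and encode the result as one string."""
    kdf_salt = kdf_salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", legacy.encode(), kdf_salt, ITERATIONS)
    # Assumed storage format: algorithm$iterations$salt_hex$hash_hex
    return f"pbkdf2_sha256${ITERATIONS}${kdf_salt.hex()}${dk.hex()}"

def migrate_record(members_pass_hash: str) -> str:
    """Upgrade an existing row in place: only the stored legacy hash is needed, not the password."""
    return wrap_hash(members_pass_hash)

def verify(password: str, salt: str, stored: str) -> bool:
    """Login check: recompute the legacy hash, apply the same wrap, compare in constant time."""
    _, iters, kdf_salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", legacy_hash(password, salt).encode(),
                             bytes.fromhex(kdf_salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    # Constructed sample row: member salt and password are made up for the demo.
    row = legacy_hash("correct horse", "ab1cd")
    upgraded = migrate_record(row)
    print(upgraded)
    print(verify("correct horse", "ab1cd", upgraded))
```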



That's just not on... I am not the only person who lives outside the coverage of mobile towers. To work it has to be one in, all in.




You're saying you have a phone but live outside of mobile coverage? For most of the above mentioned systems that's irrelevant. A proper token generates a key without any Internet or mobile network access. Google Authenticator for Android/iOS/Blackberry is completely time based and once you've scanned in the barcode for your generator it can run entirely independently, even if you take the SIM card out of your phone and turn WiFi off.
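The time-based code generation described above (RFC 6238 TOTP, the algorithm Google Authenticator runs locally from a secret shared once via the barcode), as an added example rather than code from the thread or from Google. The server-side check with a one-step clock-skew window is an assumption about how a board would verify it.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # time step in seconds (Authenticator default)
DIGITS = 6   # code length shown on the phone

def totp(secret_b32: str, unix_time: int) -> str:
    """Compute the code for one time step from the shared secret; needs no network access."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // STEP
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side for clock skew."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, unix_time + k * STEP), submitted):
            return True
    return False

if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890") in base32, as the barcode would carry it.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(secret, 59))            # 287082 per the RFC test vectors
    print(verify_totp(secret, "287082", 89))
```

A production check must also record the last accepted counter per user so a code cannot be replayed within its window.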



This post should be nominated for the worst idea of the century. The first thing a hacker would do is assume that your password is something easy to remember such as a word from the dictionary (hence dictionary attack), and in the case of a brute-force attack, your password will be cracked in a fraction of a second.




He said he was joking. ^


Just take the phpBB approach - build in optional support for Yubikeys, and users can choose to buy a token ($25) if they want. If they don't, well, whatever.




Or build in optional support for Google Authenticator. People only need a smartphone (and to me it seems likely that if they were willing to pay $25 for a key, they'd have a smartphone), and it's free.

  • 2 months later...

Just take the phpBB approach - build in optional support for Yubikeys, and users can choose to buy a token ($25) if they want. If they don't, well, whatever.




Or build in optional support for Google Authenticator. People only need a smartphone (and to me it seems likely that if they were willing to pay $25 for a key, they'd have a smartphone), and it's free.




Take your pick.

YubiKey -
Google Authenticator -


It is worse: it is hair-pullingly difficult to get people to realise that reusing a password on multiple systems is a bad idea.



How about emailing a generated password on registration (in the activation email)?
Don't expect users to come up with good (new) passwords themselves, they won't.


How about emailing a generated password on registration (in the activation email)?


Don't expect users to come up with good (new) passwords themselves, they won't.


I always change the password to something easier for sites that do that.


SMS: It's just too costly and too involved to be a standard feature. It may make a nice mod but generally we're looking to lower the bar for registration and I think requiring a mobile phone number will put people off. For specialised more tolerant communities I'm sure it'd be fine.



This can be optional for new members. Whoever wants to can use SMS notification during the login process.


Nice try with your reverse psychology, but I am still going to get into your site's ACP.




Yes, but with 24 letters in the alphabet and 10 numbers on the numpad (0-9), that leaves the hacker 34 guesses. Oh, and of course there is the ALT symbolism, which leads to 400+ guesses.

For example:
ALT+11=♂

The keyboard is larger than you think :P


This can be optional for new members. Whoever wants to can use SMS notification during the login process.



I don't think anyone has ever suggested that this should be implemented for all members (though I suppose if Lockheed or somebody wanted to run an internal discussion board maybe they would... we should remember that not all boards are the same, it turns out some people like to discuss things more important than food or cars or whatever). I'd love 2-factor authentication for ACP access, and I could imagine requiring all mods, or maybe just all managers to use it.

  • 3 months later...

I am really interested in having higher security in IPBoard as I am interested in purchasing it but would want to assure my members that their passwords were safer than on a lot of the forums out there that are being hacked recently.

There is a way to have "password strategies", which I have used when developing applications using another PHP framework:

https://github.com/phpnode/YiiPassword

Is the plugin API for IP good enough that this could be implemented as a plugin?


Archived

This topic is now archived and is closed to further replies.
