red1
Junior Member
355 Posts
Posted - 06 May 2003 : 18:18:24

Or instead of displaying the login name, you can display the real name.

sfield
Starting Member
1 Posts
Posted - 15 January 2004 : 07:42:15

Hello all from a newbie owner of a website that uses Snitz. After perusing the forums here on the support site, it seems that there are some admin security holes. A couple of them look similar to this topic’s problem.
I came here specifically because I've had a person try to hack in as an admin and even created a new user called Administrator. I didn't say he was a sophisticated hacker!
Ok, so I have the real problem originally asked about in this topic, and I’m not posing an interesting academic security discussion topic. As mentioned, I'm the owner, and not a code tapper, of a site on which at least one person has tried to use the admin user name to gain access. I've a responsibility to keep my site clean, safe, and un-hacked. What I’d like to request is to take this discussion from interesting debate to solution creation.
I need to be able to create a new admin user name and keep it from being posted publicly. Can you help me find this solution? Looking around this site shows me that it is an issue and boards are being hacked with stolen / hacked / figured out / guessed admin passwords. I’ve also seen the posts many of you have placed and many of you have tremendous skills that I’m sure can fix this.
Thank you for your help, Shadd

Regards, sfield

ruirib
Snitz Forums Admin
Portugal
26364 Posts

Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 15 January 2004 : 08:06:53

If you're not sure what version you have or how to find it, just hover your mouse over the powered by logo/text in the bottom right hand corner of your forum and it should be displayed for you.

Kiwihosting.Net - The Forum Hosting Specialists

pweighill
Junior Member
United Kingdom
453 Posts
Posted - 15 January 2004 : 09:11:42

quote: Originally posted by TestMagic
From a theoretical point of view, changing the super admin's login name is simply adding one more hurdle to leap to gain access; i.e., instead of one (the password), there are two. So it would seem logical that if two were better than one, then three would be better than two. And in a sense, the new super admin name would become simply an extension of the password.
Having two passwords is not really much more secure.
Would two passwords of 5 characters each be any more secure than one password of 10 characters?

MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 15 January 2004 : 10:10:42

quote: Originally posted by pweighill
quote: Originally posted by TestMagic
From a theoretical point of view, changing the super admin's login name is simply adding one more hurdle to leap to gain access; i.e., instead of one (the password), there are two. So it would seem logical that if two were better than one, then three would be better than two. And in a sense, the new super admin name would become simply an extension of the password.
Having two passwords is not really much more secure.
Would two passwords of 5 characters each be any more secure than one password of 10 characters?
Nope, on the contrary, two 5 character passwords are very weak compared to one 10 character password. See my previous posts on this area in this topic: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=50416
Let's say these passwords only contain lowercase, uppercase and numeric characters. For the 10 character password this gives us 26+26+10=62 options per position, adding up to 62x62x62x62x62x62x62x62x62x62 = 839.299.365.868.340.224 possible values. For the 2 five character passwords this gives us: 62x62x62x62x62 = 916.132.832 possible values per password, adding up to 1.832.265.664 total values.
Cracking each separate 5 character password will take about a second per password without using a dictionary... (at 1 billion (1.000.000.000) passwords per second). Cracking the 10 character password at the same rate will take about 839.299.365 seconds... that's 26,6 years for ONE password (containing only lowercase, uppercase and numeric characters!). That's a lot more...
Okay... it's true that when you take the _combination_ into account, it will be different... in that case there are 62^5 * 62^5 = 62^10 possible values... and that's _exactly_ the same amount of values as one 10 character password... so it won't improve the security.

portfolio - linkshrinker - oxle - twitter
Edited by - MarcelG on 15 January 2004 10:13:58
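The arithmetic in MarcelG's post above, worked through as an added example that is not part of the thread or of Snitz. It reproduces the 62-symbol alphabet, the 62^5 and 62^10 keyspaces and the 1 billion guesses per second rate from the post, and adds the distinction the post's two halves turn on: the two 5-character secrets only cost 2 x 62^5 guesses when the attacker learns each half separately (a login that answers "unknown user" distinctly from "wrong password" is the usual way that happens); when the form only says pass or fail for the pair, the cost is 62^5 x 62^5 = 62^10, the same as one 10-character password. The function and variable names are this example's own.

```python
# Added example (not from the thread): keyspace and worst-case brute-force time
# for one long secret versus two short ones, as discussed in the post above.
import math

ALPHABET_ALNUM = 26 + 26 + 10      # a-z, A-Z, 0-9, as in the post
GUESSES_PER_SECOND = 1e9           # the rate assumed in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: how many bits an ideal random secret of this shape carries."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust `guesses` candidates at `rate` guesses per second."""
    return guesses / rate


def seconds_to_years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def guesses_two_secrets(alphabet_size: int, len_a: int, len_b: int,
                        independent_feedback: bool) -> int:
    """Worst-case guesses against two secrets of lengths len_a and len_b.

    independent_feedback=True models a system that confirms each part on its own
    (e.g. a login that says 'unknown user' before it ever checks the password), so
    each part is searched separately and the costs ADD.
    independent_feedback=False models a system that only reports pass/fail for the
    pair, so the attacker must search the combined space and the costs MULTIPLY.
    """
    a = keyspace(alphabet_size, len_a)
    b = keyspace(alphabet_size, len_b)
    return a + b if independent_feedback else a * b


def report() -> dict:
    """Summarise the three cases from the post; returned as a dict so it can be checked."""
    one_long = keyspace(ALPHABET_ALNUM, 10)
    two_short_separate = guesses_two_secrets(ALPHABET_ALNUM, 5, 5, independent_feedback=True)
    two_short_combined = guesses_two_secrets(ALPHABET_ALNUM, 5, 5, independent_feedback=False)
    return {
        "one_10_char": one_long,
        "one_10_char_years": seconds_to_years(worst_case_seconds(one_long)),
        "two_5_char_separate": two_short_separate,
        "two_5_char_separate_seconds": worst_case_seconds(two_short_separate),
        "two_5_char_combined": two_short_combined,
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:30s} {value:,.2f}" if isinstance(value, float) else f"{name:30s} {value:,}")
    print(f"entropy of 10 alnum chars: {entropy_bits(ALPHABET_ALNUM, 10):.1f} bits")
```

The defender's takeaway from the `independent_feedback` switch is that the keyspace only multiplies when the system refuses to confirm either half on its own; any error message, timing difference or public member list that reveals the user name collapses the two secrets back into one short one.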
dayve
Forum Moderator
USA
5820 Posts
Posted - 15 January 2004 : 16:37:11

I find this topic amusing. I've been part of the snitz community for a while and still have yet to hear anyone that had their forum cracked using the current configuration with SHA256. Doesn't really seem worth discussing, especially since as an admin of your own Open Source forum, you can change the admin name yourself. Lots of software comes with generic admin names and passwords where you are expected to change them, so why not just change it and be done with it. It is surely NOT a security issue for snitz, but rather the admin who elects to use the product.

MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 15 January 2004 : 16:46:54

dayve, true words indeed! This is not a security issue, this is not a security threat in any way. The issue about someone registering with the name Administrator can be prevented by using the 'User Name Filter' (default Snitz if I'm not mistaken). The password can be changed easily, just as the username.
However, it might be an area of improvement where it concerns the password itself as 'default setting'. It may be wise to make the password policy (how many characters at minimum, all caps/small caps/mixed/numbers etc) a definable option in the admin tools. Just as a built-in function, so the wheel won't have to be invented over and over and over... Just a thought.
portfolio - linkshrinker - oxle - twitter
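One way to build the admin-definable password policy MarcelG suggests above, as an added example that is not Snitz code and does not use Snitz's configuration names. The policy fields (minimum length, which character classes are required, a short blocklist) are this example's own assumptions; the settings dict mimics the string values an admin tool would store, and the checker returns every violation rather than stopping at the first so the user can be told exactly what to change.

```python
# Added example (not Snitz code): a configurable password policy loaded from
# admin settings, plus a checker that lists every violation.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = False
    # Hypothetical blocklist of words the password may not contain (case-insensitive).
    forbidden_words: Tuple[str, ...] = ("password", "admin")

    @classmethod
    def from_settings(cls, settings: Dict[str, str]) -> "PasswordPolicy":
        """Build a policy from string-valued settings such as an admin tool would
        persist; "1"/"0" flags and a comma-separated blocklist. Keys are hypothetical."""
        def flag(key: str, default: bool) -> bool:
            return settings.get(key, "1" if default else "0") == "1"
        words = settings.get("pw_forbidden_words", "password,admin")
        return cls(
            min_length=int(settings.get("pw_min_length", "8")),
            require_lower=flag("pw_require_lower", True),
            require_upper=flag("pw_require_upper", True),
            require_digit=flag("pw_require_digit", True),
            require_symbol=flag("pw_require_symbol", False),
            forbidden_words=tuple(w.strip().lower() for w in words.split(",") if w.strip()),
        )


def check_password(password: str, policy: PasswordPolicy, username: str = "") -> List[str]:
    """Return a list of human-readable policy violations; an empty list means it passes."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_lower and not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    for word in policy.forbidden_words:
        if word in lowered:
            problems.append(f"contains forbidden word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed settings, as an admin might save them; not real Snitz keys.
    policy = PasswordPolicy.from_settings({"pw_min_length": "10", "pw_require_symbol": "1"})
    for candidate in ("admin", "Tr0ub4dor&3", "Correct1Horse"):
        result = check_password(candidate, policy, username="Administrator")
        print(candidate, "->", "ok" if not result else "; ".join(result))
```

Keeping the policy in one frozen object means the registration form, the admin "change password" page and any bulk audit all enforce the same rules, which is the "wheel not reinvented" point of the post.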
taropatch
Average Member
USA
741 Posts
Posted - 15 January 2004 : 16:54:19

quote: Originally posted by dayve
I find this topic amusing. I've been part of the snitz community for a while and still have yet to hear anyone that had their forum cracked using the current configuration with SHA256. Doesn't really seem worth discussing, especially since as an admin of your own Open Source forum, you can change the admin name yourself. Lots of software comes with generic admin names and passwords where you are expected to change them, so why not just change it and be done with it. It is surely NOT a security issue for snitz, but rather the admin who elects to use the product.
This seems to sum it up for me. The subject is slightly alarmist.
I see the point, but it does not seem to be an urgent matter as dayve pointed out. You can certainly hide the superadmin from the members.asp. I recall reading a thread on that too.

neonlys
Starting Member
7 Posts
Posted - 19 January 2004 : 14:06:31

Hi,
I don't see how this could be a security risk in snitz?? Snitz is a messageboard developed to be a MESSAGEBOARD. That means we use the forum to discuss topics, share our interests and have fun meeting new people etc.
This is NOT an FBI, CIA or NSA program written to store top secret information etc. Therefore there's no point in trying to hide admin better.
And when it comes to bruteforce hacking of the forum, why not just add 4-digit security images as an extra option then if you're so afraid of someone hacking your forum??
Even though someone was able to get in and delete the whole forum, most HOSTS take daily backups of their servers, which means that it would be fast to restore the forum again (maybe you have lost a couple of posts or so, but so what?)
No hacking program whatsoever can read and know which number there is on a picture (unless you want to create an FBI like program), and therefore they can't crack the password either. You would have to do that manually, and if you do that then you have MAJOR sparetime problems! :-)
Your intention was good, trying to prevent people from hacking, but it's not a big issue at all. Let's say chances for this kind of successful attempt is 1-10 000 or so (taking some numbers out of the air.)
Best regards, Kriss
