Site Security

Discussion in 'Shelter Releases' started by Tuckerfan, Jan 7, 2014.

Thread Status:
Not open for further replies.
  1. Tuckerfan

    Tuckerfan BMF Staff Member Moderator

    One of the message boards I frequent got hacked, and because they're idiots, it sent them into a panic. One of the comments made by a rational poster there pointed out that the salt used by vB is weak as cricket pee pee. I don't know what Xenforo uses, but I thought, in light of that event, and reading this article, that it might be a good idea to review the security used by WF and give it a tweaking, if it needs it. Now, if you'll excuse me, I have to finish going around and changing all my passwords, just in case mine was one of the ones that got captured. (Not that I use it anywhere else, but better safe than sorry, know what I mean?)
  2. gul

    gul Revolting Beer Drinker Administrator Formerly Important

    That was an interesting article. My own password would have made it through several rounds, but eventually they would have got it toward the end. Of course, the first trick is in obtaining the list from the database. Just some quick googling turned up a fair number of statements that xenforo security is very strong. I suppose people can claim whatever they want, but what I did not find was much in the way of statements bashing the security, so it is likely fairly strong. Ultimately, the greatest security lies in not being an obvious target.
  3. Amaris

    Amaris Guest

    Xenforo uses a double salted hash based on SHA1. That's a step up from single salted MD5, but not by much.
    MD5 is a 128-bit string, while SHA1 is a 160-bit string. The double salted hash adds an extra layer of protection.
    According to XF's guide, we can use SHA256, but it has to be added to the PHP configuration. It depends on how tightly secure you want things. So I'd say XF's security is above standard, though it's been said that SHA1 has flaws of its own. To be honest, they all do, somewhere, so YMMV.
  4. shootER

    shootER Insubordinate...and churlish Administrator

  5. Faceman

    Faceman Negative Creep

    Can you imagine the pandemonium that would ensue if my account was hacked on WF?

    I can't.
  6. Tuckerfan

    Tuckerfan BMF Staff Member Moderator

    I can't post a link to the transcript (as it hasn't been posted yet), but the latest episode of Security Now has lots of good information about improving site security. One idea they mention, which seems like it might be easy to do, is to create dummy accounts with easy-to-crack passwords and have the system set up to alert Admins if anyone attempts to log in using those accounts, since if they're being used, that means there's been a serious breach of board security.
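One way to implement the canary-account alerting described in that post, as an added example that is not part of the original thread or of XenForo. The login log format, the canary account names and the sample log lines are all constructed assumptions; the idea is that nobody legitimate ever logs in as a canary, so any attempt (failed or successful) is worth an admin alert, and a successful one means the weak hash was cracked from a stolen copy of the user table.

```python
import re
from collections import defaultdict

# Hypothetical canary accounts: they exist only in the user table, nobody uses
# them, and their deliberately weak passwords are stored hashed like any other.
CANARY_ACCOUNTS = {"backup_admin", "guest2009"}

# Constructed sample log lines (assumed format: "<ts> login <ok|fail> user=<u> ip=<ip>").
SAMPLE_LOG = """\
2014-01-08T02:11:03Z login ok   user=alice        ip=203.0.113.7
2014-01-08T02:11:09Z login fail user=bob          ip=203.0.113.7
2014-01-08T02:14:41Z login fail user=backup_admin ip=198.51.100.23
2014-01-08T02:14:42Z login ok   user=guest2009    ip=198.51.100.23
2014-01-08T02:15:00Z login ok   user=carol        ip=203.0.113.9
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+login\s+(?P<result>ok|fail)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def canary_hits(lines, canaries=CANARY_ACCOUNTS):
    """Every attempt against a canary account, successful or not, is a hit."""
    return [rec for rec in map(parse_line, lines) if rec and rec["user"] in canaries]

def triage(hits):
    """Group hits by source IP. A success means a canary hash was cracked; a
    failure alone still means the username list is in someone else's hands."""
    by_ip = defaultdict(lambda: {"accounts": set(), "cracked": False})
    for rec in hits:
        entry = by_ip[rec["ip"]]
        entry["accounts"].add(rec["user"])
        if rec["result"] == "ok":
            entry["cracked"] = True
    return {ip: {"accounts": sorted(v["accounts"]), "cracked": v["cracked"]}
            for ip, v in by_ip.items()}

def alert_lines(lines, canaries=CANARY_ACCOUNTS):
    """Admin-facing alert text, one line per offending source IP."""
    out = []
    for ip, info in sorted(triage(canary_hits(lines, canaries)).items()):
        severity = "CRITICAL (hash cracked)" if info["cracked"] else "HIGH (user list leaked)"
        out.append(f"{severity}: {ip} tried canary accounts {', '.join(info['accounts'])}")
    return out

if __name__ == "__main__":
    for line in alert_lines(SAMPLE_LOG):
        print(line)
```

Hooking this into a real board means feeding it the authentication log (or calling the same check from the login handler) and routing the alert lines to the admins by whatever channel they actually watch.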