Migration of forum accounts.

Hi all, shiny new layout here...

I am curious though... How did you move all the user accounts with passwords? Shouldn't all that be encrypted and super secret? I know it is only a forum and I'm not sure how the encryption on the passwords works, but I didn't think things like this were possible as a result.

Hardly matters much, still puts a question mark above my head though.

/me

Pre-movement I wondered if passwords would survive. Personally, I think this suggests that passwords are stored in plain text. At the very least, it suggests someone working with the forums can determine any one person's password.

This would be troublesome to me personally, however. After a bunch of "your account has been compromised" emails associated with the Gawker incident, I sleep just fine at night. Thanks to LastPass, every single website I visit has a unique (hard to guess) password.

Should someone login here and start posting on my Arduino Forum account I hope they can answer questions better than me. :wink:

It is unlikely that the passwords are plaintext, and I don't know why moving the forum implies they are. The super secret password list is just applied to the new site, no?

It was never addressed, so I am just speculating.

It just seems strange that moving to a new platform that the same private key (or SALT) is being used here. Maybe it is. If I copy the /etc/passwd file from one computer, I wouldn't expect it to work on another.

In other words, you would say that it makes sense that I have a password hashed with 'x'? "They" move to a new "system" and the passwords in their database are still hashed with 'x'. It doesn't take much math to connect the dots?

I'm not bothered about my arduino forum account being hacked too much (I bet nkcelectronics is slightly concerned though)

It does seem odd that passwords can be moved from one database to another; perhaps an admin could verify what happened? Best practices are possibly not "oh, we just store passwords as plain text in a myPHP server".

Well according to this link on the old forum maker's website passwords are stored hashed.

What is a hash?

A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value.

Ref.

Here are 2 similar passwords and their hashes. Notice how different they are just by changing 1 character. (Capital P)

password1 - 7c6a180b36896a0a8c02787eeafb0e4c
Password1 - 2ac9cb7dc02b3c0083eb70898e549b63

This makes guessing a hashed password almost impossible.

But I did a little research and found that the password is sent to the server before it is hashed rather than being hashed at the browser.

What does this mean? It goes as follows...

You register and when you sign up your password is hashed and stored in a database.
When you sign in your browser sends your user name 'user1' and password 'password1' to the server.
The server hashes your password into a hash that looks like this: 7c6a180b36896a0a8c02787eeafb0e4c
It looks you up in the database by user name and compares the hash to what is stored from when you registered.
If those 2 hashes match then it knows you typed your password right. If not it kicks you out.

So essentially they could be saving your password both hashed or in plain text. You really don't know.

Also the web site is not a secured site. (https) Therefore your user name and password are sent across the internet in plain text. This means any computer or router that it goes through can easily read it. This includes your ISP, the ISP hosting the web site, all the servers the traffic passes through in between and if you are at work your IT department.

The bottom line is you have to trust a lot of people so when you use ANY web site you should never use the same user name / password / email address combination.

I have 3 different user names, 4 different emails and about 8 different passwords I use depending on what I'm logging in to just for these reasons.

Think about this... what email address did you use when you signed up here? If you said Yahoo, Gmail or Hotmail think about this next question carefully. What password did you use? Is it the same one you use to get your email? If so the site admins might be able to get into your email. (I stress MIGHT. I am not accusing anyone of anything, just asking people to think about it for a second.)

I've worked with SMF forums before and I know they encrypt passwords to a hash before storing so I feel safe here but you can never be 100%.

The thing I'd be more worried about is this: Have you ever filled out one of those "What Simpsons character are you?" things and had to give an email and password? Is the password you gave the same you use for that email? Do you know who runs that site? Do you trust them? I sure as hell wouldn't.

For the tl;dr crowd... I'm sure the Arduino staff did/does everything right, but just please be careful out there.
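The register / sign-in / compare procedure described in the post above, and the earlier question of why a user table can be copied to a new platform without anyone knowing the passwords, can both be shown in a few lines. The following is an added example written for this thread; it is not code from the forum software (SMF or otherwise) and does not claim to be the scheme the Arduino forum uses. It reproduces the two unsalted MD5 digests quoted in the post only to show the avalanche effect; the storage scheme it demonstrates (per-user random salt, PBKDF2-HMAC-SHA256, iteration count stored with the row) is an assumed one chosen for illustration. The point it makes: the server only ever stores salt + hash, verifies a login by re-running the same function on what the browser sent, and a migration copies those opaque columns as-is, so logins keep working on the new site without any plain-text password existing anywhere.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# --- The avalanche effect shown in the post (MD5, unsalted) ---------------
# MD5 is reproduced here only because the post quotes MD5 digests; the
# storage scheme further down does not use it.

def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password, as quoted in the post."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def differing_hex_digits(a: str, b: str) -> int:
    """Count positions where two equal-length hex digests differ."""
    return sum(1 for x, y in zip(a, b) if x != y)


# --- Assumed storage scheme (illustrative, not the forum's real one) ------
ITERATIONS = 200_000  # assumed work factor; stored per row so it can change later


def make_record(username: str, password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """What the server writes at registration: never the password itself.

    A random 16-byte salt is generated unless one is supplied (supplying one
    makes the result reproducible in a test).
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "username": username,
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": ITERATIONS,
    }


def verify_login(record: Dict[str, object], password: str) -> bool:
    """Sign-in step from the post: hash what the browser sent and compare.

    The salt and iteration count come from the stored row, so the same
    function is recomputed; compare_digest avoids a timing side channel.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(str(record["iterations"])),
    )
    return hmac.compare_digest(candidate.hex(), str(record["hash"]))


def lookup(table: List[Dict[str, object]], username: str) -> Optional[Dict[str, object]]:
    """Database lookup by user name, as in step 4 of the post."""
    for row in table:
        if row["username"] == username:
            return row
    return None


def migrate(old_table: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Copy the user table to a new platform.

    Nothing is decrypted and nobody learns a password: salt, hash and
    iteration count are opaque columns. The new site can verify logins as
    long as it runs the same KDF with the parameters stored in each row.
    """
    return [dict(row) for row in old_table]


def login(table: List[Dict[str, object]], username: str, password: str) -> bool:
    """Full sign-in as the post describes it: look up, rehash, compare."""
    row = lookup(table, username)
    return row is not None and verify_login(row, password)


if __name__ == "__main__":
    # Constructed sample data: one user on the old forum.
    old_forum = [make_record("user1", "password1")]
    new_forum = migrate(old_forum)
    print("login on old site:", login(old_forum, "user1", "password1"))
    print("login on new site:", login(new_forum, "user1", "password1"))
    print("wrong password   :", login(new_forum, "user1", "Password1"))
    print("hex digits differing between the two MD5 digests in the post:",
          differing_hex_digits(md5_hex("password1"), md5_hex("Password1")))
```

Because the salt is stored beside the hash, the "same SALT on a new system" worry raised earlier in the thread is simply what a migration looks like from the inside: the row carries everything the verifier needs, and nothing in it lets the admins of either site recover the original password.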