I know at one time (on most boards not just this one) mods would routinely see your password. Thus you were warned not to use the same one on a board as you did for other things, such as your PayPal account.
But now many boards say their passwords are secure, that they are scrambled at the user’s computer and never appear as plain-text on the board’s server.
Does the current vB code do that?
In the more recent versions of vBulletin, the passwords are stored as encrypted strings and not viewable by the administrators. Moderators were never able to view passwords, AFAIK. The administrators can change your password if you forget it, but once you change it from your user CP, they can’t know what it is. Earlier versions of vB did store your password as plaintext.
Of course, if you choose an easily-guessed password, a clever person could figure it out and gain access to your account. Brute-force crackers might be able to get past it, but the current version makes that difficult by locking out further attempts after 5 failed entries until a specified time period has elapsed.
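As an added illustration of the lockout Q.E.D. describes (example code, not vBulletin's own): a per-account throttle that refuses further attempts after five failures until a window has elapsed. The window length, the account names and the injectable clock are assumptions for the example; the thread does not state vBulletin's actual period. Note that a correct password is refused while the lockout is active, otherwise the lockout would not stop a guesser.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60   # assumed value; the real vBulletin window is not stated


class LoginThrottle:
    """Count failed logins per account and refuse attempts while locked out."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS,
                 clock=time.time):
        self.max_failures = max_failures
        self.lockout = lockout
        self.clock = clock              # injectable so the demo can fake time
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:       # window elapsed: clear the lock and counter
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, password_ok):
        """Return 'ok', 'bad-password' or 'locked' for one login attempt."""
        if self.is_locked(account):
            return "locked"             # refused even if the password is right
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = self.clock() + self.lockout
        return "bad-password"


def simulate():
    """Five wrong guesses, then the right password inside and after the window."""
    now = [1000.0]                      # constructed fake clock
    throttle = LoginThrottle(clock=lambda: now[0])
    results = [throttle.attempt("alice", False) for _ in range(5)]
    results.append(throttle.attempt("alice", True))   # correct, but locked out
    results.append(throttle.attempt("bob", True))     # other accounts unaffected
    now[0] += LOCKOUT_SECONDS
    results.append(throttle.attempt("alice", True))   # window elapsed
    return results
```

Two caveats a practitioner would add: the counter is per account, so it does nothing against an attacker who tries one common password against many accounts, and anyone who knows a user's login name can lock that user out at will.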
slight hijack: QED - why are you not a moderator yet? Oh and Happy Anniversary:)
That’s up to the administration team at this point. I did email an application to TubaDiva some time ago, but haven’t heard anything further. I suppose they’re full up at the moment, and don’t need any more mods. I’m here if they want me.
And thanks for the anniversary congrats.
A long time ago, this board was hacked. They asked us to change our passwords for this board, as well as any others that we used the same password for. I don’t know if:
1. There actually was any danger that the hacker could have gotten our passwords, or they were just being overly cautious. If what Q.E.D. says is true, I imagine it’s the latter.
2. Anything has changed since then.
Note that if a cracker has the set of encrypted passwords and the password encrypting code, they can run an attack (on their own computer) through the list and likely skim off many passwords from that.
One of the classic tools on Unix systems for doing this was “Crack”. It really is a legitimate sysadmin tool. I ran it on a system I was doing “root” work on and found 1/3 of the passwords that way. (Too short, words in the dictionary etc.)
(Because of this, most Unix systems switched to “shadow password files” that aren’t supposed to be world readable. Unfortunately, pretty much any file on a shared system can be read by a determined user anyway, so it really doesn’t help.)
Given the propensity of users to choose really lousy passwords despite gajillions of warnings against that, if someone obtained the SDMB encrypted password file, they could probably find a decent number of member passwords.
So, as to the OP, if you have picked a really good password, you are safe. If you haven’t well…
(Note to mods: I strongly believe that you need to explain to ordinary users exactly why choosing simple passwords is a bad idea.)
Personally, I gave up a long time ago on trying to actually modify people’s security awareness by “convincing” them. I once had an assistant manager, with various management-level privileges in our store computer system, who I actually had to demote because he absolutely would not choose a useful password, leading to repeated security breaches.
I’m a big advocate of programs that are configured to automatically reject stupid passwords. Nothing else will stop people from using their birthdate or something, or even their initials.
Passwords that you should not use include your name, your name spelled backwards (this is NOT clever), your login name/userID, the word “password”, the name of your pet/spouse/child/parent, your address or phone number. Ideally, you should not use ANY word that is found in the dictionary.
A password should be at least 8 characters long, it should include numbers, letters, and if allowed, symbols ($*@#, for instance). Some of the letters should be randomly capitalized, and the numbers, letters, and symbols should be randomly distributed. In short, let your cat make up your password.
As stated above, I cannot see anyone’s password in plain text, the password field is blank when I look at someone’s file. I can change a password or instruct the system to email a user’s password to him or her, though.
Oh, and don’t use Swordfish. EVERYONE guesses Swordfish.
Shit.
This explains certain…um. Well, okay. Lesson learned.
Okay, seriously. Aside from dictionary words, I’d politely add that anyone using arcane Techno-Speak is also courting disaster. No matter what your sub-specialty is, you are probably not the only person to know what the word is and means. I shoulda let the cat pick the password.
Does our software permit the use of &^%(#$(& and such?
Cartooniverse, or should I say, cARtOonIvErse
I guess I need to clarify the parenthetical comment in my last post here.
I was worried that mods might think that I was “helping” crackers obtain people’s passwords. So I wanted to make clear that the intention of my post was so that regular people would understand how easy it is to crack poorly chosen passwords. The “you” in that sentence was a “royal you” (!) and not intended to be addressed to mods personally.
Like Some Guy, I found that one of the most easily broken passwords belonged to a senior computer center employee.
Me: Look, ------, “spring” is not a good password. It’s short, in the dictionary and monocase. And since you have root privileges, this means that everybody on the system is at risk.
Response: blank look.
At the last college I taught at, the most common password was boyfriend’s name. Day 1, CS 101 lab. “Don’t use your boyfriend’s name.” Guess what over half picked?
Same here. I had been part of the staff as a chat host during our last month or so at AOL. Still have my Staff coffee mug.
VB3 uses several MD5 encryptions (or “hashing”, to be more correct) along with a random salt in its password. This makes it quite a bit more secure than Version 2.x, but you still can brute-force crack it. Especially if you can get the password and work with it online, by some sort of SQL injection exploit or cracking the file system or user accounts, or by having helicopter-rappelling ninjas come in through your roof and seizing the server. I don’t know if the encrypted password is stored in the cookie or not with VB3, but the ninjas might know.
My custom recipe and wine review database uses a link to a separate VB2-format (but not the actual table) database table that encrypts/decrypts the passwords as needed. Then I rotate and re-encrypt things with a custom encryption algorithm I wrote so someone having access to the one table can’t do anything with it to affect my board. Safety first, middle, and last.
In theory you could spend time offline cracking passwords once you got the encrypted text, but there are a few steps in the security breach chain that have to happen. It’s likely easier to fall prey to a keylogger trojan or sniffer than anything else.
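The offline attack ftg describes (Crack run against a stolen password file) and the salted, doubly-hashed vB3 scheme Una mentions, combined into one added example (not vBulletin's own code, and not the thread's). The composition md5(md5(password) + salt) is the widely documented vBulletin 3 construction, taken here as an assumption, as is the three-character salt; the user names, passwords and word list are constructed. It shows that the salt forces the attacker to hash every candidate once per user rather than once for the whole table, but with MD5 that is cheap, so the weak passwords still fall.

```python
import hashlib
import secrets
import string

SALT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def vb3_hash(password, salt):
    """md5(md5(password) + salt), hex-encoded: the assumed vB3 construction."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def new_salt(length=3):
    """Per-user random salt (length assumed; stored beside the hash)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def candidates(words):
    """Dictionary words plus the mangling rules users actually apply."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w[::-1]                      # "this is NOT clever"
        for suffix in ("1", "123", "2004"):
            yield w + suffix
            yield w.capitalize() + suffix


def crack(user_table, words):
    """Offline attack over stolen (user, salt, hash) rows.

    Because each row has its own salt, every candidate must be re-hashed for
    every user; no precomputed table serves the whole file.
    """
    found = {}
    for user, salt, digest in user_table:
        for cand in candidates(words):
            if vb3_hash(cand, salt) == digest:
                found[user] = cand
                break
    return found


# Constructed sample "stolen" table: names and passwords are invented.
SAMPLE_USERS = {
    "alice": "spring",          # dictionary word, monocase
    "bob": "Swordfish1",        # capitalised dictionary word plus a digit
    "carol": "gnirps",          # dictionary word spelled backwards
    "dave": "gZ7#qLw2!vRp",     # random: should survive this attack
}
WORDLIST = ["spring", "swordfish", "password", "monkey", "dragon"]


def build_table(users=SAMPLE_USERS):
    """What the attacker steals: user, salt and hash, but never the password."""
    rows = []
    for user, password in users.items():
        salt = new_salt()
        rows.append((user, salt, vb3_hash(password, salt)))
    return rows
```

The attack only needs what the database row already contains; the salt is not a secret, it just defeats sharing work between rows. The defence is on the user's side of the table: dave's password is not reachable by any dictionary-plus-mangling run of this kind.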
This implies two very startling facts:
1: Over half of your CS students are of a gender and orientation as to have boyfriends.
2: Over half of your CS students have a social life
I’m not sure which I find more surprising.
As for security of passwords, it depends on how important the thing is you’re protecting. Way back when I first joined this board, I just used my birthdate for my password, since the worst that could happen would be that someone would make a post in my name (which the mods could clear up, with a few e-mails), and I wasn’t likely to be a target anyway. But once I was in the running for a mod position, I immediately changed it to something secure (see Lynn’s rules).
Actually, Chronos, I was paraphrasing the rules that YOU had taught ME. I just injected the “let your cat make up your password” and “swordfish” bits.
Just a quick warning. One time I changed my SDMB password to something chock full of symbols, and one or two of them made it physically impossible to input my password. I remember it was 10 characters long, but after I submitted it, it said it was the wrong password, and it only had six asterisks in the box! I had to email an administrator and ask for it to be changed. I don’t know which ones actually caused the problem, but nowadays I stay away from the symbols that are used specially in system strings: slash, backslash, quote, apostrophe, asterisk, and maybe even exclamation and question.
Testing:
KiLlhuMan
sHaVeDOgg
fisshes
:eek:
My students were minority females. And, well, I’m neither. So quite a bit different crowd from the usual stereotype, in more ways than just social life. Since they had no interest in getting into the internals of systems, this made them naive on security. But many of them were top-notch people, just not in the typical way.
It was an “interesting experience”, but after several years I desired something less “interesting” (plus higher pay and less work). Just in time for the dot.com bubble to burst. Oh, well.
Alarm bells start ringing at this point. As a general rule, never, EVER write your own custom encryption algorithms. It’s deceptively hard to do and often, you can end up making things LESS secure with your homebrew, fancy algo. Go with tried and true implementations which have withstood a thousand eyeballs instead.
If the algorithm I use is a meta-algorithm (encrypting previously encrypted data done under a known, standard algorithm) I fail to see how it somehow becomes less secure. In fact, if that were true then codes could be compromised by simply re-encrypting them.
I think perhaps you mis-read, or I wasn’t clear; each is as likely. I use the standard vB MD5 algorithms, then I apply on top of that an additional encryption that I made myself. Is my algorithm good? Well, it’s a simple one-time pad generated from a composite set of algebraic forms of some differential equations that have special meaning to me. One-time pads can be very good and typically only lend themselves to brute-force cracking AFAIK.
Una Persson, your reply, instead of allaying fears, actually increases my fears. You call something a “one time pad” that most obviously isn’t one in the slightest. A one time pad is generated from a purely random source. It’s also used “one time”, and I don’t see how that can possibly be of use in password encrypting.
Secondly, while many people believe that cascading encryption algorithms is a universally good thing, it frequently isn’t done right and things are made worse.
In designing rock solid cryptographic software, in addition to the encryption scheme used, a lot of concern is needed about how and where critical info is stored during the execution of the program. Is the key stored in memory? On the disk? Visible on the command line for someone doing a “ps” (or equiv.), etc.?
So in the case of cascading algorithms, how the data is kept secure while it is being passed from the first program to the second is a major concern.
Keep in mind the professional cryptographers and computer security experts know a tremendous number of amazingly obscure tricks that can be applied that even seasoned programmers don’t know about.
(This may start off looking like bragging, but I’m actually making the opposite point.)
One week after RSA encryption was invented I was on a long ride in the back seat of a car with R and A. I have been an eyewitness to some of the major developments in recent years in cryptography. I have written papers on Algorithmic Information Theory, one of the cornerstones of cryptography.
But I know that compared to the real experts I am still a bench warmer at a rookie league farm team.
You really need to take Shalmanese’s post to heart.
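To make ftg's objection concrete, an added example (not Una's actual scheme, whose details are not in the thread): a simplified model in which a fixed pad, derived deterministically from some secret formula, is XORed over every stored hash. Because one pad covers every record, a single known plaintext (an attacker's own account, whose hash they can compute from their own password) recovers the pad and strips it from everyone else's record. The secret, user names and hashes are constructed; the derivation function is a stand-in, not a claim about the real one.

```python
import hashlib
import os


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def derive_pad(secret, length):
    """Expand a fixed secret into a 'pad' (stand-in for a pad computed from a
    private formula).  Deterministic and reused across records: not a one-time pad."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_table(hashes, pad):
    """Apply the same pad to every user's 16-byte MD5 digest."""
    return {user: xor_bytes(bytes.fromhex(h), pad) for user, h in hashes.items()}


def attack(ciphertexts, attacker, attacker_hash_hex):
    """Known-plaintext: the attacker knows their own hash, XORs it against their
    own record to get the pad, then decrypts every other record with it."""
    pad = xor_bytes(bytes.fromhex(attacker_hash_hex), ciphertexts[attacker])
    return {user: xor_bytes(c, pad).hex() for user, c in ciphertexts.items()}


# Constructed sample: the plain MD5 digests a vB2-style table would hold.
SAMPLE_HASHES = {
    "alice": hashlib.md5(b"spring").hexdigest(),
    "bob": hashlib.md5(b"swordfish").hexdigest(),
    "mallory": hashlib.md5(b"my-own-password").hexdigest(),
}


def demo_fixed_pad():
    """Reused pad: mallory recovers everyone's hash from her own account alone."""
    secret = b"differential-equation-output (constructed)"
    pad = derive_pad(secret, 16)
    table = encrypt_table(SAMPLE_HASHES, pad)
    return attack(table, "mallory", SAMPLE_HASHES["mallory"])


def demo_fresh_pads():
    """A genuinely random pad per record defeats the trick, but each pad must then
    be stored next to its record, where whoever stole the table reads it too."""
    pads = {user: os.urandom(16) for user in SAMPLE_HASHES}
    table = {user: xor_bytes(bytes.fromhex(h), pads[user])
             for user, h in SAMPLE_HASHES.items()}
    attempt = attack(table, "mallory", SAMPLE_HASHES["mallory"])
    with_stored_pads = {user: xor_bytes(c, pads[user]).hex()
                        for user, c in table.items()}
    return attempt, with_stored_pads
```

The second function is the other half of ftg's point: the only way to make the pad "one time" is a fresh random pad per record, and a pad the server must keep in order to check logins is just another column in the table that was stolen. The layer adds nothing an attacker with the table cannot undo; the hashes underneath are exactly as crackable as before.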