Hacking Passwords Question

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.

Post by Kane »

Hi, I have a question.

Don't worry, this thread is not about phpBB security holes. :D

I have a member on one of my forums that had his password cracked a few months ago. He foolishly used the same password on another forum (a non-phpBB forum that didn't encrypt passwords) and the admin/mod of that forum used the password to access this member's account on my forum.

That situation has been sorted out and the member changed his password since then. Now here's my question...

I am logged in on my forum account from both work and home. When I change my password at home I am still logged in at work. Correct?

So wouldn't this mean that even though this member changed his password the culprit still secretly has access to his account??? (Unless he deleted his cookies or logged out)

I'm asking because this member will be made a mod soon.

Post by Draegonis »

Moved.

Post by AsAf92 »

You can change the password of this user through the ACP.

Post by CTCNetwork »

The session he is logged into at work should expire after 3600 seconds (by default). So if it takes less time than that to get from work to home.... :(

This could be resolved by reducing session length - say 1800 instead (in the Admin panel).

But shouldn't he log out when leaving work? Simple matter of security...

Not sure, but it could be that sessions for Mods and Admins are different than other forum users... :?

Post by Kane »

You misunderstood my question. It has nothing to do with work or home, I was just using that as an example.

My question is: if one person gets your password and logs into your account using auto-login, you find out and change your password... does this person still have access to your account?

He's using auto-login and doesn't have to type in the password again.

Would the hacker still have access? If so, what can you do about this problem?

Hacker

Post by CTCNetwork »

Hi,

Ok, does this Hacker post? Or have you seen him on line in the forum?

If yes, you can id the IP address and add it to your block list.

When your user changes the password, if the Hacker is on line in the forum, he can in theory rechange it, as the "old" password was used for his session.

You as Admin can change the user's password and mail it to him. You can check to see if the hacker is on the forum before you do this (and the IP block will help you keep him out).

Hope this helps more. . . :D
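Added example, not part of the thread and not phpBB's own code: a constructed in-memory model of the mitigation for the question asked above, in which a password change revokes the account's other sessions and every auto-login key. The class and method names are assumptions for illustration; `SESSION_LENGTH` uses the 3600-second default quoted in the thread.

```python
import hashlib, hmac, os, secrets

SESSION_LENGTH = 3600  # seconds, the default quoted in the thread

class Forum:
    """Constructed in-memory model of forum logins; not phpBB's code."""
    def __init__(self):
        self.users, self.sessions, self.autologin = {}, {}, {}
        # name -> (salt, hash); sid -> (name, last seen); sha256(key) -> name

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))

    def _start(self, user, now):
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, now)
        return sid

    def login(self, user, password, now, remember=False):
        salt, stored = self.users[user]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None, None
        key = secrets.token_hex(16) if remember else None
        if key:  # auto-login key is stored server-side only as a hash
            self.autologin[hashlib.sha256(key.encode()).hexdigest()] = user
        return self._start(user, now), key

    def session_user(self, sid, now):
        user, last = self.sessions.get(sid, (None, 0))
        if user is None or now - last > SESSION_LENGTH:
            self.sessions.pop(sid, None)  # unknown or idle too long
            return None
        self.sessions[sid] = (user, now)
        return user

    def resume(self, key, now):
        user = self.autologin.get(hashlib.sha256(key.encode()).hexdigest())
        return self._start(user, now) if user else None

    def change_password(self, user, new_password, keep_sid=None):
        self.set_password(user, new_password)
        # Revoke the user's other sessions and all of their auto-login keys.
        self.sessions = {s: v for s, v in self.sessions.items()
                         if v[0] != user or s == keep_sid}
        self.autologin = {h: u for h, u in self.autologin.items() if u != user}
```

Without the two revocation lines in `change_password`, the second login in this model would stay valid until it idled past `SESSION_LENGTH`, and its auto-login key would keep working indefinitely.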