Could someone with a packet sniffer find out my phpbb pass

MPG187
Registered User
Posts: 519
Joined: Sun Apr 12, 2009 7:39 pm
Location: Operation420.net
Name: Operation 420

Could someone with a packet sniffer find out my phpbb pass

Post by MPG187 »

Could someone with a packet sniffer find out my phpBB password? I am just wary of this. When I sign in, my password isn't sent out in plaintext on the network, is it? I assume and hope that when I type my password a hash of my password is sent out...
phpBB 3.0.4, http://operation420.net/forum, download package from phpBB.com (fresh install), mods installed, British English, MySQL 4.1.14
T0ny
Registered User
Posts: 1383
Joined: Sun Jan 29, 2006 8:42 pm
Location: Lancashire
Name: Tony

Re: Could someone with a packet sniffer find out my phpbb pass

Post by T0ny »

The password is sent in plain text during login
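T0ny's one-line answer is the whole story for plain HTTP. The following is an added example, not code from this thread or from phpBB: it takes a constructed capture of a phpBB login POST (the host, path and form field names are assumptions for the example, and the segments are made up, not a real trace), reassembles the TCP payload the way a sniffer would, and reads the username and password straight out of the form body. Nothing more is needed by anyone who can see the packets.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed capture (not a real packet trace): the TCP payload of a phpBB 3.0 login
# POST over plain HTTP, split into segments the way a sniffer sees it. The host, path
# and form field names are assumptions for this example.
CAPTURED_SEGMENTS: List[bytes] = [
    b"POST /forum/ucp.php?mode=login HTTP/1.1\r\nHost: operation420.net\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 50\r\n\r\n",
    b"username=MPG187&passw",
    b"ord=p%40ss%26word&login=Login",
]


def parse_http_request(stream: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a reassembled request into method, target, headers and the declared body.

    Raises ValueError if the header block or the body is not completely present,
    which is also what happens on a TLS stream: there is no "\\r\\n\\r\\n" to find.
    """
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: header block not terminated")
    lines = head.split(b"\r\n")
    try:
        method, target, _version = lines[0].split(b" ", 2)
    except ValueError:
        raise ValueError("not an HTTP request line") from None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError(f"incomplete body: have {len(rest)} of {length} bytes")
    return method.decode("latin-1"), target.decode("latin-1"), headers, rest[:length]


def extract_login_credentials(segments: List[bytes]) -> Optional[Dict[str, str]]:
    """Reassemble the captured segments and return the submitted username and password.

    Returns None when the request is not a form POST carrying those two fields.
    """
    method, target, headers, body = parse_http_request(b"".join(segments))
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    # parse_qs splits on '&' before percent-decoding, so a '%26' inside the password survives.
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    if "username" not in fields or "password" not in fields:
        return None
    return {
        "target": target,
        "username": fields["username"][0],
        "password": fields["password"][0],
    }


if __name__ == "__main__":
    print(extract_login_credentials(CAPTURED_SEGMENTS))
```

Run against the same login over HTTPS, the captured bytes are TLS records rather than an HTTP request, so `parse_http_request` never finds the header terminator and raises instead of returning a password; that is the practical difference bantu describes later in the thread.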
MPG187
Registered User
Posts: 519
Joined: Sun Apr 12, 2009 7:39 pm
Location: Operation420.net
Name: Operation 420

Re: Could someone with a packet sniffer find out my phpbb pass

Post by MPG187 »

That's not very good, so could someone find out my password?

phpBB should use HTTPS, or at least use checksums...
Lumpy Burgertushie
Registered User
Posts: 69228
Joined: Mon May 02, 2005 3:11 am

Re: Could someone with a packet sniffer find out my phpbb pass

Post by Lumpy Burgertushie »

don't you think that if this was a problem that it would have come up some time in the last 7 or 8 years that phpbb has been around?
robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
ric323
Former Team Member
Posts: 22910
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: Could someone with a packet sniffer find out my phpbb pass

Post by ric323 »

This person would have to be on the same local network as you, and connected via a hub (not a switch or router) so they could see your packets.
The Knowledge Base contains solutions to many common problems!
How to fix "Doesn't have a default value" and "Incorrect string value: xxx for column 'post_text' " errors.
How to do a clean re-install of the latest phpBB3 version.
Problems with permissions? Read phpBB3 Permissions
nuworld
Registered User
Posts: 339
Joined: Sat Oct 17, 2009 8:28 pm

Re: Could someone with a packet sniffer find out my phpbb pass

Post by nuworld »

Like Robert said:
don't you think that if this was a problem that it would have come up some time in the last 7 or 8 years that phpbb has been around?
IMO: if this was/is a problem for you, then there would be a ton of phpBB owners pissed off and their forums being hacked.

Besides, as far as I know your password is saved on your server.
I have been down this road before when I had a member forget their login password and PM me for their password. It can't be done.

I would not worry about it.
The odds of someone getting your password are about the same as the odds of winning the lottery.
MPG187
Registered User
Posts: 519
Joined: Sun Apr 12, 2009 7:39 pm
Location: Operation420.net
Name: Operation 420

Re: Could someone with a packet sniffer find out my phpbb pa

Post by MPG187 »

Lumpy Burgertushie wrote: don't you think that if this was a problem that it would have come up some time in the last 7 or 8 years that phpbb has been around?
That does make sense.

I am running MS Network Monitor and I am seeing packets where my computer is not the source or destination. But I think most of them are ARP which are broadcast, right? So that's normal?
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: Could someone with a packet sniffer find out my phpbb pa

Post by Pony99CA »

MPG187 wrote: That's not very good, so could someone find out my password?

phpBB should use HTTPS, or at least use checksums...
HTTPS? So you want everybody to have to buy a certificate (or use a self-signed one which generates warnings when people access your forum) and then set them up? I've heard setting up SSL is pretty difficult (but I've never tried).

If you have a certificate already, though, you might be able to use HTTPS. Look at the Server protocol setting on the Server settings page.

As for checksums, how would they help? Checksums validate that data (probably) wasn't changed; they aren't a form of encryption.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: Could someone with a packet sniffer find out my phpbb pa

Post by Pony99CA »

ric323 wrote: This person would have to be on the same local network as you, and connected via a hub (not a switch or router) so they could see your packets.
I'm no security expert, but couldn't they also be at the Web server end or anywhere along the route the packets traveled when you pressed the Submit button?

ric323
Former Team Member
Posts: 22910
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: Could someone with a packet sniffer find out my phpbb pa

Post by ric323 »

Pony99CA wrote:
ric323 wrote: This person would have to be on the same local network as you, and connected via a hub (not a switch or router) so they could see your packets.
I'm no security expert, but couldn't they also be at the Web server end or anywhere along the route the packets traveled when you pressed the Submit button?

Steve
I'm assuming the connection is physically secure from your ISP onwards.
If an attacker has physical access to your web server, they don't need to muck around waiting for you to type your password, there are much quicker ways to get in! ;)
MPG187
Registered User
Posts: 519
Joined: Sun Apr 12, 2009 7:39 pm
Location: Operation420.net
Name: Operation 420

Re: Could someone with a packet sniffer find out my phpbb pa

Post by MPG187 »

A checksum would help because instead of submitting the password over the network, the checksum of the password would be sent.
ric323 wrote: If an attacker has physical access to your web server, they don't need to muck around waiting for you to type your password, there are much quicker ways to get in! ;)
That's why you would use a checksum.

In phpbb are users passwords stored in the database as plain text?
ric323
Former Team Member
Posts: 22910
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: Could someone with a packet sniffer find out my phpbb pa

Post by ric323 »

MPG187 wrote: A checksum would help because instead of submitting the password over the network, the checksum of the password would be sent.
That is no help. If this person was able to intercept your "checksum", then they only need to send the same checksum to log in...
In phpbb are users passwords stored in the database as plain text?
No, they are stored using a very complex "hash" function, which cannot be reversed.
See: Knowledge Base - Difference between encryption and hashing
MPG187
Registered User
Posts: 519
Joined: Sun Apr 12, 2009 7:39 pm
Location: Operation420.net
Name: Operation 420

Re: Could someone with a packet sniffer find out my phpbb pa

Post by MPG187 »

When someone signs up, the hash gets stored in the database. So then the hash should be transferred too. Although it would be possible for someone to use the hash to log in, it would make it harder for less skilled users to get in.
ric323
Former Team Member
Posts: 22910
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: Could someone with a packet sniffer find out my phpbb pa

Post by ric323 »

You would then destroy a key step in the password security.
The whole point of using hashes is that even if someone got a copy of the database, they can NOT use the hash as a password, and there is no way to convert the hash into a working password.
bantu
3.0 Release Manager
Posts: 2523
Joined: Mon Jul 10, 2006 9:58 pm
Name: Andreas Fischer

Re: Could someone with a packet sniffer find out my phpbb pa

Post by bantu »

Whether your password is transferred in plaintext or encrypted basically depends on whether you're using an encrypted connection (such as HTTPS, HTTP via SSH would also work :-P, etc.) or not (such as plain HTTP).

The question whether HTTPS is available is handled by the webserver, therefore there is not much phpBB could do to provide HTTPS. phpBB however works with HTTPS, as it does with HTTP.

phpBB 3 uses the Portable PHP password hashing framework to store passwords as hashes in the database.

Hashing on the client side does not work properly, as the hash would become the new plaintext password and it also requires some sort of scripting such as JavaScript to do the hashing. Once intercepted, one can use the hash to login.

To make sure one can only access one site if your password has been intercepted, use common sense and use a different password on every site. Even using HTTPS does not guarantee that your password is completely secure. If an attacker has access to the other side of the encryption channel, such as the webserver on the other side, your password could still be taken as it is plaintext at some point.

However, what phpBB could do (and we're looking into that) is use a full-blown private-public-key mechanism/system like RSA to encrypt the password transfer on login. An example implementation would be jCryption, which is based on jQuery and again requires JavaScript.
Powered by Coffee
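To make the two points bantu and ric323 make concrete (that phpBB stores a salted hash it cannot reverse, and that a hash sent in place of the password simply becomes the password), here is an added example that is not part of this thread and not phpBB's own code. It reimplements, in Python, the portable PHPass hash format phpBB 3.0 stores in the users table: the `$H$` prefix, one character encoding the round count (phpBB 3.0 uses `$H$9`, 2^11 rounds), an 8-character salt, salted iterated MD5, and PHPass' own base64 alphabet, 34 characters in all. It then models two servers: one that hashes the plaintext password it receives and compares, and one that accepts the stored hash directly, as MPG187 proposed. The account name and password are made up.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Alphabet of the portable PHPass hashes phpBB 3.0 stores in the users table.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def _encode64(data: bytes) -> str:
    """PHPass' custom base64: 6 bits per character, no padding, '.' and '/' first."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def _crypt_private(password: str, setting: str) -> Optional[str]:
    """Salted, iterated MD5 as in PHPass' crypt_private(); setting is the 12-char prefix."""
    if setting[:3] != '$H$' or len(setting) < 12:
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:          # same bounds PHPass enforces
        return None
    salt = setting[4:12].encode()
    pw = password.encode('utf-8')
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def phpbb_hash(password: str, salt: Optional[str] = None, count_log2: int = 11) -> str:
    """Hash a new password: '$H$' + round char + 8-char salt + 22-char digest = 34 chars."""
    if salt is None:
        salt = _encode64(os.urandom(6))             # 6 random bytes -> 8 salt characters
    if len(salt) != 8:
        raise ValueError('salt must be 8 characters')
    hashed = _crypt_private(password, '$H$' + ITOA64[count_log2] + salt)
    if hashed is None:
        raise ValueError('invalid round count')
    return hashed


def phpbb_check(password: str, stored: str) -> bool:
    """Verify a plaintext password against a stored 34-character hash (constant-time compare)."""
    if len(stored) != 34:
        return False
    candidate = _crypt_private(password, stored[:12])
    return candidate is not None and hmac.compare_digest(candidate, stored)


class ForumServer:
    """Receives the plaintext password on login and compares it against the stored hash."""

    def __init__(self) -> None:
        self.user_password: Dict[str, str] = {}    # username -> stored hash, as in the DB

    def register(self, username: str, password: str) -> None:
        self.user_password[username] = phpbb_hash(password)

    def login(self, username: str, password: str) -> bool:
        stored = self.user_password.get(username)
        return stored is not None and phpbb_check(password, stored)


class HashAcceptingServer(ForumServer):
    """MPG187's proposal: the client sends the stored hash itself instead of the password."""

    def login(self, username: str, presented: str) -> bool:
        return hmac.compare_digest(self.user_password.get(username, ''), presented)


def replay_demo() -> Dict[str, bool]:
    """Constructed account; shows what an intercepted value buys an attacker in each design."""
    server = ForumServer()
    server.register('alice', 'correct horse battery staple')
    leaked_hash = server.user_password['alice']         # what a database dump would contain

    proposal = HashAcceptingServer()
    proposal.user_password = dict(server.user_password)
    sniffed = leaked_hash       # under the proposal this exact string crosses the wire on login

    return {
        'password_logs_in': server.login('alice', 'correct horse battery staple'),
        'leaked_hash_usable_as_password': server.login('alice', leaked_hash),
        'sniffed_hash_replays_under_proposal': proposal.login('alice', sniffed),
    }
```

With the server hashing what it receives, a copy of the database gives an attacker a string that does not log in and cannot be turned back into the password without guessing it. With the client sending the stored hash, the same string is both what sits in the database and what a sniffer sees, so either leak is a working credential; that is the "key step" ric323 says the proposal destroys.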