phpBB password auditing tools?

thenickdude
Registered User
Posts: 16
Joined: Mon Nov 17, 2008 6:28 am

phpBB password auditing tools?

Post by thenickdude » Sat Jun 19, 2010 1:48 am

Hi there everyone,

I'm the administrator of a large phpBB forum. We started logging failed login attempts on our forum last year. We've been using the logs to identify accounts which have been suffering password-guessing attacks, and find people who are trying to guess passwords. This is distressingly common. We have reCAPTCHA appearing after 3 failed login attempts which slows attackers down enough to basically stop them. However, they can make 3 attempts each on many different accounts in a session and compromise a significant proportion of accounts. Our users are terrible at picking secure passwords. We haven't seen anyone using an automated tool to compromise accounts, these are people attacking it manually.

Are there any tools we can use to audit our phpBB user passwords? We only really need to have it try 10-100 different passwords for each user to weed out the very worst passwords (like "password1" or "abcd1234"). We can then PM these users and get them to improve their account security. If not, I'll write it myself, just checking if there is something already available :)
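An offline audit of the kind asked about here, as an added example that is not code from the thread or from phpBB itself. It assumes phpBB 3.0's storage format: phpass "portable" hashes ("$H$", one cost character, an 8-character salt, then 22 characters encoding an iterated MD5), re-implemented in Python rather than PHP so it can run stand-alone against an exported copy of the users table. The user records and the candidate list are constructed for the example (they are not the figures from the study cited later in the thread), and phpBB 3.1 and later store bcrypt hashes, which this does not handle. Treat the exported hashes as sensitive, run the audit on a copy, and never drive it through the live login form.

```python
"""Offline audit of phpBB 3.0 password hashes against a short weak-password list.

phpBB 3.0 stores each password as a phpass "portable" hash:
"$H$" + 1 cost character + 8-character salt + 22-character encoding of an
iterated MD5.  Re-creating that hash for a handful of candidates per user
is the 10-100 guess audit asked about above.  Run it on an exported copy
of the users table, never through the live login form.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes) -> str:
    """phpass's own base64 variant (not RFC 4648): 6-bit groups, little-endian."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Re-create a phpass portable hash for `password` using the cost and
    salt taken from `setting` (a stored hash, or just its 12-char prefix)."""
    if setting[:3] not in ("$H$", "$P$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("cost out of range")
    salt = setting[4:12].encode("ascii")
    if len(salt) != 8:
        raise ValueError("salt too short")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):          # phpBB 3.0 uses "$H$9": 2048 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def audit(users: dict, candidates: list, max_guesses: int = 100) -> dict:
    """Return {username: matched password} for every account whose stored hash
    matches one of at most `max_guesses` candidates.  Guesses derived from the
    username go first, then the common-password list, duplicates skipped."""
    weak = {}
    for name, stored in users.items():
        tried = set()
        for guess in [name.lower(), name.lower() + "1", *candidates]:
            if guess in tried:
                continue
            if len(tried) >= max_guesses:
                break
            tried.add(guess)
            if phpass_hash(guess, stored) == stored:
                weak[name] = guess
                break
    return weak


# --- constructed sample data (not from the thread or from any real board) ---
def _constructed_hash(password: str, salt8: str) -> str:
    return phpass_hash(password, "$H$9" + salt8)


SAMPLE_USERS = {
    "alice": _constructed_hash("123456", "abcdefgh"),
    "bob":   _constructed_hash("bob1", "ijklmnop"),
    "carol": _constructed_hash("correct horse battery staple", "qrstuvwx"),
    "dave":  _constructed_hash("password1", "yz012345"),
}

# Illustrative list only; a real audit would use the top entries of a leaked-password study.
COMMON_PASSWORDS = ["123456", "12345", "123456789", "password", "iloveyou", "princess",
                    "1234567", "12345678", "abc123", "qwerty", "password1", "abcd1234"]

if __name__ == "__main__":
    print(audit(SAMPLE_USERS, COMMON_PASSWORDS))                 # {'alice': '123456', 'bob': 'bob1', 'dave': 'password1'}
    print(audit(SAMPLE_USERS, COMMON_PASSWORDS, max_guesses=3))  # {'alice': '123456', 'bob': 'bob1'}
```

The `max_guesses=3` call models what the thread describes: an attacker who gets three tries per account before the CAPTCHA and simply tries the same three guesses on every account. At 2048 MD5 rounds per guess the full 100-guess audit costs a few seconds per thousand users in pure Python, so it is cheap to run on a schedule.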

EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Re: phpBB password auditing tools?

Post by EXreaction » Sat Jun 19, 2010 3:13 am

Sorry, but you won't receive support on how to reverse-engineer or record plaintext passwords.

You can use the password minimum requirements settings to make your users use more secure passwords.

thenickdude
Registered User
Posts: 16
Joined: Mon Nov 17, 2008 6:28 am

Re: phpBB password auditing tools?

Post by thenickdude » Sat Jun 19, 2010 6:34 am

The password minimum requirements are not useful. If we require people to have a number, they will add a "1" at the end. If we require mixed case, the first letter will be a capital. Nobody will remember a password that includes symbols. And minimum complexity requirements don't help our users who have already signed up.

I'll start writing that auditing tool now.

MasterZ
Registered User
Posts: 712
Joined: Wed Sep 24, 2003 5:33 am

Re: phpBB password auditing tools?

Post by MasterZ » Sat Jun 19, 2010 8:33 am

One idea is to make a script that compares an entered password (when changing passwords or signing up) to a list of weak passwords, and then if it fails do not let the user change to that password. Should be a fairly simple script to make. Then all you have to do is run another script that sets the password expiration date on everyone's account, forcing them to change their password, which would be checked against your list. This way you are not "auditing" the passwords, but just ensuring that the passwords entered are not easily guessed passwords.

The thing about brute forcing accounts like that, is if someone finds a list of usernames (which is easy to do) then they can just try the 3 most common passwords on each account, someone is bound to be using one...

thenickdude
Registered User
Posts: 16
Joined: Mon Nov 17, 2008 6:28 am

Re: phpBB password auditing tools?

Post by thenickdude » Sat Jun 19, 2010 8:49 am

That's a good idea, MasterZ. I would like to see a dictionary check added to the password minimum requirements system - I'll check if there is a mod for that.

The problem with expiring our users' passwords is that a non-zero (and possibly large) proportion of them don't know their passwords. They actually rely on the "remember me on this computer" option and so log into the forum about every six months whether they're active every day or not... :). We don't currently validate email addresses on signup, so a large percentage of them also have invalid board email addresses. That makes regaining access to their accounts very difficult when the "remember me" system fails (or their password gets expired).

MasterZ
Registered User
Posts: 712
Joined: Wed Sep 24, 2003 5:33 am

Re: phpBB password auditing tools?

Post by MasterZ » Sat Jun 19, 2010 8:55 am

thenickdude wrote: That's a good idea, MasterZ.
Thanks :D
thenickdude wrote: I would like to see a dictionary check added to the password minimum requirements system - I'll check if there is a mod for that.
That would be a nice MOD... If I didn't have so many unfinished on my plate I would even consider doing that one. :D
thenickdude wrote: The problem with expiring our users' passwords is that a non-zero (and possibly large) proportion of them don't know their passwords. They actually rely on the "remember me on this computer" option and so log into the forum about every six months whether they're active every day or not... :). We don't currently validate email addresses on signup, so a large percentage of them also have invalid board email addresses. That makes regaining access to their accounts very difficult when the "remember me" system fails (or their password gets expired).
Well to that I say that's what the "forgot password" is for, and if they do not know their email or if they entered the wrong email then this will teach them to make sure it is correct next time. :p

Comkid
Registered User
Posts: 132
Joined: Thu Mar 25, 2010 5:40 am

Re: phpBB password auditing tools?

Post by Comkid » Sat Jun 19, 2010 9:30 am

For the anti-dictionary, would you think it'd be better to remove the numbers and special characters when checking or leave them, for example:

    pass

    pass1

    p1a2s3s4

Do you think the anti-dictionary should stop all three, or which ones?

MasterZ
Registered User
Posts: 712
Joined: Wed Sep 24, 2003 5:33 am

Re: phpBB password auditing tools?

Post by MasterZ » Sat Jun 19, 2010 9:37 am

A traditional "smart dictionary" hack goes through the set of words replacing common numbers for letters (0 for o, 3 for e, etc) as well as adding just a few digits to the end (single digit, or "123").

Could just make a list of common words, all lowercase, then convert the password entered to lowercase just for your check to reduce strain on the server (vs. having to go through each letter capitalized) and then have the script automatically add the numbered versions of words to the array that you are checking.

I do not see how you will do this without having a large strain on the server....
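One way to implement the blocklist check Comkid and MasterZ discuss, as an added example that is not code from the thread or a phpBB MOD, written in Python rather than PHP. It turns MasterZ's idea around: instead of expanding the word list with every digit suffix and leet variant (the part that would strain the server), it normalises the submitted password down to a few candidate base words and looks those up in a set, so the cost is a handful of O(1) lookups however large the list is. That answers Comkid's question for all three of "pass", "pass1" and "p1a2s3s4", and it also refuses passwords built from the username. The leet table and the word list are constructed for the example; a real deployment would load a few thousand entries from a file.

```python
"""Registration-time weak-password check of the kind discussed above.

Instead of expanding the word list with every digit suffix and leet
variant (the part that strains the server), normalise the *submitted*
password down to a few candidate base words and look those up in a set.
That is a handful of O(1) lookups per password however long the list is.
"""
import re

# Common leet substitutions, undone when normalising.  Constructed for the
# example; extend as needed ("1" could also stand for "l", which this ignores).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Illustrative list only; a real deployment loads a few thousand entries from a file.
WEAK_WORDS = {"pass", "password", "letmein", "qwerty", "welcome", "dragon",
              "monkey", "football", "iloveyou", "123456", "abc123"}

_EDGE_NON_LETTERS = re.compile(r"^[^a-z]+|[^a-z]+$")
_NON_LETTERS = re.compile(r"[^a-z]")


def base_forms(password: str) -> set:
    """Candidate base words for `password`: lowercased as typed; with leading/
    trailing digits and symbols trimmed ("pass1" -> "pass"); with leet undone
    on the trimmed form ("p455w0rd!" -> "password"); and with every non-letter
    removed ("p1a2s3s4" -> "pass")."""
    p = password.lower()
    trimmed = _EDGE_NON_LETTERS.sub("", p)
    forms = {p, trimmed, trimmed.translate(LEET), _NON_LETTERS.sub("", p)}
    forms.discard("")
    return forms


def is_weak(password: str, username: str = "", min_len: int = 6) -> tuple:
    """Return (weak, reason).  Dictionary checks run before the length check so
    the reason tells the user *why* "pass1" was refused, not just that it was short."""
    forms = base_forms(password)
    if username and username.lower() in forms:
        return True, "based on username"
    hits = forms & WEAK_WORDS
    if hits:
        return True, "based on common word '%s'" % sorted(hits)[0]
    if len(password) < min_len:
        return True, "too short"
    return False, ""


if __name__ == "__main__":
    for pw in ["pass", "pass1", "p1a2s3s4", "P@$$w0rd!", "Tr0ub4dor&3",
               "correct horse battery"]:
        print(pw, is_weak(pw))
```

Hooking this into the registration and change-password paths is the cheap half of MasterZ's plan; the blocklist approach (rather than composition rules) is also what NIST SP 800-63B recommends today. Whether to force existing accounts through it by expiring passwords is the trade-off thenickdude raises next.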

Marshalrusty
Project Manager
Posts: 29247
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Re: phpBB password auditing tools?

Post by Marshalrusty » Sat Jun 19, 2010 1:47 pm

A while ago, I found out that my mother used her maiden name as a password. Naturally, I made her change it because that's one of the first things I would try. Keep in mind though, that I would have gone through quite a few other things before coming to her maiden name. I can't imagine how long it would have taken with the 3-attempt => CAPTCHA condition.

Even using alphanumeric lowercase characters, the number of possible combinations with 6 characters is 36^6, which is 2,176,782,336. I really couldn't imagine that all of your users would all be selecting from the same pool of 1000 passwords (which is what would be necessary to make them guessable).

What you should do is add a note to the registration page asking users to select strong passwords. Raise the required length to 9 (there are fewer words with 9 characters) which will force everyone to get creative. Also post a topic on the board about this. The senior users are the ones likely getting targeted most, so they are the ones you should be focusing on educating.

MasterZ
Registered User
Posts: 712
Joined: Wed Sep 24, 2003 5:33 am

Re: phpBB password auditing tools?

Post by MasterZ » Sat Jun 19, 2010 5:31 pm

Or just use phpBB OpenID :D There are some providers that have strong authentication methods such as three factor authentication (https://pip.verisignlabs.com). Then I just need to make the MOD force the users to use one of the stronger OpenID providers... :D

ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith

Re: phpBB password auditing tools?

Post by ToonArmy » Sat Jun 19, 2010 10:24 pm

I've never used it but you should take a look at the PHP crack extension.
MasterZ wrote:Then I just need to make the MOD force the users to use one of the stronger OpenID providers... :D
Defeating the whole 'Open' part in OpenID. ;)

igorw
Former Team Member
Posts: 8024
Joined: Fri Dec 16, 2005 12:23 pm
Name: Igor Wiedler

Re: phpBB password auditing tools?

Post by igorw » Sat Jun 19, 2010 11:29 pm

Marshalrusty wrote:Raise the required length to 9 (there are fewer words with 9 characters) which will force everyone to get creative.
Interestingly, if a large portion of users use real words for passwords this would actually make a remote dictionary attack more likely to succeed.

MasterZ
Registered User
Posts: 712
Joined: Wed Sep 24, 2003 5:33 am

Re: phpBB password auditing tools?

Post by MasterZ » Sun Jun 20, 2010 12:10 am

ToonArmy wrote:Defeating the whole 'Open' part in OpenID. ;)
OpenID is awesome... I do not think I would change anything about it. Having a decentralized authentication provides a trusted, redundant authentication system for little to no cost. It also provides the ability to be more secure than standard websites would normally use. By using verisign for my OpenID provider means that any website/forum I sign up to using OpenID is automatically using 3 factor authentication. Something that would otherwise be unavailable to me without OpenID.

thenickdude
Registered User
Posts: 16
Joined: Mon Nov 17, 2008 6:28 am

Re: phpBB password auditing tools?

Post by thenickdude » Sun Jun 20, 2010 2:11 am

Marshalrusty wrote:A while ago, I found out that my mother used her maiden name as a password. Naturally, I made her change it because that's one of the first things I would try. Keep in mind though, that I would have gone through quite a few other things before coming to her maiden name. I can't imagine how long it would have taken with the 3-attempt => CAPTCHA condition.
The thing is, if you're not after a specific account then you can just try the 3 most common passwords on many accounts. Check out the list of most common passwords here from a study of 100,000 leaked passwords: http://blog.jimmyr.com/Password_analysi ... 8_2009.php . Note that the password "123456" is used by 3% of users and that the 10 most common passwords are together used by 11% of users!
Marshalrusty wrote: Even using alphanumeric lowercase characters, the number of possible combinations with 6 characters is 36^6, which is 2,176,782,336.
Yes, random passwords are definitely unguessable.
Marshalrusty wrote: What you should do is add a note to the registration page asking users to select strong passwords. Raise the required length to 9 (there are fewer words with 9 characters) which will force everyone to get creative. Also post a topic on the board about this. The senior users are the ones likely getting targeted most, so they are the ones you should be focusing on educating.
Actually, our forum accounts are attached to a game. In our game, each account has a random chance of getting something really valuable, so each account has a similar value. They aren't being attacked to forge their identities, they're being attacked to steal their stuff :). The most vulnerable are also the ones who are least likely to comply with any of our security advice.

thenickdude
Registered User
Posts: 16
Joined: Mon Nov 17, 2008 6:28 am

Re: phpBB password auditing tools?

Post by thenickdude » Sun Jun 20, 2010 2:12 am

MasterZ wrote:Or just use phpBB OpenID :D There are some providers that have strong authentication methods such as three factor authentication (https://pip.verisignlabs.com). Then I just need to make the MOD force the users to use one of the stronger OpenID providers... :D
I love OpenID but our users could never figure it out. They are mostly young teens :).
