Bcrypt email addresses?

thecoalman
Community Team Member
Posts: 2796
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Post by thecoalman » Fri Aug 24, 2018 12:28 pm

Mick wrote:
Fri Aug 24, 2018 11:59 am
I wasn’t aware porn was illegal.
The threat was to send the video to my email contacts. :shock: Of course I sent them the money, now they want to put me in contact with some Nigerian Prince.

John connor
Registered User
Posts: 1726
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Post by John connor » Sat Aug 25, 2018 9:48 am

I got one of those e-mails once, and as with all spam I just report it to the spamcop website. If I see a link to their website I report it to the host.

I wonder if it would be possible to PGP the email addresses, with the private key generated from the chosen Admin's user password. So to gain access to all of the e-mail addresses they'd have to crack the Bcrypted hash of the chosen Admin. No small feat if the password is particularly complex.

I use very complex passwords with the PWDHash add-on in my browser.

Paul
Infrastructure Team Leader
Posts: 24598
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Post by Paul » Sat Aug 25, 2018 1:19 pm

The password will need to be known to phpBB, so as said before, it doesn't help much, because when someone has access to a database, the chance he has access to the files is pretty big.
Knock knock
Race condition
Who's there?

My Blog | My Photos | my phpBB Extensions | custom phpBB work & Development

John connor
Registered User
Posts: 1726
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Post by John connor » Sat Aug 25, 2018 4:41 pm

I hate having to repeat myself. Read what I said. I said the password would be based on an Admin account. Since if the Admin account was pretty strong and complex, it would be next to impossible to crack that particular Bcrypt hash. So that Bcrypt hash can be used for the secret key for PGP. I reckon a complexity meter would also need to be added to make sure the password is good enough for Admin usage. No problem for me currently. My Admin password is over 20 characters with upper and lower case letters, numbers and symbols. I have heard however that just one long sentence would be just as good. Sprinkle in a few numbers and letters and you're good to go.

imgettingfedupwiththisorgasim816^&!

Not too shabby I suppose.

Paul
Infrastructure Team Leader
Posts: 24598
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Post by Paul » Sat Aug 25, 2018 4:45 pm

But phpBB will still need to have the password, in plaintext, somewhere to encrypt it. Email addresses aren't used only when the administrator is online; they can be sent at any moment, and as such at any moment phpBB needs to be able to encrypt and decrypt addresses, and as such at any moment phpBB needs to have access to the encryption key.

Using a password hash from the database makes that encryption even less useful, as if the database leaks, you have both the encryption key (the hashed password) and the encrypted list of addresses, so it can be decrypted with that information.
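The following is an added illustration (not code from phpBB or from anyone in this thread) of the exchange above: John connor's proposal to key the e-mail encryption to the admin's Bcrypt hash, and Paul's objection that a database leak then hands over both key and ciphertext. It is written in Python rather than PHP, the bcrypt string, addresses and derivation label are constructed placeholders, and a toy HMAC-based XOR stream cipher stands in for a real authenticated cipher.

```python
"""Design A: key derived from the admin's stored bcrypt hash (the proposal).
Design B: key derived from a secret kept in a file outside the database.
Toy cipher and all sample data are constructed for illustration only."""
import hashlib, hmac, os

# Constructed stand-ins for rows of a leaked phpBB database dump.
ADMIN_PW_HASH = "$2y$10$constructedPlaceholderBcryptHashNotARealOnexxxxxxxxx"
EMAILS = ["alice@example.test", "bob@example.test"]
LABEL = b"phpbb-email-key"  # hypothetical derivation label

def derive_key(secret: bytes) -> bytes:
    # HKDF-style extract step: HMAC(salt=LABEL, ikm=secret) -> 32-byte key.
    return hmac.new(LABEL, secret, hashlib.sha256).digest()

def toy_cipher(key: bytes, data: bytes, nonce: bytes) -> bytes:
    # Toy stream cipher: keystream block i = HMAC(key, nonce || i); XOR is its own inverse.
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def store_rows(key: bytes, emails: list) -> list:
    # What ends up in the database: one (nonce, ciphertext) pair per address.
    rows = []
    for e in emails:
        nonce = os.urandom(12)
        rows.append((nonce, toy_cipher(key, e.encode(), nonce)))
    return rows

def decrypt_rows(key: bytes, rows: list) -> list:
    return [toy_cipher(key, ct, n).decode("utf-8", errors="replace") for n, ct in rows]

def attacker_with_db_dump(rows: list, leaked_admin_hash: str) -> list:
    # The attacker holds only the dump; re-deriving a design-A key from it is free.
    return decrypt_rows(derive_key(leaked_admin_hash.encode()), rows)

def design_a() -> list:
    # Design A: key = f(admin's stored hash). Hash and ciphertexts leak together.
    rows = store_rows(derive_key(ADMIN_PW_HASH.encode()), EMAILS)
    return attacker_with_db_dump(rows, ADMIN_PW_HASH)

def design_b() -> tuple:
    # Design B: key from a config-file secret (simulated), i.e. not in the database.
    key = derive_key(os.urandom(32))
    rows = store_rows(key, EMAILS)
    db_only = attacker_with_db_dump(rows, ADMIN_PW_HASH)  # garbage: key not in dump
    db_and_files = decrypt_rows(key, rows)                 # recovers: phpBB needs this key
    return db_only, db_and_files
```

Design B only moves the problem to the files, which is Paul's second point: the running board must hold the key somewhere it can read at any moment.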

thecoalman
Community Team Member
Posts: 2796
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Post by thecoalman » Sun Aug 26, 2018 8:38 am

John connor wrote:
Sat Aug 25, 2018 4:41 pm
My Admin password is over 20 characters with upper and lower case letters, numbers and symbols. I have heard however that just one long sentence would be just as good. Sprinkle in a few numbers and letters and you're good to go.
Look into Keepass; the only limitations to the complexity and length are what is acceptable for what you are using it for. This is an encrypted file, so if your computer gets stolen it's not a loss. This is a locally stored file, however the file can be stored on the cloud, SFTP etc. so it can be accessed by multiple devices. I'm using a cloud service, so I have local copies on each device that are updated when the device is started. The cloud service keeps old copies in case of corruption, so I don't end up with a corrupted file across all the devices.

https://keepass.info/

John connor
Registered User
Posts: 1726
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Post by John connor » Sun Aug 26, 2018 8:26 pm

I do use Keepass. Both on my computers and on my phone. All machines are already encrypted with Truecrypt and I have mitigated any possible Evil Maid attack. I store the Keepass database in a SFX 7z archive for double the encryption and that is stored on DVD/RW kept in a fireproof safe. It's also uploaded to two cloud providers and my local home FTP server.

RMcGirr83
Recognised Extension Developer
Posts: 20894
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Post by RMcGirr83 » Sun Aug 26, 2018 9:45 pm

:shock: I hope I never get that paranoid.
In times of change, learners inherit the earth, while the learned find themselves beautifully equipped to deal with a world that no longer exists - Eric Hoffer
Former Modifications/Extensions Team Member | My extensions
Appreciate the extensions/mods/support then buy me a beer
All requests for support via PM will be ignored

canonknipser
Registered User
Posts: 1600
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Post by canonknipser » Sun Aug 26, 2018 10:03 pm

Rich, those paranoid people are the very first target for attacks - let him be the canary bird for everyone else ;)
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

Dan Stylez
Registered User
Posts: 152
Joined: Tue Jan 16, 2018 6:17 am

Post by Dan Stylez » Sun Aug 26, 2018 10:25 pm

John connor wrote:
Sat Aug 25, 2018 4:41 pm
My Admin password is over 20 characters with upper and lower case letters, numbers and symbols. I have heard however that just one long sentence would be just as good. Sprinkle in a few numbers and letters and you're good to go.
That's pretty long, do you actually remember it?

Personally I pick a random car from a car park and use its number plate for a password, reversed, so "KN54 JDR" becomes "JDRkn54". If the car is an SRI I add that on the end, "JDRkn54sri". Doesn't take long to remember either.

RMcGirr83
Recognised Extension Developer
Posts: 20894
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Post by RMcGirr83 » Mon Aug 27, 2018 1:24 am

canonknipser wrote:
Sun Aug 26, 2018 10:03 pm
Rich, those paranoid people are the very first target for attacks - let him be the canary bird for everyone else ;)
Each site I use has a different, yet similar, password. I use the first four letters in lower case for the beginning and then similar text for the remaining.

For example on here, it could be something like this: phpbChomper01!. On another site, say Amazon, it could be amazChomper01!. GitHub, githChomper01! and so forth. Don't have to bother with all that other garbage. ;)

Complete believer and subscriber to the K.I.S.S. principle.

thecoalman
Community Team Member
Posts: 2796
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Post by thecoalman » Mon Aug 27, 2018 1:37 am

RMcGirr83 wrote:
Mon Aug 27, 2018 1:24 am
Complete believer and subscriber to the K.I.S.S. principle.
With Keepass you only have to click the username box on a page. Switch to Keepass on the taskbar, right click the entry for the site and select autotype. Keepass will minimize to the taskbar, enter the username and password, and even hit submit for you. :) I don't even use built-in autocomplete on most sites if they are important, like banking for example.

John connor
Registered User
Posts: 1726
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Post by John connor » Mon Aug 27, 2018 2:46 am

canonknipser wrote:
Sun Aug 26, 2018 10:03 pm
Rich, those paranoid people are the very first target for attacks - let him be the canary bird for everyone else ;)
I run a tight ship no matter what I do up to and including my website. Canary?! I'm a wolf amongst sheep.

John connor
Registered User
Posts: 1726
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Post by John connor » Mon Aug 27, 2018 2:48 am

thecoalman wrote:
Mon Aug 27, 2018 1:37 am
RMcGirr83 wrote:
Mon Aug 27, 2018 1:24 am
Complete believer and subscriber to the K.I.S.S. principle.
With Keepass you only have to click the username box on a page. Switch to Keepass on the taskbar, right click the entry for the site and select autotype. Keepass will minimize to the taskbar, enter the username and password, and even hit submit for you. :) I don't even use built-in autocomplete on most sites if they are important, like banking for example.
Or you can use this: https://github.com/pfn/passifox

I also use PWDhash. Keepass is for other things like Amazon S3 credentials, 2FA backup codes, etc.

AmigoJack
Registered User
Posts: 5324
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Post by AmigoJack » Mon Aug 27, 2018 8:43 am

John connor wrote:
Sat Aug 25, 2018 4:41 pm
My Admin password is over 20 characters with upper and lower case letters, numbers and symbols. I have heard however that just one long sentence would be just as good. Sprinkle in a few numbers and letters and you're good to go.
I used to have passwords 40+ characters long, and length is a factor that is proposed by much software, but sadly it never voids the other factors: if I have 40 characters I no longer need numbers and punctuation and whatnot - it simply won't occur in any bruteforce/dictionary attack - but software nowadays isn't flexible enough to accept this.
John connor wrote:
Sun Aug 26, 2018 8:26 pm
All machines are already encrypted with Truecrypt
You mean all partitions, including the one with the operating system? Consider using Veracrypt for future partitions as it is less vulnerable.
John connor wrote:
Sun Aug 26, 2018 8:26 pm
in a SFX 7z archive for double the encryption
Why SFX? Executing a binary always needs to be considered hazardous. I hope you also store signatures to check against modifications.
John connor wrote:
Sun Aug 26, 2018 8:26 pm
on DVD/RW
Which format? For durability consider using M-DISC.
The worst thing about censorship is ███████████
