Re: Bcrypt email addresses?

Posted: Fri Aug 24, 2018 12:28 pm
by thecoalman
Mick wrote:
Fri Aug 24, 2018 11:59 am
I wasn’t aware porn was illegal.
The threat was to send the video to my email contacts. :shock: Of course I sent them the money, now they want to put me in contact with some Nigerian Prince.

Re: Bcrypt email addresses?

Posted: Sat Aug 25, 2018 9:48 am
by John connor
I got one of those E-mails once and, as with all spam, I just report it to the spamcop website. If I see a link to their website I report it to the host.

I wonder if it would be possible to PGP the email addresses and the private key could be generated with the chosen Admin's user password. So to gain access to all of the E-mail addresses they'd have to crack the Bcrypted hash of the chosen Admin. No small feat if the password is particularly complex.

I use very complex passwords with the PWDHash add-on in my browser.

Re: Bcrypt email addresses?

Posted: Sat Aug 25, 2018 1:19 pm
by Paul
The password will need to be known to phpBB, so as said before, it doesn't help much because when someone has access to a database, the chance he has access to the files is pretty big.

Re: Bcrypt email addresses?

Posted: Sat Aug 25, 2018 4:41 pm
by John connor
I hate having to repeat myself. Read what I said. I said the password would be based on an Admin account. Since if the Admin account was pretty strong and complex, it would be next to impossible to crack that particular Bcrypt hash. So that Bcrypt hash can be used for the secret key for PGP. I reckon a complexity meter would also need to be added to make sure the password is good enough for Admin usage. No problem for me currently. My Admin password is over 20 characters with upper and lower case letters, numbers and symbols. I have heard however that just one long sentence would be just as good. Sprinkle in a few numbers and letters and you're good to go.

imgettingfedupwiththisorgasim816^&!

Not too shabby I suppose.

Re: Bcrypt email addresses?

Posted: Sat Aug 25, 2018 4:45 pm
by Paul
But phpBB will still need to have the password, in plaintext, somewhere to encrypt it. Email addresses aren't used when the administrator is just online, but they can be sent at any moment, and as such at any moment phpBB needs to be able to encrypt and decrypt addresses, and as such at any moment phpBB needs to have access to the encryption key.

Using a password hash from the database makes that encryption even less useful, as if the database leaks, you have both the encryption key (the hashed password) and the encrypted list of addresses, so it can be decrypted with that information.
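The key-placement point above can be checked concretely. The following Python is an added example, not code from the thread or from phpBB: it builds two toy storage layouts, one where the encryption key is derived from the admin's stored password hash (the scheme proposed earlier in the thread) and one where the key lives in a config file outside the database, and then shows what a database export alone yields in each case. The cipher, the stand-in password hash (PBKDF2 instead of bcrypt) and all sample values are constructed for illustration and are assumptions, not phpBB's actual design.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed sample values (not from the original thread).
ADMIN_PASSWORD = b"correct horse battery staple"
EMAILS = [b"alice@example.com", b"bob@example.com"]


def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with an HMAC-SHA256 keystream; the same call encrypts and decrypts.
    Toy construction for illustration only. Real code would use AES-GCM or similar."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def fake_password_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for the bcrypt hash a forum keeps in its users table (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)


def build_scheme_a(password: bytes) -> dict:
    """Scheme proposed in the thread: the email key is derived from the admin's
    stored password hash. Note that everything needed to decrypt is in the DB."""
    salt = secrets.token_bytes(16)
    pw_hash = fake_password_hash(password, salt)
    key = hashlib.sha256(pw_hash).digest()
    rows = []
    for email in EMAILS:
        nonce = secrets.token_bytes(12)  # fresh nonce per row
        rows.append((nonce, toy_stream_cipher(key, nonce, email)))
    return {"users": {"admin_salt": salt, "admin_hash": pw_hash}, "emails": rows}


def build_scheme_b() -> Tuple[dict, bytes]:
    """Alternative: a random key kept in a config file on disk, never in the DB.
    Returns (database_contents, config_file_key)."""
    key = secrets.token_bytes(32)
    rows = []
    for email in EMAILS:
        nonce = secrets.token_bytes(12)
        rows.append((nonce, toy_stream_cipher(key, nonce, email)))
    return {"emails": rows}, key


def emails_readable_from_dump(dump: dict) -> Optional[List[bytes]]:
    """What a database export alone reveals. In scheme A the key material is in
    the dump itself; in scheme B the dump carries only ciphertext and nonces."""
    users = dump.get("users", {})
    if "admin_hash" in users:
        key = hashlib.sha256(users["admin_hash"]).digest()
        return [toy_stream_cipher(key, nonce, ct) for nonce, ct in dump["emails"]]
    return None  # no key in the dump, so the addresses stay opaque


def decrypt_with_config_key(dump: dict, config_key: bytes) -> List[bytes]:
    """The application's own path in scheme B: DB rows plus the on-disk key."""
    return [toy_stream_cipher(config_key, nonce, ct) for nonce, ct in dump["emails"]]


if __name__ == "__main__":
    dump_a = build_scheme_a(ADMIN_PASSWORD)
    print("scheme A, DB dump only:", emails_readable_from_dump(dump_a))
    dump_b, key_b = build_scheme_b()
    print("scheme B, DB dump only:", emails_readable_from_dump(dump_b))
    print("scheme B, DB dump + config key:", decrypt_with_config_key(dump_b, key_b))
```

Scheme B is only an improvement if the config file is not exposed together with the database, which is exactly the caveat raised earlier in the thread: an attacker with file access as well as database access gets both halves either way.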

Re: Bcrypt email addresses?

Posted: Sun Aug 26, 2018 8:38 am
by thecoalman
John connor wrote:
Sat Aug 25, 2018 4:41 pm
My Admin password is over 20 characters with upper and lower case letters, numbers and symbols. I have heard however that just one long sentence would be just as good. Sprinkle in a few numbers and letters and you're good to go.
Look into Keepass, the only limitations to the complexity and length are what is acceptable for what you are using it for. This is an encrypted file, so if your computer gets stolen it's not a loss. This is a locally stored file, however the file can be stored on the cloud, SFTP etc. so it can be accessed by multiple devices. I'm using a cloud service so I have local copies on each device that are updated when the device is started. The cloud service keeps old copies in case of corruption so I don't end up with a corrupted file across all the devices.

https://keepass.info/

Re: Bcrypt email addresses?

Posted: Sun Aug 26, 2018 8:26 pm
by John connor
I do use Keepass. Both on my computers and on my phone. All machines are already encrypted with Truecrypt and I have mitigated any possible Evil Maid attack. I store the Keepass database in a SFX 7z archive for double the encryption and that is stored on DVD/RW kept in a fireproof safe. It's also uploaded to two cloud providers and my local home FTP server.

Re: Bcrypt email addresses?

Posted: Sun Aug 26, 2018 9:45 pm
by RMcGirr83
:shock: I hope I never get that paranoid.

Re: Bcrypt email addresses?

Posted: Sun Aug 26, 2018 10:03 pm
by canonknipser
Rich, those paranoid people are the very first target for attacks - let him be the canary bird for everyone else ;)

Re: Bcrypt email addresses?

Posted: Sun Aug 26, 2018 10:25 pm
by Dan Stylez
John connor wrote:
Sat Aug 25, 2018 4:41 pm
My Admin password is over 20 characters with upper and lower case letters, numbers and symbols. I have heard however that just one long sentence would be just as good. Sprinkle in a few numbers and letters and you're good to go.
That's pretty long, do you actually remember it?

Personally I pick a random car from a car park and use its number plate for a password, reversed, so "KN54 JDR" becomes "JDRkn54". If the car is an SRI I add that on the end: "JDRkn54sri" doesn't take long to remember either.

Re: Bcrypt email addresses?

Posted: Mon Aug 27, 2018 1:24 am
by RMcGirr83
canonknipser wrote:
Sun Aug 26, 2018 10:03 pm
Rich, those paranoid people are the very first target for attacks - let him be the canary bird for everyone else ;)
Each site I use has a different, yet similar password. I use the first four letters in small case for the beginning and then similar text for the remaining.

For example on here, it could be something like this: phpbChomper01!. On another site, say Amazon, it could be amazChomper01!. GitHub, githChomper01! and so forth. Don't have to bother with all that other garbage. ;)

Complete believer and subscriber to the K.I.S.S. principle.

Re: Bcrypt email addresses?

Posted: Mon Aug 27, 2018 1:37 am
by thecoalman
RMcGirr83 wrote:
Mon Aug 27, 2018 1:24 am
Complete believer and subscriber to the K.I.S.S. principle.
With Keepass you only have to click the username box on a page. Switch to Keepass on the taskbar, right click the entry for the site and select autotype. Keepass will minimize to the taskbar, enter the username and password and even hit submit for you. :) I don't even use built-in autocomplete on most sites if they are important, like banking for example.

Re: Bcrypt email addresses?

Posted: Mon Aug 27, 2018 2:46 am
by John connor
canonknipser wrote:
Sun Aug 26, 2018 10:03 pm
Rich, those paranoid people are the very first target for attacks - let him be the canary bird for everyone else ;)
I run a tight ship no matter what I do up to and including my website. Canary?! I'm a wolf amongst sheep.

Re: Bcrypt email addresses?

Posted: Mon Aug 27, 2018 2:48 am
by John connor
thecoalman wrote:
Mon Aug 27, 2018 1:37 am
RMcGirr83 wrote:
Mon Aug 27, 2018 1:24 am
Complete believer and subscriber to the K.I.S.S. principle.
With Keepass you only have to click the username box on a page. Switch to Keepass on the taskbar, right click the entry for the site and select autotype. Keepass will minimize to the taskbar, enter the username and password and even hit submit for you. :) I don't even use built-in autocomplete on most sites if they are important, like banking for example.
Or you can use this: https://github.com/pfn/passifox

I also use PWDhash. Keepass is for other things like Amazon S3 credentials, 2FA backup codes, etc.

Re: Bcrypt email addresses?

Posted: Mon Aug 27, 2018 8:43 am
by AmigoJack
John connor wrote:
Sat Aug 25, 2018 4:41 pm
My Admin password is over 20 characters with upper and lower case letters, numbers and symbols. I have heard however that just one long sentence would be just as good. Sprinkle in a few numbers and letters and you're good to go.
I used to have passwords 40+ characters long, and length is a factor that is proposed by many programs, but sadly it never voids other factors: if I have 40 characters I no longer need numbers and punctuation and whatnot - it simply won't occur in any bruteforce/dictionary attack - but all software nowadays isn't flexible enough to accept this.
John connor wrote:
Sun Aug 26, 2018 8:26 pm
All machines are already encrypted with Truecrypt
You mean all partitions, including the one with the operating system? Consider using Veracrypt for future partitions as it is less vulnerable.
John connor wrote:
Sun Aug 26, 2018 8:26 pm
in a SFX 7z archive for double the encryption
Why SFX? Executing a binary always needs to be considered hazardous. I hope you also store signatures to check against modifications.
John connor wrote:
Sun Aug 26, 2018 8:26 pm
on DVD/RW
Which format? For durability consider using M-DISC.