Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
forums.gentoo.org password security
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gentoo Forums Feedback
View previous topic :: View next topic  
Author Message
NP-Hardass
Developer
Developer


Joined: 24 Mar 2013
Posts: 15

PostPosted: Sun Mar 24, 2013 1:35 am    Post subject: forums.gentoo.org password security Reply with quote

I just signed up for an account, and noticed that upon registration, my password was emailed in plaintext to me.
That's definitely a major no-no on it's own. But since your system was able to plaintext sent it to me in the first place, I'm going to assume that they are also stored in plaintext... That's pretty bad security wise. Can someone look into this and comment?
Back to top
View user's profile Send private message
jpc22
Apprentice
Apprentice


Joined: 29 Jan 2012
Posts: 195

PostPosted: Sun Mar 24, 2013 1:49 am    Post subject: Reply with quote

Cannot confirm if they are stored in plain text, but i did not pay attention to that when i signed up.

Otherwise i think/hope the rest of gentoo services/features are safer.

Forum password safety is not that much dramatic compared to other stuff that could be compromised like mirrors, but it still needs to be adressed like you pointed out.
Back to top
View user's profile Send private message
Ant P.
Advocate
Advocate


Joined: 18 Apr 2009
Posts: 3130
Location: UK

PostPosted: Sun Mar 24, 2013 1:53 am    Post subject: Reply with quote

It's phpBB 2.0.23. The password is stored as an MD5 hash and only sent back as plaintext because you just submitted it in plaintext.

In short you have nothing to worry about, as long as the URL bar starts with "https:".
Back to top
View user's profile Send private message
NP-Hardass
Developer
Developer


Joined: 24 Mar 2013
Posts: 15

PostPosted: Sun Mar 24, 2013 2:30 am    Post subject: Reply with quote

Thanks for the response :)

From what I've read online, the phpBB 2 systems use an unsalted hash. And we don't force the login to https, nor do we by default link to https from the gentoo.org website. So I think that alone is insufficient to a claim at mitigation.
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 5170

PostPosted: Sat Mar 30, 2013 2:08 pm    Post subject: Reply with quote

Ant P. wrote:

In short you have nothing to worry about, as long as the URL bar starts with "https:".


as long as you don't read that mail from a public wifi :)
just like it's funny to see so many people using mail checker on their laptop and running everywhere with it enable.
Back to top
View user's profile Send private message
zamabe
n00b
n00b


Joined: 21 Aug 2015
Posts: 7

PostPosted: Fri Aug 21, 2015 1:52 am    Post subject: Reply with quote

*grumbles about this still being a thing in 2015*
Back to top
View user's profile Send private message
The Doctor
Veteran
Veteran


Joined: 27 Jul 2010
Posts: 1858

PostPosted: Fri Aug 21, 2015 2:15 am    Post subject: Reply with quote

zamabe wrote:
*grumbles about this still being a thing in 2015*
It isn't like that password is protecting anything important so I'm fine with weaker security here.

If you are suffering from password reuse, you are doing something very wrong.
_________________
First things first, but not necessarily in that order.
Back to top
View user's profile Send private message
zamabe
n00b
n00b


Joined: 21 Aug 2015
Posts: 7

PostPosted: Fri Aug 21, 2015 2:18 am    Post subject: Reply with quote

The Doctor wrote:
...I'm fine with weaker security here.

If you are suffering from password reuse, you are doing something very wrong.

Yay, I'm not.

Shifting the blame of *bad* security to the person who isn't responsible for the security the system employs is ..... illogical and wrong as a point of order.
Back to top
View user's profile Send private message
maruru
n00b
n00b


Joined: 22 Sep 2015
Posts: 9

PostPosted: Tue Sep 22, 2015 6:15 pm    Post subject: Reply with quote

[list]
The Doctor wrote:
zamabe wrote:
*grumbles about this still being a thing in 2015*
It isn't like that password is protecting anything important so I'm fine with weaker security here.

If you are suffering from password reuse, you are doing something very wrong.


Well, it sure is not right to reuse a password. But still... what is wrong with the devs here? I thought Gentoo might rock my Desktop in a world which has become rather aware of security (post-Snowden era). But now I really question the security. If the Gentoo devs can't even manage to bring a bare minimum of security to their web services, how can they garantuee for anything in their Linux distribution?
This is bad. This is a no! Update to a later version of phpBB, switch the forum software or shut it down entirely.
Passwords should always be

  • transmitted via TLS
  • stored in a safe way (e.g. use bcrypt with 10+ iterations)
  • never ever in a million years be sent away from the server in any way


Sorry if this sounds harsh, but I am a developer who is very concerned about the security of sensitive data.
For further info, please visit OWASP and especially the ASVS project over there!

This topic has been open for over 2 years (!) and still no one did the least to improve the situation.
Back to top
View user's profile Send private message
Ant P.
Advocate
Advocate


Joined: 18 Apr 2009
Posts: 3130
Location: UK

PostPosted: Wed Sep 30, 2015 4:53 pm    Post subject: Reply with quote

maruru wrote:
But still... what is wrong with the devs here?

They're massively understaffed and keeping the lights on through charity of others.

Quote:
Update to a later version of phpBB, switch the forum software or shut it down entirely.

And how do you propose they migrate the ~8 million posts and long list of added functionality, given the above point?

Quote:
Sorry if this sounds harsh, but I am a developer who is very concerned about the security of sensitive data.
For further info, please visit OWASP and especially the ASVS project over there!

This topic has been open for over 2 years (!) and still no one did the least to improve the situation.

You're a developer? Patches welcome.
_________________
ebuilds | Perl 6 ebuilds | runit
Back to top
View user's profile Send private message
zamabe
n00b
n00b


Joined: 21 Aug 2015
Posts: 7

PostPosted: Wed Sep 30, 2015 8:40 pm    Post subject: Reply with quote

Ant P. wrote:
Quote:
Sorry if this sounds harsh, but I am a developer who is very concerned about the security of sensitive data.
For further info, please visit OWASP and especially the ASVS project over there!

This topic has been open for over 2 years (!) and still no one did the least to improve the situation.

You're a developer? Patches welcome.

I mean, this person doesn't even need to be a developer. I spent 5 seconds on google to find that the mail template causing this issue is at `language/en/email/*.txt`. In any case, would you mind pointing to where the source for this modified forum is that you suggest random developers submit patches for to make your "put up or shut up" more reasonable?

Ant P. wrote:
Quote:
Update to a later version of phpBB, switch the forum software or shut it down entirely.

And how do you propose they migrate the ~8 million posts and long list of added functionality, given the above point?

Errrrr, your question presumes that doing anything at all requires fundamental changes and schema migration, instead of removal of the existing code which mails a user their plaintext password based on later versions of this version of phpBB, especially since you say that the forum software has already been heavily modified. I don't find this a ridiculous suggestion; even if they still use MD5 for password storage, they're no longer outright leaking the plaintext. Furthermore, phpBB v2 has received patches from its original authors which I don't doubt the devs here have made efforts to incorporate, but the fact that they are still sending passwords in mails suggests that this particular subject has not been given very much time or attention at all. Trying to sweep it back under the rug by suggesting it's too monumental a task isn't helpful.

Ant P. wrote:
maruru wrote:
But still... what is wrong with the devs here?

They're massively understaffed and keeping the lights on through charity of others.

That's a fine point, but suggesting that it is extremely abnormal/irresponsible for devs to ignore, or be unconcerned with, a security oversight like plaintext password leaking for at least two years does not mean that those posing questions about the devs are in any way unreasonable (or demonizing the staff/devaluing their charity/leaving the equivalent of a youtube comment in a flaming paper bag on their doorstep).
Back to top
View user's profile Send private message
szatox
l33t
l33t


Joined: 27 Aug 2013
Posts: 942

PostPosted: Wed Sep 30, 2015 9:23 pm    Post subject: Reply with quote

What if forum accounts are simply not considered very sensitive?
Everything of any importance (and quite some stuff of none) has been posted to be visible to the general public. You compare the account password to a "confidential" label on a briefcase. It might not stop determined offender, but it let's you know you are not supposed to look inside.
And this bad protection is still good enough to stop kids from pulling jokes on us.
Back to top
View user's profile Send private message
desultory
Administrator
Administrator


Joined: 04 Nov 2005
Posts: 8481

PostPosted: Fri Oct 02, 2015 3:57 am    Post subject: Reply with quote

zamabe wrote:
I mean, this person doesn't even need to be a developer. I spent 5 seconds on google to find that the mail template causing this issue is at `language/en/email/*.txt`. In any case, would you mind pointing to where the source for this modified forum is that you suggest random developers submit patches for to make your "put up or shut up" more reasonable?
If you can find "the" file that needs changed in "5 seconds on google" (hint: either you did not, or you cited "it" incorrectly), it should take you at most another 5 seconds to find "it" under gentoo.org, happy Googling.
zamabe wrote:
Ant P. wrote:
Quote:
Update to a later version of phpBB, switch the forum software or shut it down entirely.

And how do you propose they migrate the ~8 million posts and long list of added functionality, given the above point?

Errrrr, your question presumes that doing anything at all requires fundamental changes and schema migration, instead of removal of the existing code which mails a user their plaintext password based on later versions of this version of phpBB, especially since you say that the forum software has already been heavily modified. I don't find this a ridiculous suggestion; even if they still use MD5 for password storage, they're no longer outright leaking the plaintext. Furthermore, phpBB v2 has received patches from its original authors which I don't doubt the devs here have made efforts to incorporate, but the fact that they are still sending passwords in mails suggests that this particular subject has not been given very much time or attention at all. Trying to sweep it back under the rug by suggesting it's too monumental a task isn't helpful.
Did you not read the posts you were replying to? Regardless, let us recap for your benefit: maruru suggested upgrading phpBB, Ant P. pointed out that it is not quite as simple as just running the basic update scripts, you then rail against Ant P.'s comments as though they were (1) directed at you, (2) focused on changing e-mail templates, and (3) somehow not entirely factual; none of which are the case. Kindly take a moment to actually read what you are replying to, everyone involved will benefit, especially you.
zamabe wrote:
Ant P. wrote:
maruru wrote:
But still... what is wrong with the devs here?

They're massively understaffed and keeping the lights on through charity of others.

That's a fine point, but suggesting that it is extremely abnormal/irresponsible for devs to ignore, or be unconcerned with, a security oversight like plaintext password leaking for at least two years does not mean that those posing questions about the devs are in any way unreasonable (or demonizing the staff/devaluing their charity/leaving the equivalent of a youtube comment in a flaming paper bag on their doorstep).
Two years? The forums first went online in April of 2002, the repository containing the sources for the version of phpBB in use on this site has been active since July of 2005, the last time the e-mail templates involved in sending passwords to users were modified at all (for character encoding changes) was in September of 2007. Your urgency and stridency run counter to a rather distinct lack of actual problems caused by those templates in the past 8, 10 or indeed 13 years.

Furthermore, to do the job correctly would require changing templates for all supported languages; we do not have translators for all of those languages (technically, we do not have translators as such for any of them). While automated translations might be an option, if such translations were to be inaccurate it would require a suitably bilingual (at least) individual to effectively file and/or handle the resulting bug report, if it ever actually came.
Back to top
View user's profile Send private message
zamabe
n00b
n00b


Joined: 21 Aug 2015
Posts: 7

PostPosted: Sun Oct 04, 2015 5:42 am    Post subject: Reply with quote

Going to skip over replying point-by-point because now that the "Site Admin" is advocating doing nothing for bogus reasons, this is flat out depressing.

A few things:
Yes, I didn't respond to the comment made and never agreed with the one I supposedly defended, I responded to the direction it leads down.
Good use of sarcasm, I'll try to match.

Onward! Did you miss counting lessons? I'll help you out. If you started the forum at version 2 in 2002, there are the years 2002 to 2015. If you count them one by one, you find there are 13 years this forum has been operational. Is that at least 2 years? (psst, I'll help you cheat: yes) Has this problem existed the entire time? (psst, this whole test is going to be answer A) Is it actually relatively simple to fix? (Remember, all A)

To continue the theme of strong conclusions; Ignoring this thread/bug for at least two years, claiming this isn't a problem, and seriously saying that removing the line which contains the "here is your plaintext password" variable can't reasonably be done without i18n team's worth of submissions is to say that the gentoo project is a ludacris bureaucracy. It makes more sense that the guy with the Site Admin badge can't actually do anything to fix this, and even if they could they don't want to because pointing out that it's been there for a long time as if that's a bad thing is rude.

Hopefully conspiracy-challenge is a good one-up to sarcasm in your post which concludes that "we've always done it this way." Let's see how it plays out.

PS. The best that my googling had produced for the source to the forum which potentially has the templates in it is the Translator guide. I haven't tried installing cvs to clone it. Fill me in on whether this is the right path you were referring to when you decided this was a joke and backed up the worthless "put up or shut up" from the first poster with a worthless "google it."


Last edited by zamabe on Sun Oct 04, 2015 6:01 am; edited 1 time in total
Back to top
View user's profile Send private message
The Doctor
Veteran
Veteran


Joined: 27 Jul 2010
Posts: 1858

PostPosted: Sun Oct 04, 2015 6:00 am    Post subject: Reply with quote

If the fix is so simple, why don't you volunteer to do it? Answer, of course, is that it isn't.

You remind me about the guy who keeps his collection of old news papers in 5 character combination safe inside a locked room inside a fortress with a 24/7 armed guard. If the forum's security is breached an attacker can impersonate you to the forum and that is it. No one really wants your collection of old news papers or your forum account. Bending over backwards to protect data that isn't that sensitive to begin with just doesn't make sense.
_________________
First things first, but not necessarily in that order.
Back to top
View user's profile Send private message
zamabe
n00b
n00b


Joined: 21 Aug 2015
Posts: 7

PostPosted: Sun Oct 04, 2015 6:03 am    Post subject: Reply with quote

The Doctor wrote:
If the fix is so simple, why don't you volunteer to do it? Answer, of course, is that it isn't.


Code:
sed '/^.*{PASSWORD}.*$/d'


Yeah, it's that simple. It's a single line with the big, unique token "{PASSWORD}". Does it make sense to you why I'm incredulous about any possible validity to this still being a thing?

desultory wrote:
Kindly take a moment to actually read what you are replying to, everyone involved will benefit, especially you.


zamabe wrote:
PS. The best that my googling had produced for the source to the forum which potentially has the templates in it is the Translator guide. I haven't tried installing cvs to clone it. Fill me in on whether this is the right path you were referring to when you decided this was a joke and backed up the worthless "put up or shut up" from the first poster with a worthless "google it."
Back to top
View user's profile Send private message
The Doctor
Veteran
Veteran


Joined: 27 Jul 2010
Posts: 1858

PostPosted: Sun Oct 04, 2015 6:28 am    Post subject: Reply with quote

Seems to me like you don't actually care about fixing the problem, only hiding its existence.

As others have pointed out you are barking up the wrong tree.
_________________
First things first, but not necessarily in that order.
Back to top
View user's profile Send private message
desultory
Administrator
Administrator


Joined: 04 Nov 2005
Posts: 8481

PostPosted: Mon Oct 05, 2015 3:55 am    Post subject: Reply with quote

zamabe wrote:
Going to skip over replying point-by-point because now that the "Site Admin" is advocating doing nothing for bogus reasons, this is flat out depressing.

A few things:
Yes, I didn't respond to the comment made and never agreed with the one I supposedly defended, I responded to the direction it leads down.
Good use of sarcasm, I'll try to match.

Onward! Did you miss counting lessons? I'll help you out. If you started the forum at version 2 in 2002, there are the years 2002 to 2015. If you count them one by one, you find there are 13 years this forum has been operational. Is that at least 2 years? (psst, I'll help you cheat: yes) Has this problem existed the entire time? (psst, this whole test is going to be answer A) Is it actually relatively simple to fix? (Remember, all A)

To continue the theme of strong conclusions; Ignoring this thread/bug for at least two years, claiming this isn't a problem, and seriously saying that removing the line which contains the "here is your plaintext password" variable can't reasonably be done without i18n team's worth of submissions is to say that the gentoo project is a ludacris bureaucracy. It makes more sense that the guy with the Site Admin badge can't actually do anything to fix this, and even if they could they don't want to because pointing out that it's been there for a long time as if that's a bad thing is rude.
Not having the resources at hand to fix something correctly is not the same as needing those resources to instate an unverified "fix" just to silence a squeaky wheel.

Not having gathered such resources might imply certain things about the priority of instating a fix for the problem in question, and in this case it does.
zamabe wrote:
Hopefully conspiracy-challenge is a good one-up to sarcasm in your post which concludes that "we've always done it this way." Let's see how it plays out.

PS. The best that my googling had produced for the source to the forum which potentially has the templates in it is the Translator guide. I haven't tried installing cvs to clone it. Fill me in on whether this is the right path you were referring to when you decided this was a joke and backed up the worthless "put up or shut up" from the first poster with a worthless "google it."
Your Google Skillz™ have failed you, though a bit of basic reasoning could easily lead you to a correct answer from what you have found.
zamabe wrote:
The Doctor wrote:
If the fix is so simple, why don't you volunteer to do it? Answer, of course, is that it isn't.


Code:
sed '/^.*{PASSWORD}.*$/d'


Yeah, it's that simple. It's a single line with the big, unique token "{PASSWORD}". Does it make sense to you why I'm incredulous about any possible validity to this still being a thing?
That is not necessarily true, you might actually be worth replying to if you can figure out why.
zamabe wrote:
desultory wrote:
Kindly take a moment to actually read what you are replying to, everyone involved will benefit, especially you.


zamabe wrote:
PS. The best that my googling had produced for the source to the forum which potentially has the templates in it is the Translator guide. I haven't tried installing cvs to clone it. Fill me in on whether this is the right path you were referring to when you decided this was a joke and backed up the worthless "put up or shut up" from the first poster with a worthless "google it."
You are the one who claimed to have such impressive Google Skillz™, so asking you to employ them could only be useless if either (1) Google had not indexed the relevant information (it has), or (2) your Google Skillz™ are not all they were claimed to be (that is entirely up to you). As for "patches welcome", that is only worthless if (1) you are unable to generate such patches; or (2) you are simply not worth working with, regardless of the technical merits of any patches you would generate; both of those are entirely under your control.

Some tips for you:

  • If you want to retain any credibility as a developer; avoid claiming that you have a certain set of skills, then balking at their slightest exercise.
  • If you want to retain credibility as a functional adult; when you are told that you are acting boorishly, the correct response is to consider that possibility and act accordingly to correct that behavior, not to take it as a sign that if you were only to apply yourself a bit more diligently you could be a proper jackass.
  • If you want appear overly self important and willfully ignorant, continue quoting yourself in successive posts.
Back to top
View user's profile Send private message
affinityvision
n00b
n00b


Joined: 06 Oct 2015
Posts: 3

PostPosted: Tue Oct 06, 2015 11:06 am    Post subject: Reply with quote

Glad, at least, to see this thread exists and isn't closed. But that's all.

My 32 character password, relayed back via email is a definite fail.

Password reset give me a nice 29 character password okay...

Trying to reset my password to use full character set (including high ascii) and limiting the new password to 32 characters; failed.... can't have password longer than 32 characters, it was exactly 32 characters.

Tried using a lesser character set, but still 32 characters and it was okay.

https only protects so much as well.

I understand that this isn't Gentoo the distro itself, but it is the "official" Gentoo forum (isn't it?) after all, surely this deserves far greater attention and priority, especially since it might be a person's first direct experience with the Gentoo community -- not a good start, first impressions can be very damaging.

So, for a user to have some kind of security they need to create an account and then change their password immediately; until then, there is an email showing the original password in some email archive (wanted or not and warranted or not).

Secure mechanisms for password handling need to be improved all over the Internet, here is a perfect example of one that is more serious than it might otherwise seem. Even if the password wasn't sent in clear text to the new registrant, there are other factors that should be put in play to secure user logins; passwords should be allowed to be any length and use any type of ASCII character, even if a reasonable minimum length is specified.
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 5170

PostPosted: Tue Oct 06, 2015 11:36 am    Post subject: Reply with quote

affinityvision wrote:
So, for a user to have some kind of security they need to create an account and then change their password immediately; until then, there is an email showing the original password in some email archive (wanted or not and warranted or not).

No the only security is that this password is use only for the forum and you didn't use it for anything else.
Even a 4000 chars password is useless if by breaking in the forum base, anyone can catch your bank account password as well.

The forum password doesn't need to be strong, its task is to block anyone to use your forum account to post as you, not to protect your bank.
Back to top
View user's profile Send private message
tw04l124
Advocate
Advocate


Joined: 03 Oct 2006
Posts: 2842
Location: A t z e l, lower austria

PostPosted: Wed Oct 07, 2015 8:40 am    Post subject: Reply with quote

That's why i had to reset it several times already because i forgot it, lol (no the browser forgot it)
Back to top
View user's profile Send private message
affinityvision
n00b
n00b


Joined: 06 Oct 2015
Posts: 3

PostPosted: Wed Oct 07, 2015 8:46 am    Post subject: Reply with quote

Having your browser remember the password is a different kind of fail.
Back to top
View user's profile Send private message
tw04l124
Advocate
Advocate


Joined: 03 Oct 2006
Posts: 2842
Location: A t z e l, lower austria

PostPosted: Wed Oct 07, 2015 10:56 am    Post subject: Reply with quote

affinityvision wrote:
Having your browser remember the password is a different kind of fail.


depends. Bear in mind, that not everything needs such full protection, as it is only a support forum in the first place.

i boot from an unsecure bios chip / hardware platform, from an unencrypted / unhashed boot partition. which loads an initramfs whihc opens a lvm container which contains a luks partition with root.

Attack vectors are: unseucre hardware platform. no one knows what hte hardware really does (short summary)
Network => not sure if there are any loopholes / backdoors in my network stack
remote log in should be disabled but you never know what the webbrowser has holes / when you visit a bad website

I am upgrading my hardware and I will implement / secure backup and hash of boot this time. As long as we do not know what's in the hardware itself, and as the ASUS bios is just encrypted / you never know what's really in that.

I would say that my box is safe from the average windows 10 guy but not from someone with as much knowledge as myself.

Do you always lock your screen when you leave your computer for a coffee?

Endless topic, but thanks for your hint. Thats why i have choosen some random password and reset it when the browser forgets it.
Back to top
View user's profile Send private message
affinityvision
n00b
n00b


Joined: 06 Oct 2015
Posts: 3

PostPosted: Wed Oct 07, 2015 11:25 am    Post subject: Reply with quote

tw04l124 wrote:
Endless topic, but thanks for your hint. Thats why i have choosen some random password and reset it when the browser forgets it.

That's a pretty good answer all up, thank you. And yes, typically I DO lock my screen usually, but I'm not perfect.

Totally agree with you on all those possible attack vectors.

I do have to admit that I use s browser add-on to interface with KeePass... that is my weakest point, but I only do that on one desktop that is /almost/ locked away. The laptop that travels doesn't have that add-on.

Thanks
;-)
Back to top
View user's profile Send private message
zamabe
n00b
n00b


Joined: 21 Aug 2015
Posts: 7

PostPosted: Sat Oct 10, 2015 4:28 pm    Post subject: Reply with quote

Relevant bug https://bugs.gentoo.org/show_bug.cgi?id=431106
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Forums Feedback All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum