Password Security
1.1
Eliminates all plain-ASCII storage of members' passwords. A new Admin screen option, "Repair Passwords", automatically upgrades every existing plain password to its encrypted form, skipping passwords that are already encrypted. Adds a secret question / answer to the registration, profile, and forget-password sections. The forget-password function gains one more step: after entering their username, the member is shown their secret question, and only if they answer it correctly is a new password emailed to them. All passwords and secret-question answers are stored encrypted -- no more plain-ASCII passwords anywhere!
Version 1.1 Update - Bug Fix
Fixed a bug where, when an Admin modified a user's profile, the user's password and secret answer were changed and became unusable.
For detailed installation information please visit http://www.thewebworks.com/yabbmod.htm
Matthew C. Veno
http://www.thewebworks.com
Sources/Load.pl
# Load.pl: hash the stored password ($settings[0]) with the site-wide seed
# $pwseed and compare the result with $password; on mismatch (except during
# logout) the session is dropped to an empty username.
# NOTE(review): once RepairPasswords has run, $settings[0] is already the
# crypt()-ed value, so this hashes it a second time -- $password therefore has
# to carry the same doubly-hashed form for the check to pass; confirm against
# the cookie/session handling in Load.pl and LogInOut.pl.
# NOTE(review): $pwseed is a single salt shared by every account (RepairPasswords
# also uses it as the "already hashed" marker), so identical passwords produce
# identical hashes; a per-account salt would avoid that.
$spass=crypt($settings[0],$pwseed);
if($spass ne $password && $action ne 'logout') { $username = ''; }
# Appears to be the original (pre-mod) line the two lines above replace:
# the stored password was compared in the clear.
if($settings[0] ne $password && $action ne 'logout') { $username = ''; }
Sources/LogInOut.pl
# LogInOut.pl: appears to be the original (pre-mod) login check, comparing the
# stored password with the submitted form field in the clear.
if($settings[0] ne "$FORM{'passwrd'}") { $username = "Guest"; &fatal_error("$txt{'39'}"); }
# Replacement: hash the submitted password with the site-wide seed and compare
# it with the stored (hashed) value; on mismatch the visitor becomes "Guest"
# and the failure is handed to fatal_error() with message $txt{'39'}.
# NOTE(review): with a two-character seed, crypt(3) on most systems selects the
# traditional DES scheme, which ignores password characters beyond the eighth
# -- confirm for the target platform. $pwseed is also the same salt for every
# account, so equal passwords hash equally.
$password = crypt("$FORM{'passwrd'}",$pwseed);
if($settings[0] ne $password) { $username = "Guest"; &fatal_error("$txt{'39'}"); }
english.lng
# english.lng: lvalue keys() pre-sizes the %txt bucket count. The mod raises
# it from 749 to 760 to cover the eleven strings (750-760) it adds below.
keys(%txt) = 749;
keys(%txt) = 760;
# english.lng: string 749 is the existing line the mod anchors on; 750-760 are
# added -- labels and messages for the "Repair all passwords" admin screen and
# for the secret question / answer fields.
@txt{ 749 .. 760 } = (
    "The 'number of posts' box can only contain digits.",
    "Repair all passwords",
    "Processing User: ",
    "Password Updated",
    "Password OK -- Skipped",
    "All the Passwords have been Repaired.",
    "Secret Question",
    "Choose a question only you know the answer to and that has nothing to do with your password. If you forget your password, we'll verify your identity by asking you this question.",
    "Answer to Secret Question",
    "The Secret Question was not filled out. It is required.",
    "The Answer to Secret Question was not filled out. It is required.",
    "Sorry, that is not the correct answer!",
);
Sources/Admin.pl
$txt{'610'} $txt{'750'}
# Admin.pl (admin edits a member's profile): seed $password from the stored
# value, hashed with the site-wide seed -- the 1.1 fix for the profile edit
# that left the password unusable.
# NOTE(review): after RepairPasswords has run, $settings[0] is already the
# crypt()-ed value, so this hashes it again; presumably the profile-save path
# expects exactly that form -- confirm against the write side in Admin.pl.
$password = crypt($settings[0],$pwseed);
# Appears to be the original (pre-mod) line the line above replaces.
$password = $settings[0];
sub RepairBoards {
sub RepairPasswords {
&is_admin;
@users = '';
$yytitle = "$txt{'750'}";
&header;
opendir(DIR, "$memberdir") || die "$txt{'230'} ($memberdir) :: $!";
@contents = readdir(DIR);
closedir(DIR);
print qq~$txt{'750'} ~;
foreach $line (sort @contents){
$line =~ m~(.+)\.(.+)~;
if ($2 eq 'dat' && $1 ne 'admin') {
my $user = $1;
print qq~$txt{'751'} $user -- ~;
fopen(FILE, "$memberdir/$user.dat");
@memsettings=;
fclose(FILE);
foreach (@memsettings) {
$_ =~ s~[\n\r]~~g;
}
if ((substr $memsettings[0],0,2) ne $pwseed) {
fopen( FILE, ">$memberdir/$user.dat", 1);
$cryptpass = crypt("$memsettings[0]",$pwseed);
print FILE "$cryptpass\n";
for ($i=1;$i<=$#memsettings;$i++) {
print FILE "$memsettings[$i]\n";
}
fclose(FILE);
print qq~$txt{'752'} ~;
}
else { print qq~$txt{'753'} ~; }
}
}
print qq~