Password Security 1.1 SP1 Eliminates all plain-ASCII storage of members' passwords. A new Admin screen option, "Repair Passwords", automatically upgrades every existing plain password to its crypt() form, skipping passwords that are already hashed. (Caveat: a member file is treated as already hashed when its stored password begins with the two characters of $pwseed, so a plain password that happens to start with those two characters is skipped and stays in plain text; admin.dat is not processed by this pass.) Adds a secret question / answer to the registration, profile, and forgot-password sections. The forgot-password function gains one more layer: after members enter their username they are shown their secret question, and only if they answer correctly is a new password emailed to them. Because anyone who knows a username can see that member's question, and nothing in this mod limits the number of wrong answers, the answer must be treated as a second password — pick a question whose answer is neither guessable nor publicly known. The emailed replacement password is built from rand(), not a cryptographic source, so members should change it at first login. All passwords and secret-question answers are stored as one-way crypt() hashes instead of plain ASCII — this is hashing, not reversible encryption; note that every account is hashed with the same site-wide salt $pwseed, so members who share a password end up with identical hashes, and where crypt() is the traditional DES variant (which a two-character seed implies) only the first eight characters of a password or answer are significant. Original Mod by Matthew C. Veno (http://www.thewebworks.com) Version 1.1 Update - Bug Fix: fixed a bug where, when an admin modified a user's profile, the user's password and secret answer were changed and became unusable (the profile form now keeps a submitted value that already equals the stored hash instead of hashing it again). Version 1.1SP1 (by chrishartmann): mod modified for use with YaBB 1 Gold - SP1. For detailed installation information please visit http://www.thewebworks.com/yabbmod.htm Chrishartmann http://chrishartmann.6x.to Sources/Load.pl $spass = crypt($settings[0],$pwseed); if($spass ne $password && $action ne 'logout') { $username = ''; } if($settings[0] ne $password && $action ne 'logout') { $username = ''; } english.lng $txt{'749'} = "The 'number of posts' box can only contain digits."; $pwtxt{'750'} = "Repair all passwords"; $pwtxt{'751'} = "Processing User: "; $pwtxt{'752'} = "Password Updated"; $pwtxt{'753'} = "Password OK -- Skipped"; $pwtxt{'754'} = "All the Passwords have been Repaired."; $pwtxt{'755'} = "Secret Question"; $pwtxt{'756'} = "Choose a question only you know the answer to and that has nothing to do with your password. If you forget your password, we'll verify your identity by asking you this question."; $pwtxt{'757'} = "Answer to Secret Question"; $pwtxt{'758'} = "The Secret Question was not filled out. It is required."; $pwtxt{'759'} = "The Answer to Secret Question was not filled out. 
It is required."; $pwtxt{'760'} = "Sorry, that is not the correct answer!"; Sources/AdminEdit.pl $password = crypt($settings[0],$pwseed); $password = $settings[0]; Sources/Admin.pl - $txt{'504'}
- $pwtxt{'750'}
# RepairPasswords -- admin action "repairpasswords" (gated by &is_admin).
# Walks every *.dat file in $memberdir except admin.dat, and rewrites line 0
# (the stored password) through crypt() with the site-wide $pwseed salt
# unless the first two characters of that line already equal $pwseed.
# Per-user progress text is appended to $yymain and rendered via &template.
# NOTE(review): the "already hashed" test is only a two-character prefix
# check, so a plaintext password that happens to begin with the same two
# characters as $pwseed is skipped and stays in plain text; admin.dat is
# never touched by this pass.  `@memsettings=;` looks like the `<FILE>`
# read was lost in extraction -- restore it before using this listing.
# `sub AdminBoardRecount {` at the start of the next line appears to be the
# mod's find-anchor rather than part of this sub.
sub AdminBoardRecount { sub RepairPasswords { &is_admin; @users = ''; $yytitle = "$pwtxt{'750'}"; opendir(DIR, "$memberdir") || die "$txt{'230'} ($memberdir) :: $!"; @contents = readdir(DIR); closedir(DIR); $yymain .= qq~
$pwtxt{'750'}
~; foreach $line (sort @contents){ $line =~ m~(.+)\.(.+)~; if ($2 eq 'dat' && $1 ne 'admin') { my $user = $1; $yymain .= qq~$pwtxt{'751'} $user -- ~; fopen(FILE, "$memberdir/$user.dat"); @memsettings=; fclose(FILE); foreach (@memsettings) { $_ =~ s~[\n\r]~~g; } if ((substr $memsettings[0],0,2) ne $pwseed) { fopen( FILE, ">$memberdir/$user.dat", 1); $cryptpass = crypt("$memsettings[0]",$pwseed); print FILE "$cryptpass\n"; for ($i=1;$i<=$#memsettings;$i++) { print FILE "$memsettings[$i]\n"; } fclose(FILE); $yymain .= qq~$pwtxt{'752'}
~; } else { $yymain .= qq~$pwtxt{'753'}
~; } } } $yymain .= qq~

$pwtxt{'754'}~; &template; exit; } Sources/Profile.pl $pwtxt{'755'}:
$pwtxt{'756'} $pwtxt{'757'}:
if( $member{'bday1'} ne "" || $member{'bday1'} ne "" || $member{'bday1'} ne "" ) { &fatal_error("$pwtxt{'758'}") if($member{'secretquestion'} eq ''); &fatal_error("$pwtxt{'759'}") if($member{'secretanswer'} eq ''); fopen( FILE, ">$memberdir/$member{'username'}.dat", 1); print FILE "$member{'passwrd1'}\n"; fopen(SETTINGS, "$memberdir/$member{'username'}.dat"); @userProfileSettings = ; fclose(SETTINGS); chomp $userProfileSettings[0]; chomp $userProfileSettings[21]; if ($member{'passwrd1'} eq $userProfileSettings[0]) { $cryptpass = $member{'passwrd1'}; } else { $cryptpass = crypt("$member{'passwrd1'}",$pwseed); } if ($member{'secretanswer'} eq $userProfileSettings[21]) { $cryptanswer = $member{'secretanswer'}; } else { $cryptanswer = crypt("$member{'secretanswer'}",$pwseed); } fopen( FILE, ">$memberdir/$member{'username'}.dat", 1); print FILE "$cryptpass\n"; print FILE "$FORM{'hideemail'}\n"; print FILE "$member{'secretquestion'}\n"; print FILE "$cryptanswer\n"; $password = crypt("$member{'passwrd1'}",$pwseed); $password = $cryptpass; Sources/Register.pl ~; * $pwtxt{'755'}:
$pwtxt{'756'} * $pwtxt{'757'}:
&fatal_error("($member{'username'}) $txt{'100'}") if(-e ("$memberdir/$member{'username'}.dat")); &fatal_error("($member{'username'}) $pwtxt{'758'}") if($member{'secretquestion'} eq ''); &fatal_error("($member{'username'}) $pwtxt{'759'}") if($member{'secretanswer'} eq ''); print FILE "$member{'passwrd1'}\n"; $cryptpass = crypt("$member{'passwrd1'}",$pwseed); print FILE "$cryptpass\n"; print FILE "$FORM{'hideemail'}\n"; print FILE "$member{'secretquestion'}\n"; $cryptanswer = crypt("$member{'secretanswer'}",$pwseed); print FILE "$cryptanswer\n"; YaBB.pl elsif ($action eq 'rebuildmemlist') { require "$sourcedir/Admin.pl"; &RebuildMemList; } elsif ($action eq 'repairpasswords') { require "$sourcedir/Admin.pl"; &RepairPasswords; } elsif ($action eq 'reminder2') { require "$sourcedir/LogInOut.pl"; &Reminder2; } elsif ($action eq 'reminder_answer') { require "$sourcedir/LogInOut.pl"; &Reminder_answer; } Sources/LogInOut.pl if($settings[0] ne "$FORM{'passwrd'}") { $username = "Guest"; &fatal_error("$txt{'39'}"); } $password = crypt("$FORM{'passwrd'}",$pwseed); if($settings[0] ne $password) { $username = "Guest"; &fatal_error("$txt{'39'}"); } $password = $member[0]; foreach (@member) { $_ =~ s~[\n\r]~~g; } $cryptanswer = crypt("$FORM{'secretanswer'}",$pwseed); &fatal_error("$pwtxt{'760'}") if($cryptanswer ne $member[21]); $yytitle="$mbname $txt{'669'}"; srand(); $newpasswrd = int( rand(100) ); $newpasswrd =~ tr/0123456789/ymifxupbck/; $_ = int( rand(77) ); $_ =~ tr/0123456789/q8dv7w4jm3/; $newpasswrd .= $_; $_ = int( rand(89) ); $_ =~ tr/0123456789/y6uivpkcxw/; $newpasswrd .= $_; $_ = int( rand(188) ); $_ =~ tr/0123456789/poiuytrewq/; $newpasswrd .= $_; $_ = int( rand(65) ); $_ =~ tr/0123456789/lkjhgfdaut/; $newpasswrd .= $_; $cryptpass = crypt($newpasswrd,$pwseed); fopen( FILE, ">$memberdir/$user.dat", 1); print FILE "$cryptpass\n"; for ($i=1;$i<=$#member;$i++) { print FILE "$member[$i]\n"; } fclose(FILE); $password = $newpasswrd;

$txt{'193'}


$txt{'34'}

# Reminder_answer -- action "reminder_answer", step two of the forgot-password
# flow.  Reads $memberdir/$FORM{'user'}.dat and shows that member's secret
# question ($member[20]) together with an answer form; the answer itself is
# checked by the modified Reminder2 (`$cryptanswer ne $member[21]`).
# NOTE(review): $FORM{'user'} goes straight into the file path without being
# validated against the characters YaBB permits in usernames -- as written,
# nothing stops path components such as `../` from selecting a .dat file
# outside $memberdir; add that check before the fopen.  Anyone who knows a
# username can read that member's secret question here, and nothing visible
# limits how many answers may be tried, so the answer must be treated as a
# second password.  `@member=;` appears to have lost its `<FILE>` read in
# extraction.  `sub Reminder2 {` at the start of the next line looks like the
# mod's find-anchor rather than part of this sub.
sub Reminder2 { sub Reminder_answer { $user = $FORM{'user'}; fopen(FILE, "$memberdir/$user.dat") || &fatal_error("$txt{'40'}"); @member=; fclose(FILE); $yymain .= qq~

$mbname $txt{'36'} $txt{'194'}
$user, $pwtxt{'755'}: $member[20]
$pwtxt{'757'}:
~; $yytitle = "$txt{'669'}"; &template; exit; }