BoardMod Support Forum - Password Security SP1.1/SP1.2/SP1.3

Dummy Proof

Hacker God

Offline

Posts: 991

07.06.03 at 09:50:36

Password Security SP1.1/SP1.2/SP1.3

Eliminate all plain ASCII storage of members' passwords.

Admin screen contains option to "Repair Passwords" which will automatically upgrade all existing plain passwords to encrypted versions, skipping the passwords which are already encrypted.

Adds "Secret Question / Answer" to Registration, Profile, and Forget Password sections. Forget password function has one more layer, after they enter their username they are presented with their secret question.
If they answer correctly, a new password will be emailed to them. All Passwords and Secret Question answers are stored encrypted, no more plain ascii passwords anywhere!

Original Mod by Matthew C. Veno

Version History:
Version 1.1 Update - Bug Fix
Fixed bug where when Admin modifies users' profile the users' password and secret answer were changed and unusable.

Version 1.1SP1.1 (by Chrishartmann)
Mod modified for use with YaBB 1 Gold - SP1.1

Version 1.2SP1.2 (by DummyProof)
Mod modified for use with YaBB 1 Gold - SP1.2
Corrected Reminder Answer screen that would not show if "No Guest Access" was used.

Version 1.3SP1.3 (by DummyProof)
Mod modified for use with YaBB 1 Gold - SP1.3

For detailed installation information please open yabbpass.html included in the zip file.

DummyProof

« Last Edit: 07.06.03 at 12:43:20 by Dummy Proof »

IP Logged

PasswordSecurity.zip (18 KB | 43 )

Ya can Idiot proof it...
Ya can Dummy proof it...
But ya can never...
...Blonde proof it!

Jake

Hacker God

Offline

Posts: 1265

Reply #1 - 07.06.03 at 10:45:20

Just wondering inthe mod instruction file saying that
Quote:

You're all set to go! Turn off maintenance mode to re-open your YaBB board.

You will want to instruct all your users to update their profile to enter a Secret Question and Answer so encase they ever forget their passwords.

My forum has more than 400 members how can i instruct all my users.

Actually i love this mod, i've once installed into my forum but almost all my users complained thatthey couldn't logg in. And finally i gave up and took this mod out.

In this case how can i do
@Dummy you usually give me the better solution and also this one what're you going to do in this case.
Thanks

IP Logged

Dummy Proof

Hacker God

Offline

Posts: 991

Reply #2 - 07.06.03 at 11:34:20

A "cheap and dirty" way would be to force them to make the entry valid or they don't get to go any further than their Modify Profile page.

In YaBB.pl find this Code:

&banning;            # Check for banned people

And add after it this Code:

if ($username ne 'Guest' && !$settings[21] && $action ne 'profile' && $action ne 'profile2' && $action ne 'logout'){ 
        $mandatorytext = qq~Please modify your profile so that the "Secret Question" and "Answer" entries are valid.~;
        &fatal_error($mandatorytext);
}

After logging in they will go to the Board Index as usual, but if they try to go anywhere other than the their profile page they will get an error telling them:
"Please modify your profile so that the "Secret Question" and "Answer" entries are valid."

As you may or may not know, new users would be unaffected by this, as they are required to provide that info upon registering.

Dummy

IP Logged

Ya can Idiot proof it...
Ya can Dummy proof it...
But ya can never...
...Blonde proof it!

gwyden Bloody Novice Offline Posts: 45	Reply #3 - 07.06.03 at 11:41:08 would this technically be v1? I like to keep track so if a mod is released in the future I know which is the most current =)
	IP Logged

Dummy Proof Hacker God Offline Posts: 991	Reply #4 - 07.06.03 at 11:48:03 Technically v1 was released by Matthew C. Veno. Subsequent bug fixes and update versions are listed above. Dummy
	IP Logged Ya can Idiot proof it... Ya can Dummy proof it... But ya can never... ...Blonde proof it!

wayland Fulltime Hacker Offline Posts: 135	Reply #5 - 07.06.03 at 16:52:16 Dummy, Is the javacrypt.js file included in the mod zip file the Password Encryption tool? Also, just to be clear, is there any difference between the final version and the 1.3BETA version I already have installed?
	IP Logged

Dummy Proof Hacker God Offline Posts: 991	Reply #6 - 07.06.03 at 19:33:55 No difference from the last SP1.3beta. The javacrypt.js is only for the yabbpass.html, not to be installed with the mod. Dummy
	IP Logged Ya can Idiot proof it... Ya can Dummy proof it... But ya can never... ...Blonde proof it!

Jake Hacker God Offline Posts: 1265	Reply #7 - 08.06.03 at 07:49:17 Quote: As you may or may not know, new users would be unaffected by this, as they are required to provide that info upon registering. Yes i know the over 400 members are the old members.
	IP Logged

wayland Fulltime Hacker Offline Posts: 135	Reply #8 - 08.06.03 at 21:00:16 Dummy, I've discovered a compatibility issue between Password Security and Automatic Flood Protection. Here's the link to thread discussing the issue. http://boardmod.yabbforum.com/yabb/YaBB.pl?board=modbugs;action=display;num=1054...
	IP Logged

gwyden Bloody Novice Offline Posts: 45	Reply #9 - 09.06.03 at 00:25:02 so the real question is does every mod have to be workable with every other mod or is it the responsibility of the person wanting the mod to fix? I know many mods come with combatability versions(which is kewl) but I would hope most people using the open source code would take advantage and get their hands dirty...
	IP Logged

Outlaw

Fulltime Hacker

Offline

Posts: 191

Reply #10 - 09.06.03 at 03:24:50

gwyden said:

Quote:

so the real question is does every mod have to be workable with every other mod or is it the responsibility of the person wanting the mod to fix? I know many mods come with combatability versions(which is kewl) but I would hope most people using the open source code would take advantage and get their hands dirty...

I reply...

BWAHAHAHAHA!

Forgive my laughter, but I asked almost the same question a little while back, and have close to 100 mods installed, and all had to done manually after about the first 10 or so.
MOST mods have to be individually tailored to work, trust me.

Thank the good Lord above for the great and selfless mod writers and users of this forum, because without them, most of us would have nothing but a basic YaBB, or another script.

I just found out that I may have to start over on my entire near 2 month to build script, due to a few minor problems that are just impossible (so i am told) to find and fix in my heavily modified script, so hang in there and learn all you can as you go Wink

Ask your questions, and these good folks will surely help you find the answers.

IP Logged

Dummy Proof

Hacker God

Offline

Posts: 991

Reply #11 - 09.06.03 at 09:17:38

wayland wrote on 08.06.03 at 21:00:16:

Dummy,
I've discovered a compatibility issue between Password Security and Automatic Flood Protection. Here's the link to thread discussing the issue.

http://boardmod.yabbforum.com/yabb/YaBB.pl?board=modbugs;action=display;num=1054...

Unless Ron makes his mod compatible with this one I see three options:
1) Use this mod and don't use reg flood mod.
2) Use reg flood mod and don't use this one.
3) Install this mod, then remove the steps in reg flood mod that change the LogInOut.pl file, then install that mod. This of course will be removing the flood protection from the password reminder function.

I kinda doubt the mod author will return just to make it compatible with that mod Roll Eyes

. The only reason I released this was because there were requests for SP1.2/SP1.3.x versions for those who had this mod installed upon those YaBB releases. There was also a step that needed to be added to the SP1.1 version of the mod.

Dummy

IP Logged

Ya can Idiot proof it...
Ya can Dummy proof it...
But ya can never...
...Blonde proof it!

wayland

Fulltime Hacker

Offline

Posts: 135

Reply #12 - 09.06.03 at 14:42:53

Dummy Proof wrote on 09.06.03 at 09:17:38:

I see three options:
1) Use this mod and don't use reg flood mod.
2) Use reg flood mod and don't use this one.
3) Install this mod, then remove the steps in reg flood mod that change the LogInOut.pl file, then install that mod.

Thanks Dummy,
I think it would be rather inconvenient to uninstall the Password Security mod at this point, as it is not possible to automatically decode the encrypted passwords in the process. Once encrypted, always enrypted. Correct?

IP Logged

DocRST Hacker God Offline Posts: 1846	Reply #13 - 09.06.03 at 14:45:52 Is it posible to ad a Password Policy, like must be at least ?? chars, Must have ??, ?? and ?? in the password. This may be a fix to hacks.
	IP Logged Doc Cowles Web Master YourWebSpace.com - Free YaBB hosting docrst@yahoo.com

Spikecity

Moderator

Offline

Posts: 2630

Reply #14 - 09.06.03 at 14:56:39

Dummy Proof wrote on 09.06.03 at 09:17:38:

Unless Ron makes his mod compatible with this one I see three options:

Hé, Dummy, don't know who wrote password protection for SP1.3.1, but why is it always me who has to be compatible with everyone else, I comply to YaBB standard code which is enough!
I did not invent an extra step into the registration sequence and merely add code to standard YaBB code.
So my suggestion is that the one now taking care of PW prot mod should bend a little and be compatible with flooding protection Grin

Ron

IP Logged

Nothing to add here