Version 1.4 on the way...

[Neil Darlow]

Well that is how the dev's did it in Profile.php, whether it is correct or not... I am not sure.

I have YaBB SE-1.3.0 plus the bug fix package. Looking at Profile.php the password crypt manipulations are done on variable $queryPasswdPart which is modified by escaping from the string and concatenating the crypt function result using the . operator back into string mode.

What you showed earlier is not like this at all.

[Chris Cromer]

If you read $queryPasswdPart you will see that it is equal to what I wrote in the query.

[Chris Cromer]

Well, I have fixed it. I am going to post the code and then we should now have 1.4

[Chris Cromer]

Replace this in Profile.php:

Code Select Expand

   $yytitle="$txt[245]";
   template_header();
      $euser=urlencode($member['user']);
      sendmail($member['email'],"$txt[700] $mbname", "$txt[733] $member[passwrd1] $txt[734] $member[user].\n\n$txt[701] $scripturl?action=profile;user=$euser\n\n$txt[130]");
      print <<<EOT
with:

Code Select Expand

   $yytitle="$txt[245]";
   template_header();
      $euser=urlencode($member['user']);
      $pswd = $member['passwrd1'];
      $queryPasswdPart="passwd='".crypt($pswd, substr($pswd,0,2))."'";
      $request = mysql_query("UPDATE {$db_prefix}members SET $queryPasswdPart WHERE memberName='$user'");
      sendmail($member['email'],"$txt[700] $mbname", "$txt[733] $pswd $txt[734] $member[user].\n\n$txt[701] $scripturl?action=profile;user=$euser\n\n$txt[130]");
      print <<<EOT
and also replace this:

Code Select Expand

   mt_srand(34028934023); //pseudo-random seed
   if( $member['passwrd1'] == '' && $emailnewpass && strtolower($member['email']) != strtolower($settings[2]) && $settings[7] != 'Administrator') {
      $member['passwrd1'] = crypt(mt_rand(-100000,100000));
      $newpassemail = 1;
   } else {
with:

Code Select Expand

     mt_srand(time());
      if( $member['passwrd1'] == '' && $emailnewpass && strtolower($member['email']) != strtolower($settings[2]) && $settings[7] != 'Administrator') {
            $member['passwrd1'] = crypt(mt_rand(-100000,100000));
            $member['passwrd1'] = preg_replace("/\W/","",$member['passwrd1']);
            $member['passwrd1'] = substr($member['passwrd1'],0,10);
            $newpassemail = 1;
   } else {
Then it will work normally.

[Neil Darlow]

Code Select Expand

     $pswd = $member['passwrd1'];
      $request = mysql_query("UPDATE {$db_prefix}members SET passwd='crypt($pswd,substr($pswd,0,2))' WHERE memberName='$user'");
      sendmail($member['email'],"$txt[700] $mbname", "$txt[733] $pswd $txt[734] $member[user].\n\n$txt[701] $scripturl?action=profile;user=$euser\n\n$txt[130]");

Contrast your code, above, with this:

Code Select Expand

     $request = mysql_query("UPDATE {$db_prefix}members SET passwd='" . crypt($pswd,substr($pswd,0,2)) . "' WHERE memberName='$user'");
Notice the escape from string mode to execute crypt followed by entry back into string mode. I have added spaces around the . operators for clarity.

[Neil Darlow]

Replace this in Profile.php:

Code Select Expand

     mt_srand(time());
      if( $member['passwrd1'] == '' && $emailnewpass && strtolower($member['email']) != strtolower($settings[2]) && $settings[7] != 'Administrator') {
            $member['passwrd1'] = crypt(mt_rand(-100000,100000));
            $member['passwrd1'] = preg_replace("/\W/","",$member['passwrd1']);
            $member['passwrd1'] = substr($member['passwrd1'],0,10);
            $newpassemail = 1;
   } else {

Not sure about that substr call. crypted passwords are two (2) salt plus eleven (11) characters. Why are you extracting the first ten?

[Chris Cromer]

That makes the password 10 characters long instead of the super huge password you would normally receive.

There was 3 bugs not just 1. The first was the password would contain special characters that it wasn't supposed to, the 2nd was it was too long, and the 3rd was it not saveing the password to the database after you change your password and you have e-mail password on e-mail change set.

You can see more about these other bugs here.

[Jeff Lewis]

Neil, that is how we are creating password in Register.php

[Neil Darlow]

Neil, that is how we are creating password in Register.php

As long as you are aware that giving the user the salt and 8 characters of the password potentially weakens the password over that provided by crypt itself.

The other effects noted by Chris Comer are the expected outcome of MD5 and Blowfish encryption. These are documented in the PHP crypt function description (although I would add that FreeBSD natively generates a salt beginning with $2a$ for Blowfish encryption).

Passing a two character salt from the DES crypt character set (0-9A-Za-z./) should enforce the DES mode of encryption, if it's available on the platform, giving the expected 2 salt + 11 character encoding.

[David]

The thing is that YaBBSE passwords do not need to be strong enough for the CIA.  If you are really worried about somebody trying to use brute force to get into your account, you worry too much.  Also, so far there has not been a single known hacked board because of something YaBBSE did.

[Jeff Lewis]

Also, so far there has not been a single known hacked board because of something YaBBSE did.

Lets not encourage someone

[Neil Darlow]

The thing is that YaBBSE passwords do not need to be strong enough for the CIA.  If you are really worried about somebody trying to use brute force to get into your account, you worry too much.  Also, so far there has not been a single known hacked board because of something YaBBSE did.

Giving the user the salt is unnecessary as it's available in the database for use by the verification logic.

If you give the user all 11 characters of the password you retain password strength at the expense of sending 11 characters instead of 10.

Why give the user redundant information and weaken the password strength for the sake of a single character? And, IMHO, no password mechanism is too secure.

[TheJkWhoSaysNi]

will the   smiley be fixed in 1.4?

[Chris Cromer]

I already asked that... Jeff said he wouldn't touch the smiley.

[TheJkWhoSaysNi]

Aww, well if you're not going to make it work, remove it from the add smilies list...