Passwords

Posted: 05 Oct 2014, 16:26
by tank
Recently, due to an innocent code error, the DB credentials were exposed. The DB password was changed as a result and is no longer vulnerable. But in adoption with a "better safe than sorry" I have set all passwords for all users to expire and require change. I am sorry for any inconvenience. The reality is that, even if the user table was compromised, it is unlikely that your actual password would get cracked. Passwords are stored hashed and salted. It would take a highly skilled cracker to derive real passwords.

Re: Passwords

Posted: 05 Oct 2014, 16:42
by jballi
I came here to bitch and moan but you took all the air out of my moan tires. Thanks for the update. :)

Re: Passwords

Posted: 05 Oct 2014, 16:54
by fincs
You can blame PHP/PDO and its incredibly stupid DB-credential-leaking error messages for this :facepalm:

Re: Passwords

Posted: 05 Oct 2014, 20:30
by amnesiac
Thanks for your work. Yes, it's a "better safe than sorry".

Re: Passwords

Posted: 05 Oct 2014, 22:28
by joedf
fincs wrote: You can blame PHP/PDO and its incredibly stupid DB-credential-leaking error messages for this :facepalm:
+1 :facepalm:

Re: Passwords

Posted: 06 Oct 2014, 02:39
by Bruttosozialprodukt
It should also be mentioned that it was only revealed for like 5 minutes and I think it didn't even have the correct database name in it.

I also don't even think that you could connect to it without access to the server's PHP side.

Re: Passwords

Posted: 06 Oct 2014, 12:51
by 6Zptf
in adoption with a "better safe than sorry" I have set all passwords for all users to expire and require change.
I appreciate your caution.

Re: Passwords

Posted: 06 Oct 2014, 16:00
by dmg
OK. Thanks for letting us know. What does setting the passwords to expire mean for us users? What do we need to do, and when?

Re: Passwords

Posted: 06 Oct 2014, 18:25
by codybear
Thanks for the heads up. I just changed mine to be safe.

Re: Passwords

Posted: 06 Oct 2014, 18:30
by tank
Change your password in case someone managed to access the user table and found a way to guess your password.

Re: Passwords

Posted: 09 Oct 2014, 12:55
by kidbit
oh god, this is so lame

Re: Passwords

Posted: 28 Oct 2014, 09:18
by Chunjee
tank wrote: I have set all passwords for all users to expire and require change.
Don't have a PM or any notification at all that my password needs changing. Are you sure you did this?

Re: Passwords

Posted: 28 Oct 2014, 10:26
by guest3456
Chunjee wrote: Don't have a PM or any notification at all that my password needs changing. Are you sure you did this?
you are the 11th poster in this thread.

what's more likely:

1. the 10 previous posters are all talking nonsense, and the site admin didn't really do what he said he did
2. you are the anomaly

Re: Passwords

Posted: 28 Oct 2014, 11:24
by Chunjee
3. They are set to expire tomorrow
4. Someone erased my memory
5. I am better than all users and my password is just super salty
6. The forced password change expired or isn't working for everyone

Going with 5.

Re: Passwords

Posted: 28 Oct 2014, 12:50
by joedf

Re: Passwords

Posted: 04 Nov 2014, 09:36
by geek
I don't recall having to go through a password reset either

Re: Passwords

Posted: 04 Nov 2014, 10:25
by Blackholyman
Same! no reset for me yet

Re: Passwords

Posted: 09 Nov 2014, 12:12
by Sidola
Me neither.

Re: Passwords

Posted: 09 Nov 2014, 13:07
by Bruttosozialprodukt
I definitely had to reset my password the day all this happened.