jakec (Site Admin)
Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom
Posted: Sat Oct 13, 2007 2:14 am

I see the latest version of Joomla (1.0.13) includes improved password storage using a random salt.

Raven (Site Admin/Owner)
Joined: Aug 27, 2002
Posts: 17088
Posted: Sat Oct 13, 2007 4:46 am

It's too late to try to push anything like this for v2.0. We can add a Mantis issue for future consideration. Dictionary attacks and the other methods that are used w/o a super computer are easily foiled by using a smart password. Anything over 6 long that is not a common word is very safe.

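What the "random salt" storage jakec mentions changes, as an added example that is not Joomla's or PHP-Nuke's own code: the unsalted md5 storage PHrEEkie describes for Nuke below is contrasted with per-user salted storage. The "hash:salt" layout, the 16-character alphanumeric salt and the function names are assumptions for illustration; the code needs PHP 7.1 or later for random_int(), hash_equals() and the short list syntax.

```php
<?php
// Added example, not code from Joomla or PHP-Nuke.  Layout "hash:salt" and
// the 16-character salt are assumptions chosen for illustration.

// Nuke-style storage: the stored value is a straight md5 of the password.
// Two users with the same password get the same stored value, and one
// precomputed md5 table (or one dictionary run) covers every account.
function nuke_style_hash(string $password): string
{
    return md5($password);
}

// Alphanumeric salt drawn from the OS CSPRNG.
function random_salt(int $length = 16): string
{
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $salt;
}

// Salted storage: md5(password . salt) stored together with the salt.
// The salt is not a secret; its job is to make every stored hash unique,
// so a table or dictionary run has to be repeated per account.
function salted_hash(string $password, ?string $salt = null): string
{
    $salt = $salt ?? random_salt();
    return md5($password . $salt) . ':' . $salt;
}

function verify_salted(string $password, string $stored): bool
{
    if (strpos($stored, ':') === false) {
        return false;                       // not in hash:salt form
    }
    [$hash, $salt] = explode(':', $stored, 2);
    // hash_equals() compares in constant time rather than stopping at the
    // first differing byte.
    return hash_equals($hash, md5($password . $salt));
}

// Demonstration with a constructed password (one of the "bad" examples
// from later in this thread).
$pw = 'spiders9letmein';

echo "unsalted, user A: " . nuke_style_hash($pw) . "\n";
echo "unsalted, user B: " . nuke_style_hash($pw) . "\n";   // same value: one crack fits both

$storedA = salted_hash($pw);
$storedB = salted_hash($pw);
echo "salted,   user A: $storedA\n";
echo "salted,   user B: $storedB\n";                        // different although the password is the same

echo "correct password verifies: " . var_export(verify_salted($pw, $storedA), true) . "\n";
echo "wrong password rejected:   " . var_export(!verify_salted('wrong', $storedA), true) . "\n";
```

A salt defeats the shared precomputed tables and "crack them all at once" dictionary runs, which is the attack PHrEEkie describes against a hijacked admin cookie; it does not slow a targeted brute force of a single account, because md5 itself is fast. Current PHP ships password_hash()/password_verify() (bcrypt by default), which add a per-guess cost on top of the salt.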
utssace (Worker)
Joined: Feb 18, 2006
Posts: 155
Location: Virginia
Posted: Sat Oct 13, 2007 8:07 am

PHrEEkie wrote:
> If you read up on some topics over at Waraxe, you'll see that all Nuke passwords are straight md5 hashes, and that they (the hacking community) have a few different software solutions for cracking md5 hashes. Using injection to add an entry to the authors table is just one way to gain access. The other is to hijack an admin cookie (which contains the information about the hashed password), then use their brute force software to crack the hash. Then they simply log in with your username and pass.
>
> If you educate yourself on the available server-side security options, you can create additional layers that a hacker would need to get through, even if he had a Nuke admin login/pass. There is no such thing as 100% authorization until we can do a fingerprint or retina scan over the internet. Therefore, all you can do is make it an extreme hassle and waste of time for a hacker to get in.
>
> Understand this... a VAST majority of all Nuke sites just contain content. Most hackers only want to tag your site with their banner or whatever. The TRUE motivated hacker seeks personal information like credit card numbers or what have you... these hackers will spend the time to try and breach additional layers, because there is a real potential monetary goal involved. Hackers who just want to hang graffiti on your site will NOT spend the days or weeks getting through extra layers, and will move on to an easier site. So, the moral of the story is, the use of an extra layer or two tends to discourage about 99% of any attacks, and that's a good number to have in your corner.
>
> PHrEEk

You talk about "server-side security options". Since I, like most people, use hosting and have to rely on the host to be sure the server is secure, what can I read on "site-side" security measures? I have read some about using HTACCESS to further password-protect directories. Is it effective enough to just HTACCESS the root of the site, or does NukeSentinel take care of that? My site is in a subfolder, so my root is still exposed. And what are some other options than htaccess?

PHrEEkie (Subject Matter Expert)
Joined: Feb 23, 2004
Posts: 358
Posted: Sat Oct 13, 2007 2:59 pm

Well, if your site is in a subfolder, then .htaccess'ing your root will in effect also cause a login popup for the subfolder. I'm guessing that wouldn't work too well for you. .htaccess doesn't only protect folders and subfolders; it can also protect individual files. If you try to load Nuke Admin and get a popup asking for authorization, you are good, and have that extra layer already established. If it doesn't, then you can use .htaccess file limiting to accomplish that. At a minimum, here's what should happen:

1. You load Nuke admin.
2. You are prompted for a login/password from a popup (server-side).
3. You log in.
4. You are presented with the Nuke Admin login page (and captcha if enabled).
5. You log in.
6. You are presented with the Nuke Admin area.

All login names and passwords should be DIFFERENT, and passwords should be ROBUST as well! Example passwords:

Bad:
helloimadmin
78goadmin
spiders9letmein

Good:
&gH77_@!!zZz
teLLus-592&_fG

Robust passwords:
A: Do not contain logical dictionary words
B: Alternate upper and lower-case alpha characters
C: Mix in numeric as well as special characters

I avoid using # or * in passwords, as some servers I've run into don't like these characters (it's rare, but it exists).

IMPORTANT - Your web control panel and MySQL user should follow the SAME rules above, and again be different than your Nuke logins. Many people use their web panel login as their MySQL user/pass, and so a few years back a hack existed which allowed a config.php to be viewed as a text file, which revealed the MySQL user/pass. If that was the same as your web control panel, the hacker now had access to your entire domain! Keep all logins and passwords separate.

PHrEEk
_________________ PHP - Breaking your legacy scripts one build at a time.

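One way to set up the "extra layer" from step 2 of PHrEEkie's sequence, as an added example that is not from the original post and not part of PHP-Nuke or NukeSentinel: an .htaccess placed in the Nuke folder itself (so, for a site in a subfolder, the site root and its normal pages are untouched) that puts HTTP Basic authentication in front of admin.php only, and also refuses direct requests for config.php, the file whose exposure leaked MySQL credentials in the incident PHrEEkie describes. The .htpasswd path, realm name and user name are assumptions; the access-control directives are Apache 2.2 syntax (Apache 2.4 replaces the Order/Deny pair with `Require all denied`).

```apache
# Added example, not from the original post or from PHP-Nuke.
# Place this file as .htaccess in the directory that holds admin.php.
# Paths, realm and user names below are assumptions.

# Server-side login popup before Nuke's own admin login.  Keep .htpasswd
# outside the web root; create it once with:
#   htpasswd -c /home/user/.htpasswd adminuser
# and use a login/password that differs from every Nuke, panel and MySQL login.
<Files "admin.php">
    AuthType Basic
    AuthName "Nuke administration"
    AuthUserFile /home/user/.htpasswd
    Require valid-user
</Files>

# config.php must never be served to a browser as text.  Nuke still reads it
# server-side via include/require, which this does not affect.
<Files "config.php">
    Order allow,deny
    Deny from all
</Files>

# In case a password file ever ends up under the web root anyway.
<Files ".htpasswd">
    Order allow,deny
    Deny from all
</Files>
```

After uploading, request admin.php in a browser: the server's authorization popup should appear before any Nuke page, and a direct request for config.php should return 403 rather than the file's contents. If no popup appears, check that the host has `AllowOverride AuthConfig Limit` (or `AllowOverride All`) enabled for the directory, since without it Apache ignores these directives.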
utssace
Posted: Sun Oct 14, 2007 7:18 am

You taught me some good stuff here PHrEEkie.

I didn't know that special characters can be used in passwords. Never tried it. I guess I thought that if usernames in Nuke Admin don't allow them, then passwords don't either. Is there a maximum number of characters for a password?

As for the site control panel, my host set up my passwords according to what I wanted, but my panel password and phpMyAdmin user and pass are the same. I wish I could change my own passwords in my control panel for the main account. I will ask my host about this. This was the reason for my problem: my passwords were too old and very weak.

Raven
Posted: Sun Oct 14, 2007 10:01 am

Every host I know of allows users to change their own passwords. Are you sure you don't have a way in your control panel?