Thread: Secret Word Hack
View Single Post
  #21  
Old 06-24-2002, 06:31 AM
Paul Paul is offline
 
Join Date: Jan 2002
Posts: 211
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
A more "secure" and user-friendly approach to this hack would be the following:

1. Requiring predefined questions which become part of the authentication procedure (entering in a username and seeing a question isn't a good idea from a security standpoint).

2. Converting the answer to lowercase before processing the md5 hash. ("What is my favorite flavor of ice cream?" A: "Strawberry" is not the same as "strawberry")

3. Creating an md5 hash of the secret answer prevents the administrator from making a visual determination to see if "Main Street" and "Main St." are actually both the correct answer. If the user cannot remember their password, chances are they won't recall the exact spelling and punctuation used in their answer.

Any thoughts?

Paul

Edit: These comments apply to Justin's version of the hack.

I'm assuming the easiest way to do this would be a strtolower() around any processing of secret_a and creating another table with the various questions and an id number (reducing the overall size of the database) (i.e. "What is the name of the town you were born in?" = "2")

secret_q would then have a value of "2"

I'll try doing this myself tomorrow, but I have a limited knowledge of the workings of vb
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01274 seconds
  • Memory Usage 1,761KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete