Go Back   vb.org Archive > vBulletin Modifications > Archive > vB.org Archives > vBulletin 2.x > vBulletin 2.x Full Releases

Reply
 
Thread Tools
Secret Word Hack Details »»
Secret Word Hack
Version: 1.00, by Parker Clack Parker Clack is offline
Developer Last Online: Nov 2013 Show Printable Version Email this Page

Version: 2.2.x Rating:
Released: 06-17-2002 Last Update: Never Installs: 8
 
No support by the author.

When members sign up to the board they will often times change email addresses but then they don't update their profile to reflect this email change. They then lose their password and the script cannot send them one because the email address doesn't work anymore. This script allows your members to have the option of adding a secret word that will allow them to put in a new email address. They can then go ahead and have the script email them the password reset and they can get back onto the board without you having to look up their account. Now if they forget their password and their secret word well...

Make back ups of all the script and template files that you are about to make as there are several.

My thanks go to Chen (aka Firefly) for assistance with the coding needed to get this to work right.

Note: This file as been updated on 6.25.2001.

After working with this on several sign ups I have found that the section that I added to the user.php file will over write the secret code if you moderate your board or change any member information from the admin control panel. This updated file contains the changes to the user.php file and the rest of the file changes. If you have already installed this hack you only need to make the changes to the user.php as written. Nothing else has changed. If this is your first time installing it go with the layout as in the hack.

Parker

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #22  
Old 06-26-2002, 01:40 AM
JJR512's Avatar
JJR512 JJR512 is offline
 
Join Date: Oct 2001
Location: Glen Burnie, MD, USA
Posts: 710
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I have updated my version, attached in Post #17 (above), to incorporate some suggestions from Parker Clack. The change basically checks to see if the person has a secret question/answer before it tries to take the person through the process of answering the secret question.

LoveShack, I'm not sure if I understood what you meant by your Point #1 above. Whether the system uses predefined questions or lets users make up their own questions, either way, the question is going to be visible to anyone who wants to see it. I think if the user can make up his own question/answer, he/she is more likely to use something that he/she can easily remember. Either way has advantages and disadvantages. I happen to like the way I did it, which is why I did it that way; you want it another way, and are going to code that for yourself, so now, like Parker said, we will have even more choices!

(BTW, the added complexity that you alluded to at the end of your post is part of the reason why I avoided going that way! )

I agree that making everything work as lower-case would be a good idea, and I'll work that in sometime tonight, and update my post again.

Regarding your Point #3, I understand what you're saying...I think that using unencrypted answers might be a better idea if you're using predefined questions, per your other suggestion. But for my version, allowing the user to make up his own question, I don't think many people would be too keen on the idea of putting in a question like, "What is my mother's maiden name?" if they know that I'll be able to see the answer. I could take that answer and use it to find out all kinds of things about that person and commit all kinds of fraud. Not that I would, of course, but what I'm saying is that some people will know that that kind of thing is possible. If you use a predefined question you could make a question that people wouldn't care if the board owner could see the answer or not. This is the same kind of debate, pretty much, that raged when vBulletin switched the password system to MD5, as well. There are some advantages to being able to see the passwords. But having them be encrypted was deemed to be more important, so I figured those reasons pretty much applied here, too.
Reply With Quote
  #23  
Old 06-26-2002, 01:52 AM
Paul Paul is offline
 
Join Date: Jan 2002
Posts: 211
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi,

Quote:
Originally posted by JJR512
LoveShack, I'm not sure if I understood what you meant by your Point #1 above. Whether the system uses predefined questions or lets users make up their own questions, either way, the question is going to be visible to anyone who wants to see it.
Not necessarily. In the suggestion I made, one would have to choose the correct question and correct answer making both a part of the authentication procedure. For example, suppose a drop-down box was used with three questions. You would need to pick the correct question from the drop down box and supply the correct answer in order to be able to change the e-mail address.

Quote:
(BTW, the added complexity that you alluded to at the end of your post is part of the reason why I avoided going that way! )
Added complexity in this case is added security.

Quote:
I agree that making everything work as lower-case would be a good idea, and I'll work that in sometime tonight, and update my post again.
Pretty simple to do. Just use strtolower();

Quote:
Regarding your Point #3, I understand what you're saying...I think that using unencrypted answers might be a better idea if you're using predefined questions, per your other suggestion. But for my version, allowing the user to make up his own question, I don't think many people would be too keen on the idea of putting in a question like, "What is my mother's maiden name?" if they know that I'll be able to see the answer. I could take that answer and use it to find out all kinds of things about that person and commit all kinds of fraud. Not that I would, of course, but what I'm saying is that some people will know that that kind of thing is possible. If you use a predefined question you could make a question that people wouldn't care if the board owner could see the answer or not. This is the same kind of debate, pretty much, that raged when vBulletin switched the password system to MD5, as well. There are some advantages to being able to see the passwords. But having them be encrypted was deemed to be more important, so I figured those reasons pretty much applied here, too.
You clearly would not use a question such as "What's your mother's maiden name," simply because it's a question frequently used in banking. Rather, by using predefined questions you could narrow the possibility that you'd be intruding on privacy issues and get a more identifying piece of information. For example, "Who was your fourth grade social studies teacher?"

Encrypting the answers would mean that Mrs. Johnson != Mrs Johnson != Harriet Johnson != Miss Johnson, simply because you couldn't visually make a determination as to what the correct answer is supposing the person e-mailed you.

After evaluating this hack and taking all these situations into consideration, my development team decided that this was creating more of a problem than it was potentially solving. A good hack for those who want such a system though. Kudos for creating it.

Paul
Reply With Quote
  #24  
Old 06-26-2002, 02:33 AM
JJR512's Avatar
JJR512 JJR512 is offline
 
Join Date: Oct 2001
Location: Glen Burnie, MD, USA
Posts: 710
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The "added security" that would allegedly result from making the user select a question from a drop-down box, in addition to having to correctly answer that question, is, in my opinion, not truly any more secure of a system than just having a secret word, as the original form of this hack was, except that now the user has to remember two things, the question and the answer, as opposed to just one, and let's remember, the user is doing this in the first place because he couldn't remember something. The whole point of the question, at least the way I see it, is that it's there to help jog the memory of the user. The way my version works isn't really any different from the way Parker's original version works; the user has to remember one thing, whether it's called a "secret word" or "secret answer". The question serves no practical purpose as far as how this system works is concerned; its sole purpose is to help the user remember what his secret word (or "answer") is.

Quote:
Pretty simple to do. Just use strtolower();
Yes, it was. I knew how to do it; I just had to take the time to do it. I believe I replaced all occurances of md5($secret_a) with md5(strtolower($secret_a)). I will change the attachment in my earlier post with the newer version right after I submit this reply.

I understand what you're saying about having the answer encrypted. This debate as to the value of leaving it in plain text has already taken place, when the vB team switched the password system to use encryption. So believe me, I understand; I've seen it all before. My point of view is this. The user will be using this system because he couldn't remember his password. If he can't remember his password, why should I think he'll have better luck remembering a question that might be meaningless to him personally, and the answer to that as well? This is why I want the user to be able to make up his own question, because it will most likely be something that means something to him. And because the question means something to him, so will the answer, and it won't be something he's likely to forget. For the user to feel comfortable using such a personal question, he needs to feel secure that his answer is secure.

There is no way that this can create "more of a problem" than it is solving. Without this system, if a use forgot his password, he was going to be contacting you for help. This system gives the user a fall-back system to use in case he forgets his password, that potentially allows him to recover from the situation without needing to contact you. If he can't remember his secret answer and can't get in, he's going to contact you. It's not this system is going to make people contact you when they would otherwise have had no reason to do so.

So, like I said, we have choices. Anyone who likes my version can use mine; anyone who likes Parker's version can use his; anyone who likes whatever you might post can use yours; and anyone who wants something else that's slightly different from anything we've done so far can either make it themselves, or suggest it here and maybe one of us will incorporate that suggestion into a new version.
Reply With Quote
  #25  
Old 06-26-2002, 05:50 AM
Parker Clack Parker Clack is offline
 
Join Date: Oct 2001
Posts: 351
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I have made changes to the admin/user.php file in both versions of the hack that I wrote. The only difference between the two files is that one encrypts the secret word and the other one doesn't.

If you have already installed the hack the only changes that were made were to the admin/user.php file. The rest of the hack is unchanged. This was necessary are the script as written was over writing the secret word if you used the admin control panel to change any of the member's information or after a member signed up.

If this is the first time you have installed this hack then just follow it as outlined in the hack.

Remember to make back ups of any of the files that you have changed.

I apologize for any inconvience that this might have caused.

Parker
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 09:59 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.10961 seconds
  • Memory Usage 2,253KB
  • Queries Executed 21 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (5)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (6)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (5)post_thanks_box
  • (5)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (5)post_thanks_postbit_info
  • (4)postbit
  • (5)postbit_onlinestatus
  • (5)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete