Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 23 Jan 2015, 13:45
Skyrider Skyrider is offline
 
Join Date: Feb 2006
Account Password Vulnerability - enhancing it more?

Account Password Vulnerability option in vB resets the passwords of those who has found to be vulnerable. It emails you a new password, yay! But is there anyway the password that is going to be send out is more enhanced? More characters, lower/bigger cases and symbols?

The passwords that were send and given by vbulletin though this feature is not that long, and i prefer it to be stronger by default.
Reply With Quote
  #2  
Old 23 Jan 2015, 13:59
Digital Jedi's Avatar
Digital Jedi Digital Jedi is offline
 
Join Date: Oct 2006
Real name: Mark Daniel Martinez
I'm not sure about how to configure that without major(?) code changes, but the new password should only be used temporarily, and immediately changed by the user. Even it it sends them a more complicated one. In fact, the email should probably tell them this, if it doesn't already.
__________________
Reply With Quote
  #3  
Old 23 Jan 2015, 14:00
HM666's Avatar
HM666 HM666 is offline
 
Join Date: Jan 2014
Real name: Len Kaiser
Maybe try this: http://www.vbulletin.org/forum/showt...light=password

If that is not what you are looking for then just do a search. Go to the search box at the top of the forum and use the word password as your search term then choose "All Mods" in the first drop down and then choose "Titles only" in the second one. That will give you several results to compare.
Reply With Quote
  #4  
Old 23 Jan 2015, 14:01
Skyrider Skyrider is offline
 
Join Date: Feb 2006
I saw that, but I'm looking for a way to give everyone a new password (mass force), but I prefer it having a hard password right away also for the inactive users.
Reply With Quote
  #5  
Old 23 Jan 2015, 14:09
HM666's Avatar
HM666 HM666 is offline
 
Join Date: Jan 2014
Real name: Len Kaiser
Hmmmm I see the built in feature will not work for that either. You would probably nee a special plugin/code for that.
Reply With Quote
  #6  
Old 23 Jan 2015, 15:22
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
You could edit file includes/functions.php and change the function fetch_random_password(), but that's also used by the mobile api so I don't know what affect that would have. It's also a kind of strange function that generates a string of random characters but seems to have been modified to insert one digit in a random place or something like that.

Or you could edit admincp/passwordcheck.php and where fetch_random_password() is called, substitute your own code. That's where the vulnerable password check happens, if the user requests a change that's done in login.php.
Reply With Quote
  #7  
Old 23 Jan 2015, 18:31
Skyrider Skyrider is offline
 
Join Date: Feb 2006
Thanks for the hint KH. I've altered the line:


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

and I've included some symbols. Seems to work just fine!

However, when I alter:


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

And change the lenght of the password to 12, doesn't appear to work. It sticks with giving a password length of 8.

Last edited by Skyrider; 23 Jan 2015 at 18:40.
Reply With Quote
  #8  
Old 23 Jan 2015, 19:11
Dave Dave is online now
 
Join Date: Jun 2010
Real name: Dave
That's because in admincp/passwordcheck.php around line 148 it calls the function with the number 8, that has priority over those default values.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #9  
Old 23 Jan 2015, 20:13
Skyrider Skyrider is offline
 
Join Date: Feb 2006
Originally Posted by Dave View Post
That's because in admincp/passwordcheck.php around line 148 it calls the function with the number 8, that has priority over those default values.
Sweet, thanks! Now I receive awesome passwords now, the way I want it.

Last question though. When resetting a password through recovery (user recovery password), what controls the type of password there that will be send? I am unable to find password_characters under login.php, though I found fetch_random_password.
Reply With Quote
  #10  
Old 23 Jan 2015, 20:15
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
You should find a call to fetch_random_password(8) in login.php.
Reply With Quote
  #11  
Old 23 Jan 2015, 21:04
Skyrider Skyrider is offline
 
Join Date: Feb 2006
Originally Posted by kh99 View Post
You should find a call to fetch_random_password(8) in login.php.
That, I can. But I'm unable to find the letters being used.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

is not found in login.php, as such resetting passwords on the users end (normal recovery) isn't using the password characters through functions.php, I tried and it just gives a normal password with no new characters I added.
Reply With Quote
  #12  
Old 23 Jan 2015, 21:17
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
Oh, well, you don't find the string of letters there because they should only occur once, in fetch_random_password(), which is called from both places. But if you're not seeing the new chars when you request a password change, then there must be something else going on. I'll take a look and post back if you haven't figured it out by then.
Reply With Quote
  #13  
Old 23 Jan 2015, 21:29
Skyrider Skyrider is offline
 
Join Date: Feb 2006
I just searched all *.PHP files.. "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz" and or $password_characters is only called in functions.php, so currently no idea where else to look.
Reply With Quote
  #14  
Old 23 Jan 2015, 21:35
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
Oh, did you actually try requesting a password change? What I was trying to say is that the code in login.php should use the variable with the string of characters that you already changed, so it should change in both cases. If you want to increase the length then you should change login.php where it says fetch_random_password(8) (to something higher than 8).
Reply With Quote
  #15  
Old 23 Jan 2015, 21:35
Dave Dave is online now
 
Join Date: Jun 2010
Real name: Dave
You need to change the string in the fetch_random_password function because it's not a global variable.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 17:48.

Layout Options | Width: Wide Color: