


ocPortal 8 upgrading - security

#82050 (In Topic #17090)

Hi,

This is pre-emptive advice for when ocPortal 8 is released.

With version 8 we're tightening up security around the ocPortal master password. In recent years improved CPU/GPU performance, and general advances in security research, have meant that a hacking technique called "rainbow tables" has become an increased risk.

Rainbow tables allow you to reverse a hashed password back to a working password, and hence get access to a site. However, you need the hashed password, which of course ocPortal does not provide.

So the security risk is that if someone found some vulnerability that allowed them to read your configuration file, they might then be able to get a working master password by using rainbow tables. It's a theoretical risk, but it is best to have multiple levels of security defence.

To mitigate this we are deploying a standard security technique called 'salting' to the master password. To take advantage of this, after upgrading just load up the config_editor.php script, and change your password. The updated password will be salted, meaning general purpose rainbow tables could not be used on your password hash.

An additional risk is that a hacker might try to use brute force against ocPortal's scripts, to guess at the master password repeatedly. As these scripts are designed to be minimally simple they don't provide any protection themselves against this kind of attack. One would hope that the web host would have some kind of firewall that would detect and block floods of requests, or that the chosen master password would be complex enough to protect against brute force attacks (i.e. long, consisting of combinations of letters and numbers, not too similar to any dictionary words). But that will not always be the case.

So, for extra security we are going to recommend that people who think they may be a target for hackers actually remove the master password from their info.php files completely. This prevents any kind of login to the support scripts (the upgrader, config editor, and so on). ocPortal 8 will support this and simply say if there is no password to login with. You can then put it back for the short periods of time where you need master access (e.g. to upgrade).
So, when ocPortal 8 comes out, you may wish to actually manually edit the info.php file and cut out the following line:

Code

$SITE_INFO['admin_password']='...';

Store it somewhere safe away from the server, and paste it back in only when required.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
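To make the salting point above concrete, here is an added example (not ocPortal's own code, and not Chris's) that models the two schemes side by side: an unsalted md5 that a precomputed lookup table recovers in one step, and a per-password salted hash that the same table cannot touch. The table, the candidate passwords, the salt values and the `master_login` helper (which models the "no admin_password line means no login" behaviour the post describes) are all constructed for this example; md5 is kept for both schemes so that the only difference shown is the salt.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a rainbow table: a precomputed map from the
# unsalted md5 digest back to the password. Real tables are vastly larger,
# but the lookup step is the same.
CANDIDATES = ["password", "letmein", "ocportal", "master123", "qwerty"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in CANDIDATES}


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare md5 of the password, nothing else."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted(stored_hash: str):
    """Against an unsalted hash the precomputed table needs one dictionary lookup."""
    return PRECOMPUTED_MD5.get(stored_hash)


def make_salt(nbytes: int = 16) -> str:
    """Fresh random salt per password (hex so it stores cleanly in a config file)."""
    return secrets.token_hex(nbytes)


def salted_hash(password: str, salt: str) -> str:
    """Salted scheme: md5 over salt + password, stored as 'salt$digest' so the
    salt travels with the hash and verification can reproduce it."""
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare of the digests."""
    salt, digest = stored.split("$", 1)
    candidate = hashlib.md5((salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def lookup_salted(stored: str):
    """The same precomputed table applied to the salted digest. It was built
    without the salt, so it finds nothing: the attacker would have to rebuild
    the whole table for this one salt."""
    _, digest = stored.split("$", 1)
    return PRECOMPUTED_MD5.get(digest)


def master_login(site_info: dict, supplied: str):
    """Illustrative model of the info.php behaviour described in the post:
    with no 'admin_password' entry at all, master login is simply unavailable."""
    stored = site_info.get("admin_password")
    if not stored:
        return False, "no master password configured; support scripts disabled"
    if verify_salted(supplied, stored):
        return True, "ok"
    return False, "bad password"


if __name__ == "__main__":
    weak = unsalted_hash("ocportal")
    print("unsalted md5 recovered from table:", lookup_unsalted(weak))
    strong = salted_hash("ocportal", make_salt())
    print("salted md5 recovered from table:", lookup_salted(strong))
    print("login with password removed:", master_login({}, "ocportal"))
    print("login with salted password:", master_login({"admin_password": strong}, "ocportal"))
```

Two salts for the same password give two unrelated hashes, which is exactly what makes a general-purpose table useless; the remaining risk (a per-site brute-force search against the hash) is what the later replies in this thread discuss.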
#82056

bookmarked

Take my advice. I'm not using it!

View my working ocPortal site (version 9.x.x) at Anglo-Indian Portal
#82071

Good to know information, thank you Chris. :)

Metal IS Forever & We WILL Rock You 'til You Choke! Rock Babe
#84627

Can I make a feature request for future versions that the hash algorithm be configurable to something chosen by the site admin? Rainbow tables are pretty thorough for md5 and a couple of others, but there are algorithms out there that are better and have fewer rainbow tables produced to attack with. Of course I can add this to my site manually myself, but I am thinking for the general public, as an option in future releases, it would be an extra layer of defense, especially if it is carried into users' passwords and stuff. This way hackers could never be sure of the algorithm a particular ocPortal site is using. Well, unless of course they somehow compromised where that configuration directive is stored, but as you said each extra layer makes it more annoying for them, and it's kinda like the burglar looking for homes to rob: he's going to move down the street to the dark unalarmed house rather than yours if you've well lit your property and added security and a dog!
#84628

Rainbow tables can't attack salted passwords, which is what ocPortal is using. However there is something on the tracker about something similar to what you suggest, as doing md5 space searching is also possible, albeit slow. It's quite a theoretical risk – the hacker first needs to hack into the database/disk to get the passwords, then probably put a whole botnet trying to crack the hashes. But it is something ideally to protect against.
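The feature request in #84627 (an admin-selectable hash algorithm) and the reply above (salting beats tables, but a slow search over the hash space is still possible) both come down to one design: store the scheme name, an iteration count and the salt inside the hash record itself, so verification reads the scheme from the record and the admin can switch schemes without breaking existing logins. The following is an added example of that pattern in Python, not ocPortal's code; the scheme names, the `$scheme$iterations$salt$digest` record layout and the iteration counts are assumptions made for the example. It goes a little beyond the thread by also rehashing a legacy record on the next successful login.

```python
import hashlib
import hmac
import secrets

# Schemes an admin may choose from (assumed names, not ocPortal settings).
# The value is the default iteration count; None marks the single-pass legacy scheme.
SCHEMES = {
    "md5-salted": None,        # legacy: one md5 over salt + password
    "pbkdf2-sha256": 100_000,  # iterated: each guess costs 100k HMAC rounds
    "pbkdf2-sha512": 100_000,
}


def hash_password(password, scheme="pbkdf2-sha256", iterations=None, salt=None):
    """Produce a self-describing record: '$scheme$[iterations$]salt$digest'."""
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme {scheme!r}")
    salt = salt or secrets.token_hex(16)
    if scheme == "md5-salted":
        digest = hashlib.md5((salt + password).encode()).hexdigest()
        return f"${scheme}${salt}${digest}"
    iterations = iterations or SCHEMES[scheme]
    prf = scheme.split("-", 1)[1]  # 'sha256' or 'sha512'
    digest = hashlib.pbkdf2_hmac(prf, password.encode(), bytes.fromhex(salt), iterations).hex()
    return f"${scheme}${iterations}${salt}${digest}"


def parse_record(record):
    """Split a record into (scheme, iterations, salt, digest); iterations is None for md5-salted."""
    parts = record.split("$")  # parts[0] is '' because the record starts with '$'
    scheme = parts[1]
    if scheme == "md5-salted":
        _, _, salt, digest = parts
        return scheme, None, salt, digest
    _, _, iterations, salt, digest = parts
    return scheme, int(iterations), salt, digest


def verify_password(password, record):
    """The scheme is read from the record, so old and new records both verify."""
    scheme, iterations, salt, _ = parse_record(record)
    expected = hash_password(password, scheme, iterations, salt)
    return hmac.compare_digest(expected, record)


def needs_rehash(record, current_scheme="pbkdf2-sha256"):
    """True when the record uses an older scheme or fewer iterations than the current policy."""
    scheme, iterations, _, _ = parse_record(record)
    if scheme != current_scheme:
        return True
    return iterations is not None and iterations < SCHEMES[current_scheme]


def login_and_migrate(password, record, current_scheme="pbkdf2-sha256"):
    """Verify, and if the stored record is behind policy, return an upgraded
    record to write back. The plaintext is only available at login time, so
    this is the one moment a site can migrate without a forced reset."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, current_scheme):
        record = hash_password(password, current_scheme)
    return True, record


if __name__ == "__main__":
    legacy = hash_password("ocportal", "md5-salted")
    print("legacy record:", legacy)
    ok, upgraded = login_and_migrate("ocportal", legacy)
    print("login ok:", ok)
    print("upgraded record:", upgraded)
```

The iteration count is what answers the "md5 space searching" point: every guess an attacker makes against a pbkdf2 record costs the same 100,000 rounds the server pays once per login, so the search that was cheap against a single md5 becomes proportionally slower, and the count can be raised later because it is stored with the record.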


#84661

Back when I was using Nuke for a site I had users with admin privileges who used the same password on my site as they used on another community site. Admins from that site used their passwords to gain access to my admin section. Once I discovered this I rewrote Nuke's login section to be able to use different hashing methods along with salts as well as a custom scrambling routine, and then also wrote a module for me to manage passwords which allowed me to reset people's passwords (and set temporary ones) via groups, admins or individual users any time I felt like it. I also added the ability to add disallowed passwords, and any time I changed a user's password I stored the old one (encrypted along with the method of encryption) and they were not allowed to use that password again (only that person though; someone else could use it if they liked). This worked great because the biggest weak point in password security is the end users, and making sure both that their password was stronger and that they couldn't just keep using common passwords they've used on other sites helps.
#84937

Chris Graham said

Hi,

With version 8 we're tightening up security around the ocPortal master password. In recent years improved CPU/GPU performance, and general advances in security research, has meant a hacking technique called "rainbow tables" has become an increased risk.

So if I made the mistake of deleting the SITE_INFO['admin_password'] line entirely and not saving it, is there any way of re-creating the password so that I can make use of the upgrade utility?

Thanks
#84941

Just put back a line with your choice of password in there, and it'll let you log in with it. Then use config_editor.php to change the password, which will encrypt it.

