Account Info?

edited January 2012 in Vanilla 2.0 - 2.8

Hello there, I'm new to Vanilla and I was wondering.
Is it possible to find other people's account information? Like if some friend on my site is on there and he forgot it, is there a way to find it? Like in a file in the Vanilla folder.

Answers

  • 422422 MVP
    Answer ✓

    Forgot password, forgot username, forgot ? Yeah, it's built in, but users' passwords are hidden even from admins.

  • I know that, but would just like to have that type of admin power ;)
    Thanks though.

  • x00x00 MVP
    Answer ✓

    Passwords are hashed (one way), not encrypted, which means the only way to retrieve them is through a dictionary attack, in other words a guessable password. This is why passwords are reset. Few places encrypt passwords so that they can be retrieved, because it is technically more involved, and not better.

    Though md5 has been cracked in the lab, the sheer variety of values plus any salt makes it impossible in practice. As it is, once they have access to your database, knowing the pass is the least of your worries.

    What you are basically doing is making a unique association between username, pass (and any other meta), where the pass is encoded one way and compared to a stored value of the same hash.

    If you have access to the user meta, knowing the old password is irrelevant; just get the user to reset the password or reset it for them. You should always do this with their existing contact information, or you could be being duped.

    grep is your friend.
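To make the answer above concrete, here is an added example (not Vanilla's code, and not from the poster) of the pattern described: a salted one-way hash that the admin can only verify or replace, never read, and a reset flow that is tied to the contact address already on file. The in-memory store, the PBKDF2 parameters and the token lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores; a real forum keeps these in its database.
USERS = {}         # username -> {"email": ..., "pw": "<salt hex>$<digest hex>"}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry timestamp)


def hash_password(password, salt=None):
    """One-way: random salt + PBKDF2-HMAC-SHA256. Nothing stored can be reversed."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def register(username, email, password):
    USERS[username] = {"email": email, "pw": hash_password(password)}


def admin_view(username):
    """What an admin can legitimately see: everything except the password hash."""
    return {k: v for k, v in USERS[username].items() if k != "pw"}


def issue_reset(username, contact_email, ttl=900):
    """Issue a single-use reset token only to the address already on file."""
    user = USERS.get(username)
    if not user or not hmac.compare_digest(user["email"], contact_email):
        return None  # same response whichever check failed
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()  # store only a hash of the token
    RESET_TOKENS[key] = (username, time.time() + ttl)
    return token  # would be e-mailed to contact_email, not shown to the admin


def complete_reset(token, new_password):
    """Consume the token (single use), reject it if expired, then replace the hash."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if not entry or entry[1] < time.time():
        return False
    USERS[entry[0]]["pw"] = hash_password(new_password)
    return True
```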

  • x4135 said:
    I know that, but would just like to have that type of admin power ;)
    Thanks though.

    Try and be more specific.

    Admin power?

    Granting users access to your site affords them some user privacy; if you want to eavesdrop on their info... all but the pass is viewable via the db.

  • x00x00 MVP
    edited January 2012

    Basically you should decline these sorts of requests from members as a general rule, as it is just a waste of time.

    Except in the case of data protection law, which states:

    • You must remove any personal identifying information on request, where that information has not been made public (anywhere) through their own choice. Personal information is anything that could be used to identify them and is personally descriptive. Arguably there is very little user meta that fits that (unless it is a Facebook wannabe site), but possibly some.
    • You must provide on request any personal information you have on them that they might not be aware of (unlikely to be applicable to a forum).

    You are already abiding by the law by allowing them to change this information.

    There isn't anything that they shouldn't be able to access with a simple reset, so what the guy says is moot. People new to forums need to be 'shown the ropes', so to speak, and for some unrealistic expectations to be explained away.

    Another popular one is asking to be banned or removed, or for their content to be removed. This is not necessary; it is against most terms due to the disruptive nature, and the fact that it is public content. They are perfectly capable of changing user information and setting their email to something else. You are not responsible for their own behaviour; it is called willpower.

    People forget that on a forum they are choosing you as their publisher, and they have a choice of other publishers. Once they have a fair amount of privileges, they tend to assume they have rights over you as a publisher, when actually the only freedom of speech that could be encroached (if mandatory) is yours as a publisher.

    A freedom of speech violation occurs when someone is prevented from having their views heard within a country; it is nothing to do with others not wanting to listen, or a publisher declining to publish their stuff. Despite this, it comes up time and time again on forums, usually when mudslinging.

    If push comes to shove, the information is in the database. Now that I have wasted your time somewhat on a red herring, you should take heed: as an admin, you should not let people waste your time with this sort of stuff.

    grep is your friend.

  • Well, what about:

    • setting the same password on the main site when the user changes his password?
    • restoring the password when lost?
