Security of Forums

This is an archive of the mabination.com forums which were active from 2010 to 2018. You can not register, post or otherwise interact with the site other than browsing the content for historical purposes. The content is provided as-is, from the moment of the last backup taken of the database in 2019. Image and video embeds are disabled on purpose and represented textually since most of those links are dead.

To view other archive projects go to https://archives.mabination.com

hengsheng120 wrote on 2010-05-21 19:00

On any modern disscussion boards, can the administrator or sysop view what your account password is?
I'm worried that on other boards admins can login with someone else's user account (w/o changing the password) and taking other advantages by knowing the original password.
emomutt wrote on 2010-05-21 19:06

you are paranoid...
Bakuryu wrote on 2010-05-21 19:15

No, passwords are hashed by MD5, and MD5 can not be "decrypted", and vbulletin hashes several times and salts the pass. So admins can't look at your password by looking at the database or whatever.
If vBulletin security was so poor, it wouldn't be the most used forum software out there
Osayidan wrote on 2010-05-21 19:22

Passwords are md5+salt, so we can't get them.
There's tools to log in to a user account while logged in as admin, without password changing, but I never understood the reason for them, the admins can just look at your profile on the admin panel to get everything they could ever need, and to modify anything that needs modifying.

There's more risk of someone packet sniffing on your LAN getting your password than an admin of a vbulletin forum, unless it's https.
Phunkie wrote on 2010-05-22 07:20

Why so paranoid anyway?
Cucurbita wrote on 2010-05-22 07:46

If the engine was custom made, maybe.
But on common commercial engines like vBulletin, no.
Common freeware ones like phpBB and such too.
Forsaken wrote on 2010-05-24 05:17

Quote from Osayidan;40895:
Passwords are md5+salt, so we can't get them.
There's tools to log in to a user account while logged in as admin, without password changing, but I never understood the reason for them, the admins can just look at your profile on the admin panel to get everything they could ever need, and to modify anything that needs modifying.

There's more risk of someone packet sniffing on your LAN getting your password than an admin of a vbulletin forum, unless it's https.

The "Log in as user" plugin by Valter was created so that administrators could check forums permissions and functions, though I have also used it for moderation (Investigation into member harassment).

As for MD5/Salt, vBulletin is secure by itself, but that doesn't mean theres no chance of a database leak (For any site). You should never use the same password on multiple sites.