Way back in 2009 phpbb.com was hacked via an exposure in the phplist mailing list software. (Just to be very clear, there was no exploit found in the phpBB code used to run the site, only this supplementary program used to run the email notification system.) One of the results of the hack of phpbb.com was that several thousand user passwords were exposed and posted on the Internet. They were exposed, frankly, because they were too simple, and that’s not phpBB’s fault.

Pet Names Don’t Make Good Passwords

People often struggle with remembering passwords. Yes, there are programs that can help you with that, but are they really that much more secure than writing things down on a piece of paper? Here’s one take from one of my favorite web comic authors:

The bottom line is that a password is supposed to protect an account from unauthorized access. It’s not supposed to prevent authorized access, but for infrequently used resources it can do that as well.

Password Storage

One indicator of concern to me is whether a web site can send you your existing password when you forget it. That means they’re likely using an encryption process rather than a hashing algorithm to store passwords. And that means anyone with access to the decryption key can read every password in the system. phpBB2 uses a hashing algorithm which means as a board owner / administrator I can safely say to any of my users that I cannot tell them what their password is. I can assign them a new one, and of course there is a self-service option available to phpBB2 users that will do just that, but I cannot tell them what their existing password is. In a default phpBB2 installation a user password is hashed and stored as a 32 character string. Similar passwords will generate very dissimilar hash strings, so there is no way for someone to easily guess what a password might be simply based on the results of the hash. For example, here are a few similar input values and the resulting MD5 hash outputs:

test     098f6bcd4621d373cade4e832627b4f6
Test     0cbc6611f5540bd0809a388dc95a615b
tset     751ec45015a704a39dc403001c963e97
test1    5a105e8b9d40e1329780d62ea2265d8a

Despite the similarity of the input values they all have very different hash values. That means that similar hash values are going to have very different input values as well. Also, because a hash is generated by a one-way function there is no way to recreate the input value based on the hash. (There are some cases where two different input values could generate the same output hash; that’s allowed.)

If that’s the case, then how can I tell if a user has entered the correct password when they log in? It’s actually really simple. When a user logs in, phpBB takes the password provided on the form, hashes it, and then compares the resulting hash value to the hash stored in the database. As long as the input values are the same (entering “test” as my password will always generate 098f6bcd4621d373cade4e832627b4f6 as the hash value) then the password matches and the user is logged in.

How, then, were hackers able to decipher the passwords stored in the phpBB.com database if there is no way to reverse a hash process? They didn’t. Instead they used a lookup table (also called a rainbow table) to match up known hash values with their source value. Imagine taking a dictionary and running every word in it through the hashing process. When you’re done, you have a list of hashes and their source. By matching password hash values against the list of known entries the hackers were able to figure out what a number of phpBB.com user passwords were.

To help defeat this sort of process, phpBB3 now uses a salted hash which provides even more security. I imagine someone has back-ported this to phpBB2 as a MOD but I have not had time to look for one yet. But the fact is if a secure password is used (a combination of words and numbers, or as the cartoon above suggests several words run together) the odds of the password appearing in a rainbow table are extremely slim, and even the simple hashing algorithm used in phpBB2 is essentially safe. Even changing the case of one letter helps, as shown in these two hash examples from earlier:

test     098f6bcd4621d373cade4e832627b4f6
Test     0cbc6611f5540bd0809a388dc95a615b

Changing the “t” to a “T” changes the hash. It might be even better to change something other than the first letter, for example changing the “e” to an “E” as in tEst. That’s a very easy word to remember and it’s not likely to show up on any rainbow table, unless a hacker wants to run every possible combination of upper and lower case letters for every possible dictionary word. Ultimately it would be better to use a combination of letters (mixed case), numbers, and even symbols where allowed.

So how important is it that phpBB3 uses a salted algorithm for passwords? If people were smart about what passwords they use then it really would not matter so much. But as shown in some of the related links at the end of this post, people are not very smart about the passwords they pick. In that case, the salting process is quite beneficial.

Social Engineering

Which brings me to my final issue for this post: people can be fond of certain passwords and often use (reuse) them on more than one site. If you use the same password for a phpBB board that you use for your banking system, then change it. Change it now. For one thing, most phpBB board owners do not use a secure protocol (such as HTTPS rather than HTTP) for their sites. That means the password is exposed during the transmission of the form data. Ultimately no matter how a password is stored or how complex the password might be, if people can be tricked into giving up their passwords by phishing emails, web site plugins, and other techniques, that’s a problem. If a hacker manages to grab the password for one site, they may then be able to use it on other sites. I have made a practice of using a unique password on every service I sign up for in order to prevent this for a very long time. But once again, xkcd.com says it better:

Related Links

• phpBB Password Analysis
• 500 Worst Passwords