Results 1 to 9 of 9

Thread: password reset request (and fix)

  1. #1
    Registered+
    Join Date
    Jun 2017
    Posts
    2
    Thanks
    0
    Thanked
    0 times in 0 posts

    password reset request (and fix)

    your password reset form has not been working for quite some time (the capture thing keeps on saying its incorrect when its not, works fine making a new account but not when you want to change password, tryed firefox and chrome) can you please send the password reset for leexgx user

    link i am using is forums.hexus net/login.php?do=lostpw (i am assuming its not going to let me post the full link so removed the dot)

  2. #2
    HEXUS.timelord. Zak33's Avatar
    Join Date
    Jul 2003
    Location
    I'm a Jessie
    Posts
    35,185
    Thanks
    3,126
    Thanked
    3,179 times in 1,926 posts
    • Zak33's system
      • Storage:
      • Kingston HyperX SSD, Hitachi 1Tb
      • Graphics card(s):
      • Nvidia 1050
      • PSU:
      • Coolermaster 800w
      • Case:
      • Silverstone Fortress FT01
      • Operating System:
      • Win10
      • Internet:
      • Zen FTC uber speedy

    Re: password reset request (and fix)

    Hi there

    I assume you've had to create a new account to post in here. I will look now

    Quote Originally Posted by Advice Trinity by Knoxville
    "The second you aren't paying attention to the tool you're using, it will take your fingers from you. It does not know sympathy." |
    "If you don't gaffer it, it will gaffer you" | "Belt and braces"

  3. #3
    Member
    Join Date
    Jun 2017
    Posts
    1
    Thanks
    0
    Thanked
    0 times in 0 posts

    Re: password reset request (and fix)

    I will try to replicate the issue by locking myself out of the forum and resetting the password

  4. #4
    HEXUS.timelord. Zak33's Avatar
    Join Date
    Jul 2003
    Location
    I'm a Jessie
    Posts
    35,185
    Thanks
    3,126
    Thanked
    3,179 times in 1,926 posts
    • Zak33's system
      • Storage:
      • Kingston HyperX SSD, Hitachi 1Tb
      • Graphics card(s):
      • Nvidia 1050
      • PSU:
      • Coolermaster 800w
      • Case:
      • Silverstone Fortress FT01
      • Operating System:
      • Win10
      • Internet:
      • Zen FTC uber speedy

    Re: password reset request (and fix)

    the Captcha screen worked for me immediately, so I'm a bit stuck helping

    I assume you used a diff email address for this new account and the original?

    Quote Originally Posted by Advice Trinity by Knoxville
    "The second you aren't paying attention to the tool you're using, it will take your fingers from you. It does not know sympathy." |
    "If you don't gaffer it, it will gaffer you" | "Belt and braces"

  5. #5
    Registered+
    Join Date
    Mar 2007
    Location
    west
    Posts
    58
    Thanks
    0
    Thanked
    3 times in 3 posts
    • leexgx's system
      • Motherboard:
      • Rampage extream II
      • CPU:
      • i7-920 @ 4Ghz
      • Memory:
      • 6GB OCZ gold 1600
      • Storage:
      • M225 250GB, 1TB segate
      • Graphics card(s):
      • GTX480
      • PSU:
      • Thermaltake 1000W
      • Case:
      • antec 900
      • Operating System:
      • Win7 64
      • Internet:
      • real super fast VM 51MB (not fake 24mb superfast thats infact 1mb)

    Re: password reset request (and fix)

    yes its me (manged to get past the image verification Error , i am typing it in correctly, could you upgrade to newer Captcha that uses the newer layout with images you have to pick)

    emm its still broke but but less broke now or it seems so (it when it successfully gets past the Captcha it says "Failed to to redirect to http://www.google.com" but sends the reset token email any way) i dont think it likes *@yahoo.com addresses as i have now changed it to gmail.com and it got the message saying we are sending you the reset link (just a white page with a box with that message)

    but the error "The string you entered for the image verification did not match what was displayed." is still happening to me when i try a second time (actually all of them are now failing) it seems after the first one fails or works all of them fail afterwards even if the Captcha is correct (as i was unsure what my email was first time round)

    still don't recommended the way password reset works, when i get the second email it sends username and password in clear text which is not really recommended it should send a reset password token so you can change the password (i am assuming the passwords are not stored in clear text)
    Last edited by leexgx; 26-06-2017 at 04:19 PM.

  6. #6
    Admin (Ret'd)
    Join Date
    Jul 2003
    Posts
    18,481
    Thanks
    1,016
    Thanked
    3,208 times in 2,281 posts

    Re: password reset request (and fix)

    Passwords are not stored at all at our end. Once a password change has been effected, a hash value (MD5, IIRC) is stored. When you do anything requiring password, the hash is generated at your end from the password and only the hash value sent and compared at this end to the stored hash, which is, of course, a one-way transformation. That is, generating the hash from the password is trivial, but reversing it and extracting the password from the hash is, as far as I'm aware, mathematically impossible.

    As for sending it in clear text, the idea is that you enter it, thus generating and sending the hash, and then you login and immediately use the 'change password' option to reset from the mailed password. It is also on a timeout clock giving a limited window to do it.

    I did a similar check to Zak on Captcha and it worked perfectly for me too. Did you try more than one browser, just in case some plug-in, etc, was affecting it? I keep a plain, vanilla browser installed just for such uses.

  7. #7
    HEXUS.timelord. Zak33's Avatar
    Join Date
    Jul 2003
    Location
    I'm a Jessie
    Posts
    35,185
    Thanks
    3,126
    Thanked
    3,179 times in 1,926 posts
    • Zak33's system
      • Storage:
      • Kingston HyperX SSD, Hitachi 1Tb
      • Graphics card(s):
      • Nvidia 1050
      • PSU:
      • Coolermaster 800w
      • Case:
      • Silverstone Fortress FT01
      • Operating System:
      • Win10
      • Internet:
      • Zen FTC uber speedy

    Re: password reset request (and fix)

    hello

    I cant reset it for you, but I've compared the two accounts.

    Bound to have diff IP addresses but diff years of birth (classic 1 Jan jobs..doh) too and diff email addresses I cant spend too much time adminning this.
    I don't doubt it's you bud, but we are where we are on security.

    So.... to solve it... stick with this new account. You've lost 49 posts on the old account, and nothing more. I've activate PM for you.

    Quote Originally Posted by Advice Trinity by Knoxville
    "The second you aren't paying attention to the tool you're using, it will take your fingers from you. It does not know sympathy." |
    "If you don't gaffer it, it will gaffer you" | "Belt and braces"

  8. #8
    Registered+
    Join Date
    Mar 2007
    Location
    west
    Posts
    58
    Thanks
    0
    Thanked
    3 times in 3 posts
    • leexgx's system
      • Motherboard:
      • Rampage extream II
      • CPU:
      • i7-920 @ 4Ghz
      • Memory:
      • 6GB OCZ gold 1600
      • Storage:
      • M225 250GB, 1TB segate
      • Graphics card(s):
      • GTX480
      • PSU:
      • Thermaltake 1000W
      • Case:
      • antec 900
      • Operating System:
      • Win7 64
      • Internet:
      • real super fast VM 51MB (not fake 24mb superfast thats infact 1mb)

    Re: password reset request (and fix)

    MD5 quite easy to get mass passwords from it in a reasonable time, i don't use the same password on any site and are max length 49-50 here so even with MD5 they have fun with mine but it is brute forceable even at 49-50 with MD5

    this one is working fine(like my 2007 join date) as i managed to get it to send the reset token, just it was saying it failed to redirect me to google.com (did try on firefox and chrome seems to do the same thing) once i changed it to gmail.com from yahoo it was saying it was sending me the reset token (and it did) but it was failing for me again afterwards but i am logged in now so not really a issue

  9. #9
    Admin (Ret'd)
    Join Date
    Jul 2003
    Posts
    18,481
    Thanks
    1,016
    Thanked
    3,208 times in 2,281 posts

    Re: password reset request (and fix)

    Whether it's easy to get mass passwords in reasonable time depends on how it's implemented. For instance, if and how it's salted, whether it's slow-salted (and how), whether salts are externally randomised, and of course, what other tripwires a brute force attavk might trip.

    It's worth pointing out at this point that I'm merely a forum admin on this site and have absolutely no knowledge of how security and/or passwords are implemented here. I have done it on other sites, but not in recent years.

    So while a discussion of various ways to implement, attack or defend against attacks of MD5 hashing might be interesting, it'll be academic as I have no involvement in how it's done here.

    I would just point out that there's a large difference between using MD5, and using MD5 on it's own and if I had any knowledge of how it's done here, I'm sure you wouldn't expect me to discuss it publicly (or privately, with people not authorised to know).

    But I would argue that, short of having no externally accessible links, nothing is hack-proof. It's a fame if leap-frog, whether hackers and security people constantly trying to get in front of the other. Whatever security is in place, odds are sooner or later a way will be found through, or around, it. The issue can often come down to how much time, effort and of course, money, person A is prepared to spend trying to crack site B. And that can come down to motivation, which could be money, or pure malicious intent, or what I'd call a 'pure' hacker motivation, the so-called "Everest" motivation, i.e. because it's there, the sheer challenge.

    For that reason, determining what security to implement also rather depends on what you're protecting, because it too costs time, effort and indeed, money, to do. So if I'm protecting a bank or the Pentagon, U'm going to be inclined to spend more than I am for a website containing last year's holisay snaps. If any hacker wants to disrupt my holiday photo site, have at it.

    And once again, just for emphasis and clarity, I have NO INVOLVEMENT in site or system security at HEXUS.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •