Search Results
Searched for posts by capristo in all forums

Showing results 831 - 840 out of 1645 total
Posted by capristo, Jul 10, 2011 at 11:27 pm
As I explained briefly earlier, the reason the hacker was able to retrieve some people's passwords was that they were encrypted using MD5 (because phpBB, the old forum software, also used it), which is susceptible to rainbow table attacks.

We're now using a much stronger encryption algorithm (SHA1 + a unique salt, looped multiple times).

I can now 99.9999999% guarantee that even if somebody were to get access to both the encrypted passwords and our unique salt, there is no way they could convert them into the unencrypted original values.

So, go change your password, esp. if you were on the list of people targeted earlier. After you change it you'll have to log in again.

The forum isn't safe yet, but I promise your passwords are.
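The two storage schemes contrasted in this post, as an added illustration rather than the forum's own code: an unsalted MD5 falls to a single precomputed hash-to-password table shared across every user, while a per-user random salt means the same password produces different hashes, so no shared table can exist. The post says only "SHA1 + a unique salt, looped multiple times"; the salt size, the salt-then-password ordering and the round count below are my assumptions, and the passwords and user names are constructed.

```python
import hashlib
import os

# Constructed sample data standing in for a rainbow/lookup table's word list.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "dragon"]

def md5_unsalted(password: str) -> str:
    """Legacy phpBB-style storage: a single unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup_table(candidates):
    """Precompute hash -> password once. The hash depends only on the
    password, so one table serves against every user of an unsalted scheme."""
    return {md5_unsalted(p): p for p in candidates}

def crack_with_table(table, stored_hash):
    """Recover a password by pure lookup; nothing is hashed at attack time."""
    return table.get(stored_hash)

def sha1_salted_iterated(password: str, salt: bytes, rounds: int) -> str:
    """The replacement scheme as the post describes it: SHA1 over salt and
    password, fed back into itself `rounds` times. Ordering, salt size and
    round count are assumptions, not the forum's actual parameters."""
    digest = salt + password.encode()
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest.hex()

def new_user_record(password: str, rounds: int = 10000) -> dict:
    """Store a fresh random salt next to the hash; the salt is not secret."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "rounds": rounds,
            "hash": sha1_salted_iterated(password, salt, rounds)}

def verify(record: dict, password: str) -> bool:
    salt = bytes.fromhex(record["salt"])
    return sha1_salted_iterated(password, salt, record["rounds"]) == record["hash"]

def demo() -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted: the weak password is read straight out of the shared table.
    legacy = {"alice": md5_unsalted("letmein"), "bob": md5_unsalted("correct horse battery")}
    recovered = {u: crack_with_table(table, h) for u, h in legacy.items()}
    # Salted: two users with the same password store different hashes, so a
    # precomputed table cannot be shared; every account needs its own work.
    r1, r2 = new_user_record("letmein"), new_user_record("letmein")
    return {"recovered": recovered, "same_hash": r1["hash"] == r2["hash"],
            "verifies": verify(r1, "letmein")}
```

A salt only removes the precomputation shortcut; a guessable password is still recoverable by hashing candidates against one record at a time, which is why purpose-built slow password hashes are preferred over iterated SHA1 today.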
Posted by capristo, Jul 10, 2011 at 8:56 pm
It's really not that hard to make a secure website that 99.999% of people can't hack. The problem is that most of the code was written about 2 years after I started web development and I haven't had time to revisit it.
Posted by capristo, Jul 7, 2011 at 11:38 am
Unfinished code or possibly just some of the old code that I haven't gotten around to rewriting. I'm guessing he was able to upload a script through the attachment/gallery process. I'll make sure I patch uploads and use a better encryption algorithm first. Nothing wrong with having a custom forum, if it's not using code that was developed 6 years ago.
Posted by capristo, Jul 6, 2011 at 7:20 pm
BDR wrote
Fucking hell capristo, why the fuck are the passwords plaintext?!? This is the same bullshit reason that Lulzsec was able to hack all of the Sony user accounts on the Playstation Network once they got all the way in.

They're not plaintext. They're only encrypted using md5 which means he must've been able to use a rainbow table (this is also why only certain passwords were accessible). Now - how he got the md5 values in the first place I'm not really sure. The problem with changing the encryption algorithm is everybody will have to reset their passwords... which I guess is probably worth it now

Sorry guys.
Posted by capristo, Jul 6, 2011 at 8:20 am
Various usernames and passwords...

capristo: *****
slob: *****
Herself: *****
lampshade: *****
Blob: *****
Somagu: *****
Seriyu: *****
hihanhu: *****
Knoppi: *****
Konork: *****
Ischaldirh: *****
Full_Metal_Wolf: *****
ShinMajin: *****
Unknown_Entity: *****
covaks: *****
Battleguy: *****

//ASK ERNOMOUSE OR BORED FOR YOUR PASSWORD. IRC IS THE BEST OPTION? // -ERNOMOUSE

Please sort your security out and change ur passwords as I have access to all details such as emails etc... too, you're lucky I'm a whitehat.

p.s. I've changed the password to the account I'm using to post this message to prove a point, new password is *****

Not after causing any damage, as I say, I'm a whitehat. I'm a good guy who finds the security issue before the bad guys.

Herxode
http://twitter.com/Herxode
Posted by capristo, May 27, 2011 at 2:58 pm
Display profiles is complete
Posted by capristo, May 27, 2011 at 9:57 am
Thanks, it's fixed.
Posted by capristo, May 25, 2011 at 8:30 am
Haha Thanks Somagu, it's fixed
Posted by capristo, May 20, 2011 at 2:22 pm
Okay, I think I've fixed the editing bug. Marking forums as read I haven't figured out yet.
Posted by capristo, May 19, 2011 at 2:01 pm
WIKI in forum Website News
Well, this is spam not hackers so I'm not as concerned.