The Spam Club


Password Security Update

Posted at 16:54 on December 1st, 2006
Admin
Reborn Gumby
Posts: 11126
I've updated the script for enhanced password security. When I first started the Spam Board, the MD5 hash was already on the decline, but still ok. Nowadays, it's completely broken and it doesn't offer any real security anymore, so now something better is used (along with several other improvements for the passwords).

The downside is that your old passwords won't work anymore. Please use the 'Lost Password' function in the top menu to have a new password generated and sent to you. In case an outdated e-mail address is listed in the database, please contact me directly. After receiving your new password, you can of course change it to anything you like (including your old password) again by editing your profile.

Last, but not least, a note on version numbers. After rewriting much of the SQL queries (see last announcement), this has gone too far from what I wanted to do with version 5. So I'm demoting this script to the previously skipped version 4. More honest anyway.

Ah, yes, and it would be nice if one or two people could just reply so that I can see they succeeded in getting their new passwords.
-----
Now you see the violence inherent in the system!
-----
Edited by Mr Creosote at 17:35 on December 1st, 2006
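The announcement retires unsalted MD5 without saying what replaced it. As an added illustration (not the Spam Board script's own code), this contrasts the old scheme with a per-user salted, deliberately slow KDF, using scrypt from the Python standard library; the cost parameters are this example's choice.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Legacy scheme: plain MD5 of the password. Two users with the same password get the
# same digest, so one precomputed table or one cracking run covers every account at once.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# scrypt parameters chosen for this example (about 16 MiB of memory per guess).
_N, _R, _P, _DKLEN = 2 ** 14, 8, 1, 32

def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Hash a new password with a random 16-byte salt; store salt and digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=_N, r=_R, p=_P, dklen=_DKLEN)
    return {"kdf": "scrypt", "salt": salt.hex(), "digest": digest.hex()}

def verify(password: str, record: Dict[str, str]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=_N, r=_R, p=_P, dklen=_DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))
```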
Posted at 20:43 on December 1st, 2006
Member
Retired Gumby
Posts: 1092
I had no problems getting and using the new password.
Posted at 12:49 on December 3rd, 2006
Member
Prof Gumby
Posts: 607
A new password was e-mailed and it works, but when I try to change it to anything else in my profile I get "Error: Something is wrong with the input."
-----
"One Very Important Thought"
Posted at 12:54 on December 3rd, 2006
Admin
Reborn Gumby
Posts: 11126
Can you try again? I actually think it's related to your avatar, not the password.
-----
Now you see the violence inherent in the system!
Posted at 13:02 on December 3rd, 2006
Member
Prof Gumby
Posts: 607
Works now!
-----
"One Very Important Thought"
Posted at 13:03 on December 3rd, 2006
Admin
Reborn Gumby
Posts: 11126
Good :)
-----
Now you see the violence inherent in the system!
Posted at 12:12 on December 4th, 2006
Member
Retired Gumby
Posts: 740
Replying here doesn't necessarily mean anything. I, for example, was already logged in. :p

On the other hand, I do need my email address changed before I can send for the new password (see your private messages for details).
-----
At the end of the day, you're left with a bent fork & a pissed off rhino.
-----
Edited by Cypherswipe at 12:26 on December 4th, 2006
Posted at 12:32 on December 4th, 2006
Admin
Reborn Gumby
Posts: 11126
I changed your mail address as requested.

Quote:
Replying here doesn't necessarily mean anything. I, for example, was already logged in

Looks like you found a bug there. I'll look into this. I assume you ticked the 'remember' checkbox when logging in initially?
-----
Now you see the violence inherent in the system!
-----
Edited by Mr Creosote at 12:38 on December 4th, 2006
Posted at 12:53 on December 4th, 2006
Member
Retired Gumby
Posts: 740
Of course, I despise having to re-login every friggin time I return to a site. Since I don't use public computers, security really isn't an issue for me.


Got new password, set it back to my old password, logged out/back in, everything seems to work fine.
-----
At the end of the day, you're left with a bent fork & a pissed off rhino.
-----
Edited by Cypherswipe at 12:55 on December 4th, 2006
Posted at 13:06 on December 4th, 2006
Admin
Reborn Gumby
Posts: 11126
Quote:
Posted by Cypherswipe at 14:53 on December 4th, 2006:

Of course, I despise having to re-login every friggin time I return to a site. Since I don't use public computers, security really isn't an issue for me.

You're overlooking one issue: With these settings, the password is saved in a cookie. Cookies are sent to the server each time you call a page of the forum. Since the forum isn't accessible via SSL, that is done in plaintext. Of course, the contents of the cookie are encrypted with a secret key, so nobody should be able to get your password per se (eventually, every encryption can be broken, however, it shouldn't be feasible to do so), but even the encrypted contents of the cookie can be used as a token to impersonate you. Only on this board, of course, and only if someone actually intercepts the traffic (chances are extremely low unless the attacker is sitting on a node very near to you). So security is always an issue.

Having said all that, I'm using that option, too. At least on my home computer, not at university or at work. It's a tradeoff between security and convenience, and since I'm aware of the potential risks, it's a chance I'm willing to take.

Oh, and last, but not least, this is the same on all forums I know. In many cases, it's even significantly worse (passwords being stored in plaintext in a cookie, for example).
-----
Now you see the violence inherent in the system!
Posted at 13:26 on December 4th, 2006
Member
Retired Gumby
Posts: 740
True, but as you said, it depends on someone A) intercepting traffic on the specific site in question, B) choosing me out of all the available members to hack, and C) taking the time to decrypt the key. Few people would go to that much hassle just to be able to post as someone on one single forum. Since the risk is so low, the convenience of not being plagued by login demands is much more important to me than security. If I was on a public computer it'd be different, but since I'm not...
-----
At the end of the day, you're left with a bent fork & a pissed off rhino.
Posted at 14:43 on December 4th, 2006
Admin
Reborn Gumby
Posts: 11126
Strike C from that list. There isn't any serious protection against so-called replay attacks if you're storing your user credentials in a cookie, encrypted or not. The encryption just prevents anyone from seeing the plain password, so if you're using the same password anywhere else, the attacker still won't be able to get into your account there. Your account here is open just by intercepting the encrypted cookie, though.
-----
Now you see the violence inherent in the system!
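The admin's point is that an encrypted copy of the credentials in a cookie is still a bearer token: whoever holds the bytes is accepted, and encryption does nothing against replay. An added example (not Spam Board's code) of the alternative design for a 'remember me' cookie: a random series and a random token, nothing derived from the password, the token stored only as a hash server-side, rotated on every use, with an expiry. Presenting a token that has already been rotated is treated as evidence that a copy was captured, and the whole series is revoked so both holders are logged out. The store, the TTL and the names are this example's assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TTL = 14 * 24 * 3600  # cookie lifetime in seconds, this example's choice

# Constructed in-memory store standing in for a database table.
_tokens: Dict[str, Tuple[str, str, float]] = {}  # sha256(token) -> (user, series, expiry)
_series_owner: Dict[str, str] = {}               # series -> user, survives token rotation
_revoked: set = set()                            # series flagged as compromised

def _h(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue(user: str, series: Optional[str] = None, now: Optional[float] = None) -> str:
    """Mint a cookie value 'series:token'. Both halves are random; only a hash of the
    token is kept, so a leaked table does not yield working cookies."""
    series = series or secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    _series_owner[series] = user
    _tokens[_h(token)] = (user, series, (now if now is not None else time.time()) + TTL)
    return f"{series}:{token}"

def redeem(cookie: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Accept a cookie once and rotate it. Returns (user, fresh_cookie), or None.
    A known series with an unknown token means an old copy was replayed after the
    legitimate client already rotated it: revoke every token in that series."""
    now = now if now is not None else time.time()
    series, _, token = cookie.partition(":")
    if series in _revoked or series not in _series_owner:
        return None
    entry = _tokens.get(_h(token))
    if entry is None:
        # Replay detected: the real user keeps the new token, the thief the old one. Drop both.
        _revoked.add(series)
        for key in [k for k, v in _tokens.items() if v[1] == series]:
            del _tokens[key]
        return None
    user, entry_series, expiry = entry
    if entry_series != series:
        return None
    del _tokens[_h(token)]  # single use: the presented token is never valid again
    if now > expiry:
        return None
    return user, issue(user, series, now)
```

Note that rotation limits the damage of a captured cookie rather than preventing capture; on a plaintext connection, as the thread says, the cookie can still be read in transit.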
Powered by Spam Board 5.2.4 © 2007 - 2011 Spam Board Team