FH news Security change

[Deebs]

Being such an anal person when it comes to security I have managed to get our resident coding monkey, SheepCow, to write an addon which converts your old MD5 password to the current default XenForo format of SHA-256 upon login instead of a password change.

This means that your password is converted to a much more secure hash sooner (ie on your login) instead of waiting for you to change your password. If you want to ensure your password is stored using a stronger hash then all you have to do is logout of the forums and then log back in.

 

[Gwadien]

Secure strong hash? Keep dem dirty pigs away, good man.

 

[Deebs]

Update:

Managed to convince FreddysHouse resident coding monkey SheepCow to develop an additional addon which converts your stored password to use BCrypt. Unlike most of the common hashes which can be run on a GPU and therefore attempt millions of passwords per second BCrypt is highly resistant to run on a GPU due to its memory requirements, also it is not a hash but a block cipher.

Basically in layman terms, your password is now being stored using an algorithm which is secure and resistant to brute force attacks using GPUs and CPUs. As a guide, each password takes 1.2 seconds to convert to BCrypt before comparision with the stored version

 

[sayward]

ye gods i really am going to slit my wrists!