[Home] [Downloads] [Search] [Help/forum]

Gammon Forum

See www.mushclient.com/spam for dealing with forum spam. Please read the MUSHclient FAQ!

[Folder]  Entire forum
-> [Folder]  Forum
. -> [Folder]  Problems
. . -> [Subject]  Password Issue
Home  |  Users  |  Search  |  FAQ
Username:
Register forum user name
Password:
Forgotten password?

Password Issue

It is now over 60 days since the last post. This thread is closed.     [Refresh] Refresh page


Posted by Digs   USA  (17 posts)  [Biography] bio
Date Fri 15 Jun 2012 04:04 PM (UTC)

Amended on Fri 15 Jun 2012 04:08 PM (UTC) by Digs

Message
I can log in and post, but when I attempt to edit my profile or change my password I get the following error (email redacted):

Quote:

Update failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Qxqd5dtR&', email = 'xxxxx@xxxxx.com', show_email = '', allow_mail = '', u' at line 1
[Go to top] top

Posted by Nick Gammon   Australia  (21,322 posts)  [Biography] bio   Forum Administrator
Date Reply #1 on Fri 15 Jun 2012 08:49 PM (UTC)
Message
Looks like your password somehow got a quote symbol in it. Don't use that in future. I've changed the password, so do a password recovery to get it back.

- Nick Gammon

www.gammon.com.au, www.mushclient.com
[Go to top] top

Posted by Worstje   Netherlands  (899 posts)  [Biography] bio
Date Reply #2 on Fri 15 Jun 2012 10:34 PM (UTC)
Message
The proper fix are known as parametrized queries, or at least proper escaping.

There is nothing wrong with having quotes, double quotes, backticks, spaces and so forth in ones password or anywhere else. Besides that, errors should be displayed in your error log, not on the website itself. It is unsafe and, in case of queries, gives hackers information on your database layout they can use for their next attempt.

Also... am I misinterpreting that error or are you not protecting passwords at all? Seriously? Passwords should never be saved plain text, should be hashed with a user-specific salt through means of a proper password hash.

Please fix these problems; all of them were barely excusable in the late 90s, but nowadays there is plenty of information around on how to do it better and protect your users information. :)
[Go to top] top

Posted by Nick Gammon   Australia  (21,322 posts)  [Biography] bio   Forum Administrator
Date Reply #3 on Sat 16 Jun 2012 02:23 AM (UTC)

Amended on Sat 16 Jun 2012 02:24 AM (UTC) by Nick Gammon

Message
Good suggestion Worstje.

The password handling has been hardened, and it no longer stores passwords in plaintext.

I must admit that the password part was one of the first parts of this forum I did. The only real justification was that you could retrieve your old password if you lost it.

Now, if you forget your old password it will generate a new random one and email you what it is.

There is a slight downside to that, but I won't advertise what that is right now. :)

- Nick Gammon

www.gammon.com.au, www.mushclient.com
[Go to top] top

Posted by Digs   USA  (17 posts)  [Biography] bio
Date Reply #4 on Sat 16 Jun 2012 03:03 AM (UTC)
Message
All good. Thanks Nick!
[Go to top] top

Posted by Worstje   Netherlands  (899 posts)  [Biography] bio
Date Reply #5 on Sat 16 Jun 2012 09:54 AM (UTC)
Message


Thanks for acting so speedily on this security issue, Nick! :)

Did you also review other queries and parameter handling on the forum? No point in fixing one error if there's others lurking still. :)

Also, I saw this a few weeks back and bookmarked it; maybe it'll be of interest to you: http://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/
[Go to top] top

Posted by Nick Gammon   Australia  (21,322 posts)  [Biography] bio   Forum Administrator
Date Reply #6 on Sun 17 Jun 2012 01:35 AM (UTC)
Message
I'm uncertain how secure the forum is against carefully crafted attacks, because at the time I wrote it PHP (and the MySQL interface) were incredibly confusing to use. You had to constantly "escape" and "un-escape" user data, and it was a nightmare being sure if it was properly escaped or not. Occasionally you would see things like:


Nick\'s idea


in something like a thread subject line, which means the escaping was out of balance.

Quote:

... maybe it'll be of interest to you ...


Interesting article thanks! Mind you, security consultants have a vested interest in making you afraid. Just imagine a world where we didn't fear each other, hackers, people with different beliefs, and so on! Gosh, you could walk down the street and not be afraid.

At the end of the day, as Bruce Schneier points out, you have to weigh up the cost of security against the end benefit. And if you put in "too much" security, people work around it. Just as an example, technically web sites like this should be secure because you have to log into them. But browsers these days remembers passwords for you, to save you remembering them and typing them, so someone can walk up to your PC and log onto the forum, while you are out of the room. And nothing I do will stop that.

- Nick Gammon

www.gammon.com.au, www.mushclient.com
[Go to top] top

Posted by Worstje   Netherlands  (899 posts)  [Biography] bio
Date Reply #7 on Sun 17 Jun 2012 04:11 AM (UTC)
Message
Oh, I know they have a vested interest in getting us scared. But everything in that article makes a lot of sense, and with CUDA and similar graphics-card processing options bruteforcing has become way, way easier in recent years.

As for escaping/unescaping.. I agree it is confusing. But assuming you don't have stuff like magic_quotes on (ewww) it is just a matter of doing a mysql_real_escape() or whatever that function is called when you are putting stuff inside your query. (But parameters are still the best.)

As for passwords being saved in the browser... I don't do that. Never do, even. I do use KeePass, but that has way more security features than any browser ever will, so I feel pretty safe with that. :)
[Go to top] top

Posted by Nick Gammon   Australia  (21,322 posts)  [Biography] bio   Forum Administrator
Date Reply #8 on Sun 17 Jun 2012 05:49 AM (UTC)
Message
I did a bit of a rant about passwords on the Arduino forum a few days ago. Here it is:




I hate passwords with a passion, and here's why:

1. If they are long enough to be secure, you won't remember them, so you have to write them down. So, all someone has to do is find where you wrote them.

2. Most sites have a way of "recovering" passwords (eg. your bank). So they ask you a series of questions hopefully only you know, eg.


  • Your birthdate (your parents would know that, and your friends)
  • Your address (your friends and businesses you deal with would know that)
  • Your telephone number (same problem)
  • Your bank account number (hardly private information)
  • Your mother's maiden name (hardly a secret to your entire family)


So they have replaced a (possibly secure) password with the need to know the answers to a few simple questions.

I know you can keep passwords in a "password file" on a computer, but when you are in a shopping center trying to activate a mobile phone, and they say "what's your telephone access password?" I just say "I don't know" (which is true).

3. Even assuming you can remember one secure password you certainly shouldn't use it for every site, in case one is compromised (eg. by hackers). So you don't have to remember a single password, these days you have to remember hundreds.

4. Again, you can use a "password chain" but if you were using one, that is where I would concentrate my cracking efforts. Break that, and I have the lot! And it's hardly rocket science to crack it. Just insert a "keystroke logger" (dongle) between the keyboard and CPU, and come back a day later and harvest the password(s).


There was a funny photo on a website recently, where someone was being interviewed for some TV sports program, and clearly behind him on the wall was taped all their network passwords! Mind you, I've seen exactly that done in offices where I have been called in to assist.

- Nick Gammon

www.gammon.com.au, www.mushclient.com
[Go to top] top

Posted by Worstje   Netherlands  (899 posts)  [Biography] bio
Date Reply #9 on Sun 17 Jun 2012 06:01 AM (UTC)
Message
Yeah, I know all of that. :/ Those security questions and limitations really drive me up the wall. (Even though I don't use social media like FB and Twiter, meaning getting my mothers maiden name actually takes some detective skill. :P) As for passwords, mine are usually 20+ characters long, and ones I don't even want to remember that KeePass remembers for me are about 40+. That xkcd comic about password complexity is pretty funny in that regard, although it also has its weaknesses if you are sure people follow the exact recipe. So I mix and match old-style and xkcd-style passwords for best results.

For KeePass, it is somewhat nice though. They have an obfuscated entry routine (mouse movements, ctrl-c/v, backspace and delete) to make it harder for sofware keyloggers. As for hardware keyloggers between my keyboard.. they won't work, as keepass types my passwords for me.

Anything can get broken if you give it enough chances. But KeePass takes 2 seconds to verify my password, meaning that bruteforcing is a pain. Once logged in, KeePass locks itself after I've been inactive or lock my work station.

If you mis-use your password-chain, it is useless. If you treat it well, and make sure to update the software once in a while (just to be safe) you should be fine with it.
[Go to top] top

Posted by Digs   USA  (17 posts)  [Biography] bio
Date Reply #10 on Sun 17 Jun 2012 06:11 AM (UTC)
Message
You can use two-factor authentication to secure KeePass's database. Keyloggers alone will not break that.
[Go to top] top

Posted by Worstje   Netherlands  (899 posts)  [Biography] bio
Date Reply #11 on Sun 17 Jun 2012 06:56 AM (UTC)
Message
Yeah, I know. But that goes into the edge of more trouble than it is worth if you want to be mobile and safe at the same time. :)
[Go to top] top

Posted by Digs   USA  (17 posts)  [Biography] bio
Date Reply #12 on Sun 17 Jun 2012 08:14 AM (UTC)
Message
For mobility, keep a copy of your KeePass password/key protected database stored on Dropbox, and synchronize it with your remote devices (don't store your key there). KeePass and Dropbox have clients for many devices, including mobile phones.

If the device you're using is secure, then keep a copy of the key on it. If it's not, then put the key on a thumb drive. If it's really insecure (shared computer), then you're better off with an OTP system (http://en.wikipedia.org/wiki/One-time_password).

[Go to top] top

The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).

To show them in your local time you can join the forum, and then set the 'time correction' field in your profile to the number of hours difference between your location and UTC time.


9,674 views.

It is now over 60 days since the last post. This thread is closed.     [Refresh] Refresh page

Go to topic:           Search the forum


[Go to top] top

Quick links: MUSHclient. MUSHclient help. Forum shortcuts. Posting templates. Lua modules. Lua documentation.

Information and images on this site are licensed under the Creative Commons Attribution 3.0 Australia License unless stated otherwise.

[Home]


Written by Nick Gammon - 5K   profile for Nick Gammon on Stack Exchange, a network of free, community-driven Q&A sites   Marriage equality

Comments to: Gammon Software support
[RH click to get RSS URL] Forum RSS feed ( https://gammon.com.au/rss/forum.xml )

[Best viewed with any browser - 2K]    [Hosted at FutureQuest]