miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
Custom Tutorials and Modifications miniBB Support Forums / Custom Tutorials and Modifications /  
 

Updating passwords of all users

 
Author Anonymous
Guest
#1 | Posted: 23 Nov 2005 14:13 
Hi there;
After noticing how easy to guess were users' passwords, I wrote a little piece of code for update every users' passwords to something more complicated to guess.
It's higly customizable, especially the generation of the password part. Right now, it makes the password look like this:

{consonant}{vowel} * $amount_of_chars / 2 + {number} * $amount_of_numbers

Like this:

sareguli1562 (with amount_of_chars = 8 and amount_of_numbers = 4)

(You should also consider changing the minibb minimal password length requirement).

It should be upgraded to do $max_users at a time, then auto refresh itself. If needed I'll do it for you.

The code :

<?php

//CONFIGURATION PART

define("from_email","admin@yoursite.com");
define("amount_of_chars",8); //can be divided by 2
define("amount_of_numbers",4);
define("email_subject","Your password has been changed");
define("email_content","
<html><body><br>
Hi %USERNAME%,<br>
For security of the forums and your account, all the passwords have been changed to stronger ones.<br>
<br>
Please take note of your new password : <b>%NEW_PASS%</b><br>
<br>
Thanks.</body></html>
");

//END CONFIGURATION PART

if ( ! include_once("setup_options.php") ) die("Could not include setup_options.php");
@set_time_limit(0);//may not work on your server (if safe_mode is on)

function send_mail($to,$sujet,$message) {
$headers = "From: ".from_email."\n";
$headers .= "Return-Path: <".from_email.">\n";
$headers .= "Date: ".date("D, d M Y H:i:s") . " UT\n";
$headers .= "Reply-To:".from_email."\n";
$headers .= "X-Mailer: PHP/".phpversion()."\n";
$headers .= "MIME-Version: 1.0\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\n";
if (!@ mail($to, $sujet, $message, $headers)) {
return(false);
} else {
return true;
}
}
function new_password() {
$chars1 = "bcdfghjklmnpqrstvwxz";
$chars2 = "aeiouy";
$pass = "" ;
for ($i=1; $i <= amount_of_chars ; $i++) {
$pass .= substr($chars1, mt_rand(0, 22), 1);
$pass .= substr($chars2, mt_rand(0, 5), 1);
$i++;
}
for ($i=1; $i <= amount_of_numbers; $i++) {
$pass .= mt_rand(0, 9);
}
return $pass;
}

$sql=@mysql_connect($DBhost,$DBusr,$DBpwd);
if ( ! $sql ) die("Could not connect to mysql server");
$sqldb=@mysql_select_db($DBname);
if ( ! $sqldb ) die("Could not select db");

$total_users_count=mysql_query("SELECT COUNT(user_id) FROM ".$Tu);
$total_users_count=mysql_fetch_row($total_users_count);
$total_users_count=$total_users_count[0];
$done=1;
$current=2;

while($done < $total_users_count) {
$res=@ mysql_query("SELECT username, user_email FROM ".$Tu." WHERE user_id=".$current);
if ( !$res ) {
$current++;
break;
}
$res=mysql_fetch_row($res);
$pass=new_password();
$content=email_content;
$content=str_replace("%USERNAME%",$res[0],$content);
$content=str_replace("%NEW_PASS%",$pass,$content);
if ( !send_mail($res[1],email_subject,$content) ) die("Could not send email");
$update=mysql_query("UPDATE ".$Tu." SET user_password = '".md5($pass)."' WHERE user_id =".$current);
$current++;
$done++;

}
echo "Updated ".$total_users_count." users accounts. NOW DELETE THIS FILE";



Hope this can be usefull to someone :)

Author Anonymous
Guest
#2 | Posted: 23 Nov 2005 14:14 
Forgot to mention :

$done=1;
$current=2;

Because we should not upgrade main admin's password.

Author Team
8-)
#3 | Posted: 26 Nov 2005 20:40 
That all sounds fine, but still not clear for us:

1) What do you mean by "easy to guess were users' passwords" and which way another encoding of user password helps, if it is easy guessed (not even encoded!)

2) What you code actually does and how it could be helpful for miniBB users.

Author Anonymous
Guest
#4 | Posted: 13 Dec 2005 11:48 
1) I mean many users choose passwords like female name, car name, city name, date of birth and other short or easy to guess passwords. I mean by easy to guess passwords that can be found in dictionnary.
What I do is not another way of encoding password (O_O) it does ... :

2) That script change every user of minibb password, and email them the new password.
The email content can be modified in the top of the file.
That script generate special passwords, that "should be" easier to remember than 8*{random character or number}, because it alternates consonants and vowels.

Compare yourself an autogenerated password from 99% of the websites on the internet : fg5zko3p
And one generated with that script : faritu01

That script has two goals :
-Make all your user's passwords stronger (not guessable with dictionary attack and hardly guessable with bruteforce)
-Make new passwords easy to remember because you can "say" them.

Ah don't really know how to say it in english. Try to pronounce/say/tell fg5zko3p and then try with faritu01.
Those two passwords has the same security level, but one is easier to remmember?

Author Team
8-)
#5 | Posted: 13 Dec 2005 14:52 
Ok, we understand now idea with easier-to-say passwords (so function new_password() is probably the most interesting part of your code). However, we don't think it's a programmer's task to care about user's password. Internet has it's own rules and ethics, the same as any other sphere. When you come to restaurant, waiter should not teach you how to take knife and fork - his goal is just to serve your table.

Anyway, thanks for the code and explanation... hopefully it will be useful for someone.

Author Anonymous
Guest
#6 | Posted: 13 Dec 2005 19:49 
Yes I know but not all users care abotu their passwords, and it's a problem if the hacked account has access to some private forums.

Yes I hope it can help someone, if you want you could rewrite my code/message and make it more english comprehensive :P

Custom Tutorials and Modifications miniBB Support Forums / Custom Tutorials and Modifications /
 Updating passwords of all users
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message


  ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.


Before posting, make sure your message is compliant with forum rules; otherwise it could be locked or removed with no explanation.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Get the Private Messaging add-on: allow your miniBB-forums members to communicate with each other.


  ⇑