Security Problem, maybe user's password visible

  • s-team
    New Member
    • Sep 2017
    • 1
    • 5.3.x

    Security Problem, maybe user's password visible

    Hi
    I have questions about security.
    I do not want to buy vBulletin. I only want to ask a question about using vBulletin as a forum user.
    In this site: [removed]
    My friend and I each have only one username, so one username belongs to me and the other username belongs to my friend.
    We use one password because sometimes we use each other's accounts.
    We use a public VPN with IPs in 16 countries.
    We use our own computers, tablets and phones (I only use my computer and tablet, and my friend only uses his computer and tablet).
    Several days ago my friend and I were banned by [removed]. They said we are one person with 2 accounts, which is forbidden by the rules of that forum.
    Because our computers were different and only our password was common, we think they compared user passwords with a plugin or they saw the passwords in the database.
    We know that the vBulletin password is converted to MD5 by JavaScript on the user's computer, then sent to the ISP and the vB hosting server, and then re-encrypted again.
    We also know some Iranian vBulletin forums changed the script to send the plain password to their database.
    But we do not know whether webhostingtalk.ir does that or not.

    We strongly think they compared passwords because we have different computers and we post and write different content and text in their forum.
    Therefore, only by comparing our passwords, they misconstrued that we are one person with 2 accounts.

    1-I want to know: do you sell a plugin that compares users' passwords to find the same user with 2 accounts?

    2-Please show us a way to use vBulletin securely. Can we check that a vBulletin script's password is certainly converted to MD5 and not bungled by the owner of any site? (For example, you provide software to check that the password is posted as MD5 by any user on any vBulletin forum.)

    Thanks
    Last edited by BirdOPrey5; Fri 22 Sep '17, 12:19pm. Reason: Removed URL of forum
  • Mark.B
    vBulletin Support
    • Feb 2004
    • 24286
    • 6.0.X

    #2
    Hello

    We are unable to provide any support to end users of vBulletin forums. You would need to direct your query to the owner of the site in question.
    MARK.B
    vBulletin Support
    ------------
    My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
    My Unofficial vBulletin Cloud Demo: https://www.adminammo.com


    • Wayne Luke
      vBulletin Technical Support Lead
      • Aug 2000
      • 73981

      #3
      It is doubtful they even looked at passwords. The most likely investigative source was the recorded IP addresses. It is not possible to view passwords in the default system. Each user receives a SALT string which is unique to the user. This makes password hashes for each user unique, even if it is exactly the same password. The Administrator never even sees a password anywhere in the default system. To securely use vBulletin you should create two accounts with individual passwords and follow the rules and guidelines of the site in question. Your issue isn't with the vBulletin software but with the site in question because you violated their rules.

      Currently, vBulletin doesn't use MD5 as it is prone to brute-force based collision attacks. Previously when we did, the algorithm was MD5(MD5(password) + Salt). The Salt was between 3 and 30 randomly generated characters depending on the version of vBulletin. Today, vBulletin uses a Blowfish algorithm to hash the password with a 30-character alphanumeric salt that is randomly generated.

      That said, vBulletin is a visual source product and any number of after-market code modifications may be made by site owners after they download the product. We have no control over this.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API
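
Added example (not part of the thread and not vBulletin's own code): a sketch of the legacy MD5(MD5(password) + Salt) construction described in post #3, showing that two accounts with the same password get different stored hashes, whereas an unsalted hash column would match. The function names, the salt alphabet and the use of hex-digest text for the inner MD5 are assumptions; the scheme is shown only because the post describes it, and the post itself notes it is no longer used.

```python
import hashlib
import hmac
import secrets
import string

SALT_ALPHABET = string.ascii_letters + string.digits  # assumption: alphanumeric


def new_salt(length=30):
    # Per-user random salt (the post gives 3 to 30 characters by version).
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def legacy_hash(password, salt):
    # MD5(MD5(password) + Salt); inner digest kept as hex text (assumption).
    return md5_hex(md5_hex(password) + salt)


def register(password):
    salt = new_salt()
    return {"salt": salt, "hash": legacy_hash(password, salt)}


def verify(record, candidate):
    # Login check: recompute with the stored salt, constant-time compare.
    return hmac.compare_digest(record["hash"], legacy_hash(candidate, record["salt"]))


def accounts_sharing_hash(table):
    # Username pairs whose stored hash column is identical.
    names = sorted(table)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if table[a]["hash"] == table[b]["hash"]]


# Constructed sample: two accounts registered with the same password.
SHARED = "one-password-two-people"
salted = {"user_a": register(SHARED), "user_b": register(SHARED)}
unsalted = {name: {"hash": md5_hex(SHARED)} for name in salted}

if __name__ == "__main__":
    print("salted matches:  ", accounts_sharing_hash(salted))
    print("unsalted matches:", accounts_sharing_hash(unsalted))
    print("user_a login ok: ", verify(salted["user_a"], SHARED))
```
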


      • K a M a L
        Senior Member
        • Dec 2009
        • 118

        #4
        There are a lot of methods for multiple account detection .. one of them is by using a persistent cookie .. there is already a vBulletin plugin to do this https://www.vbulletin.org/forum/showthread.php?t=183268
        No one will think of looking into your password to match accounts .. though it is possible for a site admin to log plain text passwords of users for any software .. not just vBulletin.


        • BirdOPrey5
          Senior Member
          • Jul 2008
          • 9613
          • 5.6.3

          #5
          The bottom line is any forum software that is self-hosted like vBulletin (besides vBCloud) can be edited by malicious Administrators or hackers to show/capture plain text passwords. This is why it is critical you use unique passwords for every site; this way it is useless for the Administrator of any site to only know your password for that site.

          Further, unless the administrator tells everyone, you can never know what sites may store plain text passwords and which do not.
