UBB.Developers Forums UBB.threads 7 Development How Do I? Passwords

I have been having some security issues on my boards from a competing forum lately and I finally figured out how they are doing it. They have been logging in under at least 1 mutual member that they helped with a pasword problem at their site and he happened to use the same password at ours. When I help someone and they forget their password or something and I edit their profile all I see in their password box is the astericks. Is there any way that they can get the other members password off of their forums and take the off chance they are the same as on ours? They are using 6.1.1 and have stated that they have read every pm from every member on our site. I have another admin that used the same password at both places.

Some possibilities:

1) If they know the user's encrypted password, they could easily write a script to encrypt dictionary words, or other guesses, until finding a match.

2) They could insert a line of code into the login script and record the user's unencrypted password when he types it in.

That's why using the same password on different sites is a really bad idea.

Thanks. I was going crazy trying to figure out exactly how they were doing what they were doing. I have made a post at my forums explaining what was happening and asked everyone to change their password if they are the same.

It would also be a good idea to password-protect your admin directory, if you're not already doing that. And you could remove some of the riskier admin functions, such as the one for doing MySQL queries, if you can get by without it.

Excellent idea, thanks