#1 2010-01-03 18:49:04

twohawks
Member
From: Stateline, NV USA
Registered: 2008-05-11
Posts: 135

Reset All Passwords - best method?

Hi folks,
Happy New Year to you all... I hope flux has a great year!

Problem today is an administrator had her computer stolen.  I shut down two fluxbb-run sites.
I am mostly through the woods, right now I have the two BBS's in maintenance mode.

...I am wondering what you feel the best procedure is for resetting all the user passwords!

Thanks ;^)
TwoHawks


TwoHawks
Love is the Function.
No Form is the Tool.

Offline

#2 2010-01-03 21:30:50

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,117
Website

Re: Reset All Passwords - best method?

Hmm, I think you're over-reacting a little (although I might just not have all the information): a stolen computer is a long way from all account passwords being compromised.

A couple questions:

1. Did the computer in question have the administrator's username/password saved?
2. Did the computer in question have a copy of the forum's database saved on it?
3. Does the administrator have access to the database from their computer (either via an admin plugin or via a tool like phpMyAdmin, where the login details are saved on the computer)?
4. If 3 is true, has anyone accessed those tools using the compromised account since the theft?

Depending on the answers, you may not have to reset everyone's password: you may just have to reset the password for the compromised account (or you may need to do nothing at all).

That being said, if you want to reset everyone's password, look at the code for password resets in login.php. You would have to code your own solution, but the code that exists can already handle resetting multiple accounts: you just need to take it and use it elsewhere.

Last edited by Smartys (2010-01-03 21:31:40)

Offline

#3 2010-01-03 23:11:13

twohawks
Member
From: Stateline, NV USA
Registered: 2008-05-11
Posts: 135

Re: Reset All Passwords - best method?

Thanks Smartys.

Answers:
1. Did the computer in question have the administrator's username/password saved?
Yes

2. Did the computer in question have a copy of the forum's database saved on it?
No

3. Does the administrator have access to the database from their computer (either via an admin plugin or via a tool like phpMyAdmin, where the login details are saved on the computer)?
Yes
4. If 3 is true, has anyone accessed those tools using the compromised account since the theft?
No, but the theft (automobile theft with PCs in it) occurred only hours before I closed the sites.

***5.  This administrator controlled her users' passwords herself (don't ask me why - I don't/cannot control her choices), so not only are her admin codes on the PC, all the users' passcodes are there as well.

I guess I will have a look at the login.php and see if it's faster to deal with that, or simply go and change them all manually.

Thank you for the reply and assistance ;^)


TwoHawks
Love is the Function.
No Form is the Tool.

Offline

#4 2010-01-04 00:10:54

twohawks
Member
From: Stateline, NV USA
Registered: 2008-05-11
Posts: 135

Re: Reset All Passwords - best method?

What I decided might be the easiest and fastest thing to do is to
1) log into the database
2) determine the user IDs I do not wish to change/reset, such as Admin, Guest, and the other Admin... and then
3) issue an SQL statement directive for resetting all passwords to blank... (could be anything really, but blank will undoubtedly fail the authentication test)
4) when users try to log in they will be prompted with the "forgot password" prompt... and they can simply change them.

SQL USED once logged into database...

UPDATE `databasename`.`prefixUSERS` SET `password` = '' WHERE ((`prefixUSERS`.`id` > 3) AND (`prefixUSERS`.`id` != 7))

...adjust numbers accordingly... kind of thing.


TwoHawks
Love is the Function.
No Form is the Tool.

Offline
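
The bulk reset described in post #4, as an added example that is not part of the original thread and is not FluxBB code: it counts the affected rows first, runs the UPDATE in a transaction, and checks that reset accounts can no longer authenticate while the excluded ones still can. The `users` table, the sample rows, the `KEEP_IDS` list and the SHA-1 hex digest login check are assumptions made for the demonstration.

```python
import hashlib
import sqlite3

KEEP_IDS = (1, 2, 3, 7)  # constructed: IDs left untouched (same effect as id > 3 AND id != 7)

def build_demo_db():
    """Constructed sample data standing in for the forum's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    rows = [(i, f"user{i}", hashlib.sha1(f"pw{i}".encode()).hexdigest())
            for i in range(1, 11)]
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    db.commit()
    return db

def reset_passwords(db, keep_ids):
    """Blank every password except keep_ids; roll back if the row count is off."""
    marks = ",".join("?" * len(keep_ids))
    # Dry run: how many rows should the UPDATE touch?
    expected = db.execute(
        f"SELECT COUNT(*) FROM users WHERE id NOT IN ({marks})", keep_ids
    ).fetchone()[0]
    try:
        cur = db.execute(
            f"UPDATE users SET password = '' WHERE id NOT IN ({marks})", keep_ids)
        if cur.rowcount != expected:
            raise RuntimeError("UPDATE touched an unexpected number of rows")
        db.commit()
    except Exception:
        db.rollback()
        raise
    return cur.rowcount

def can_log_in(db, user_id, candidate):
    """Assumed login check: stored value must equal the SHA-1 hex digest of the input."""
    stored = db.execute(
        "SELECT password FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return hashlib.sha1(candidate.encode()).hexdigest() == stored

if __name__ == "__main__":
    db = build_demo_db()
    print("rows reset:", reset_passwords(db, KEEP_IDS))
    # A 40-character hex digest can never equal '', so even an empty input fails.
    print("user 5, old password:", can_log_in(db, 5, "pw5"))
    print("user 5, empty password:", can_log_in(db, 5, ""))
    print("user 7 (kept):", can_log_in(db, 7, "pw7"))
```
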

#5 2010-01-04 01:08:03

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,117
Website

Re: Reset All Passwords - best method?

The alternative is to write a script using the code from http://fluxbb.org/trac/browser/fluxbb/t … n.php#L109. Replacing the WHERE clause of the query with your WHERE clause would have been enough: it would have been a copy/paste job other than that.

Also, an admin storing unencrypted passwords for users directly on their computer? Really? yikes

Last edited by Smartys (2010-01-04 01:08:23)

Offline
