# Protecting New Users From Themselves



## xmob (May 16, 2013)

It's a safe bet that there's going to be an exodus of biblical proportions of users from LET to here.

Considering that the LET user database has been compromised, what do we know of the hashing algorithm/salts used on LET? I don't know enough about IPB, but is it possible to create a plugin that checks new users' passwords are different to what was used on LET?

There's no need to reverse the hashes from LET, just regenerate them when a user signs up and make sure that the hashes don't match.

Could save a whole load of hurt in the future.  Just a thought.


----------
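
Added example, not part of any post in this thread: a signup-time check of the kind xmob describes, which recomputes the legacy hash from the submitted password and that user's old salt and rejects a match. The PBKDF2 scheme, the function names and the sample records are assumptions constructed for illustration; the thread does not state what hashing LET used.

```python
import hashlib
import hmac
import os

# Assumption: the legacy forum stored PBKDF2-HMAC-SHA256(password, per-user salt).
# The thread does not say what scheme LET used; swap in the real one.
LEGACY_ITERATIONS = 10_000


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Recompute a hash the way the (assumed) legacy scheme would."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, LEGACY_ITERATIONS)


def build_legacy_index(records):
    """Map a normalised e-mail address to its legacy (salt, hash) pair."""
    return {email.strip().lower(): (salt, digest) for email, salt, digest in records}


def reuses_legacy_password(index, email: str, candidate: str) -> bool:
    """True if the candidate password reproduces this user's legacy hash."""
    entry = index.get(email.strip().lower())
    if entry is None:
        return False  # no legacy account under this address, nothing to compare
    salt, digest = entry
    # Constant-time comparison; the plaintext is never stored or logged.
    return hmac.compare_digest(legacy_hash(candidate, salt), digest)


def register(index, email: str, password: str) -> str:
    """Signup gate: refuse a password that matches the old forum's hash."""
    if reuses_legacy_password(index, email, password):
        return "rejected: choose a password you did not use on the old forum"
    return "accepted"


# Constructed sample data standing in for legacy records (not real accounts).
_salt_a, _salt_b = os.urandom(16), os.urandom(16)
SAMPLE_INDEX = build_legacy_index([
    ("alice@example.com", _salt_a, legacy_hash("hunter2-old", _salt_a)),
    ("bob@example.com", _salt_b, legacy_hash("correct horse", _salt_b)),
])

if __name__ == "__main__":
    print(register(SAMPLE_INDEX, "Alice@Example.com", "hunter2-old"))
    print(register(SAMPLE_INDEX, "alice@example.com", "a-new-passphrase"))
    print(register(SAMPLE_INDEX, "carol@example.com", "hunter2-old"))
```

The comparison is per user because each legacy hash depends on that user's salt; a signup under an address with no legacy record passes through unchecked.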



## shovenose (May 16, 2013)

I think that is a bad idea personally. But this forum could expire all passwords in a month or so when everybody is migrated to here.


----------



## Nick (May 16, 2013)

I don't want to get my hands involved with the database and I'm sure MannDude doesn't either.


----------



## Afterburst-Charlie (May 16, 2013)

The best thing to do would be to simply shut it down for good; it has had its run.


----------



## shovenose (May 16, 2013)

Shut what down, LowEndTalk?


----------



## XFS_Brian (May 16, 2013)

Too much drama on LET. Yes, I did visit to see how the community was doing, but I personally got tired of seeing all the drama over who owned LET.


----------



## MannDude (May 16, 2013)

Nick said:


> I don't want to get my hands involved with the database and I'm sure MannDude doesn't either.


This.

Was it even confirmed that it was leaked? Either way, I don't want it and would not touch it.

It would be very wise however to not use the same password here, or anywhere for that matter. If your LET password was the same as, for example, the root pass on your servers, your email account, etc, then change everything immediately.


----------



## dAgent (May 16, 2013)

tbh my first thought after I saw admin access for everyone was - what if people just start grabbing the db or leak it publicly


----------



## MannDude (May 16, 2013)

dAgent said:


> tbh my first thought after I saw admin access for everyone was - what if people just start grabbing the db or leak it publicly


Was there an option in Vanilla to do this from the admin CP? Not quite sure.


----------



## mojeda (May 16, 2013)

MannDude said:


> Was there an option in Vanilla to do this from the admin CP? Not quite sure.


I don't think so, but visiting a user page showed the debug info that shows the user's password hash.

Does anyone know the extent of the hack? I assume it was just the front end that got hacked and no one was able to actually get into the server itself?


----------

