Horrible password problem

[charpress]

YaBB SE Version: 1.5.1 Final
Server Platform: Unix, Linux, or BSD

Problem Description:
Here's my sad story:

My server decided (by mistake) that I was past the disk quota just as I was in admin and trying to delete old posts. The database was fried.

Luckily I had backed it up, but I also had to do a new install of 1.5.1 because most of the important files were fried as well. Here's the problem: I didn't really stop to think that the new install would create a new encryption key.

Now I have 1,600 users who will not be able to access the board (including me, the admin). Is there any way to have the encryption key match the database? Am I totally screwed on this?

[charpress]

The only thing I can think to do is to replace everyone's secret word with something so that each person can re-create their own passwords from the "forgot password?" window. Replacing both the secret word and the secret question with the same word would make this relatively painless for the users.

I hope someone has a better idea than this.  

[Chris Cromer]

That is a bad idea, if you did that anyone could steal anyone else's account.

I can't remember what version, but if you upgrade to 1.5.5 it should have code in it that will allow passwords to use either the old encryption method or the new one.

So I recommend following the upgrade path on the downloads page to reach 1.5.5 which will be able to use either the old encryption or the new.

[charpress]

I gave the security issue some thought, but in the real world what would stealing someone's account do?

It's just a forum for people to ask questions and exchange ideas.

I will look into upgrading. I really have been hesitating since every upgrade brings up issues that result in yet more work.

This all came about because I wanted to delete posts that were more than a year old. That doesn't work in 1.5.1, by the way. You just get an error message.

Thanks for the help.

[Chris Cromer]

There are security issues if you don't upgrade. Security holes get fixed as well as bugs between the versions. It is always best to keep the forums uptodate.

I gave the security issue some thought, but in the real world what would stealing someone's account do?

It would let them post as that other person. And if the account that they steal has powers like admin, global moderator, or moderator they could delete stuff like posts or members or whatever else. They could also steal people's accounts and use the delete user button in their profile and delete tons of your members. Plus they could collect e-mail addresses of the people's accounts that they steal. And do you want people impersonating other people?

[charpress]

Yes, you're right. I can't disagree with any of that. Yet something had to be done on the short term to get people back where they were.

Lots of angry people tend to make you do whatever is fast.  

I wonder if an upgrade will have the effect of choosing between being able to access old passwords or keeping new passwords?

I'm still left wondering why the delete old posts function from the admin panel didn't work. This all came about because the server host was unhappy about the size of my database.

Am I reading your karma right? A minus 4 billion or so?

[Chris Cromer]

Well you can't choose between old password format and new. But what it does is compare the password to the old password system. If it matches then it converts the password to the new password system and saves the new password to the db. If it does not match then it attempts to compare it to the new password system. If it matches then the password is correct. If it still does not match then the password is wrong.

So all the old passwords would be converted to the new password system the first time a user logs in with the old password system.

Yeah you are reading my karma correctly. That is the lowest possible karma that can be acheived in YaBBSE.

Not sure why the delete old posts function would not work...