Cyberclark
Elite Nuker
Joined: Nov 20, 2002
Posts: 237
Posted: Mon Mar 10, 2003 2:16 pm
Had a request from some of my users so figured I would ask. (Well, actually they asked me to remove it altogether and I said no.)
Anyway, is it possible to shorten the random number that is generated for the security code?
I have an admin that is doing a lot of testing for me and is logging in and out of the site a lot as different users with different authorization levels and what not, and I guess his little fingers are starting to hurt, so I told him I would ask.
Cyberclark
Elite Nuker
Joined: Nov 20, 2002
Posts: 237
Posted: Mon Mar 10, 2003 8:39 pm
The code responsible for generating the random number looks to be in the index.php of the Your Account module.
Code:
// gfx() renders the security-code image for the Your Account login form.
// The displayed digits are derived from the visitor's browser user agent,
// the site key from config.php, the random number passed in the image URL
// and today's date, so the same $random_num yields a different code on
// another day or from another browser.
function gfx($random_num) {
    global $prefix, $db, $module_name;
    require("config.php");                      // supplies $sitekey
    $datekey = date("F j");                     // e.g. "March 10"
    // hexdec() of a 128-bit MD5 overflows to a float such as 2.9385409834587E+38
    $rcode = hexdec(md5($_SERVER['HTTP_USER_AGENT'] . $sitekey . $random_num . $datekey));
    // Skip the leading digit and the decimal point, keep the next 10 digits.
    // This 10 is the length discussed below.
    $code = substr($rcode, 2, 10);
    $image = ImageCreateFromJPEG("modules/$module_name/images/code_bg.jpg");
    $text_color = ImageColorAllocate($image, 80, 80, 80);
    Header("Content-type: image/jpeg");
    ImageString($image, 5, 12, 2, $code, $text_color);
    ImageJPEG($image, '', 75);                  // '' sends the image straight to the browser
    ImageDestroy($image);
    die();
}
I was thinking that in the line $code = substr($rcode, 2, 10); I could just change the 10 to 6 and that should do the trick? But I am afraid to try it as I have users on the site already, and I figure if I mess that one up it could be bad.
I really think this is a cool feature but I hear what my people are saying. A user name + password + 5 user random number should keep any script kiddie just as busy as a 10 digit number. Especially since the site this is on isn't mission critical or anything, I doubt anyone would get much joy out of hacking it.
Thanks in advance for any info on this matter.
sixonetonoffun
Major
Joined: Jan 13, 2003
Posts: 892
Posted: Tue Mar 11, 2003 5:35 am
I think if you change all (4) instances of
$code = substr($rcode, 2, 10);
to
$code = substr($rcode, 2, 6);
that will work. For admin you would have to do the same in admin.php. I didn't try admin.php, but it seems to work fine for Your Account so it should work there too. Though of course a 6 digit # is much less secure than a 10 digit #, just like a 5 char pass is much less secure than a 7 char pass.
_________________
www.netflake.com
www.glowoptics.com
intel352
Lieutenant
Joined: Mar 11, 2003
Posts: 180
Posted: Tue Mar 11, 2003 10:12 pm
Seems to me that the code isn't very secure at all, 'cause if you right-click on the image, it has the number in Properties... any decent scripter could easily have the script read the image title and pull out the number...
I know this 'cause I just installed nuke 6.5 rc3, and the damn security image isn't showing up (though it shows up in analyze.php), and I had to login somehow.
ArtificialIntel
Joined: Jan 31, 2004
Posts: -88
Posted: Thu Mar 13, 2003 9:45 am
Erm..... yes and no. That number in the properties shouldn't be the same as the one on the security code block. If it is, something's wrong.
AI
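To make the two points above concrete (sixonetonoffun's substr() change and the question of whether the number in the image URL is the code), here is an added Python model of the gfx() derivation. It is not PHP-Nuke code: it re-implements hexdec(md5(user agent . sitekey . random_num . datekey)) and models PHP's float-to-string conversion (default precision of 14 significant digits, i.e. a '%.14G' format, because hexdec() of a 128-bit MD5 overflows to a float). The user agent, sitekey and random number are constructed sample values. The float conversion is a model and may differ from PHP in the last significant digit, which substr($rcode, 2, 10) never uses.

```python
"""Model of PHP-Nuke's gfx() security-code derivation (added example, not
project code). Shows what shortening substr() changes and that the random
number visible in the image URL is not the code itself."""
import hashlib

PHP_PRECISION = 14  # PHP's default `precision` ini value (assumption: unchanged)


def php_hexdec_to_string(hex_digits: str) -> str:
    """Model PHP: hexdec() of a value beyond PHP_INT_MAX yields a float, and
    using that float as a string formats it with `precision` significant
    digits, e.g. '2.9385409834587E+38'."""
    value = float(int(hex_digits, 16))
    return "%.*G" % (PHP_PRECISION, value)


def nuke_security_code(user_agent: str, sitekey: str, random_num: int,
                       datekey: str, length: int = 10) -> str:
    """The gfx() expression: md5 over UA + sitekey + random_num + datekey,
    converted the PHP way, then substr($rcode, 2, $length)."""
    material = user_agent + sitekey + str(random_num) + datekey
    digest = hashlib.md5(material.encode("utf-8")).hexdigest()
    rcode = php_hexdec_to_string(digest)
    # substr($rcode, 2, $length): skip the leading digit and the decimal point.
    return rcode[2:2 + length]


def code_is_clean(code: str) -> bool:
    """Edge case to check when shortening: %G strips trailing zeros from the
    mantissa, so a slice can occasionally run into the 'E+38' exponent text
    and the image would show non-digits."""
    return code.isdigit()


def demo() -> dict:
    """Constructed inputs standing in for a real login attempt."""
    ua = "Mozilla/4.0 (constructed sample user agent)"
    sitekey = "constructed-sitekey-from-config.php"
    random_num = 123456789          # the value a visitor sees in the image URL
    datekey = "March 10"            # what date("F j") returned that day
    return {
        "long": nuke_security_code(ua, sitekey, random_num, datekey, 10),
        "short": nuke_security_code(ua, sitekey, random_num, datekey, 6),
        # Same URL number, different site key: the visible code changes,
        # so the URL parameter alone does not give away the code.
        "other_site": nuke_security_code(ua, "another-constructed-key",
                                         random_num, datekey, 10),
        "url_number": str(random_num),
        # Guess space the login throttling has to cover after the change.
        "guesses_long": 10 ** 10,
        "guesses_short": 10 ** 6,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} {value}")
```

Changing the 10 to 6 keeps the first six of the same digits, so nothing about how the code is validated changes, only how much of it is shown; the trade is a guess space of one million instead of ten billion, which is why a lockout or delay on repeated failed logins matters more after the change.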
intel352
Lieutenant
Joined: Mar 11, 2003
Posts: 180
Posted: Thu Mar 13, 2003 12:17 pm
Hmm... I'll have to check it now, but I've installed RC3 twice, and had to login using that method each time...
Astalon_Decurth
Nuke Soldier
Joined: Feb 13, 2003
Posts: 10
Location: Pine Bluff, Arkansas
Posted: Tue Mar 25, 2003 10:30 am
How do you get the image to center in the block after changing it? Out of curiosity. BTW, thanks.
mikem
Theme Guru
Joined: Jan 13, 2003
Posts: 1582
Location: Corn fields of Indiana
Posted: Tue Mar 25, 2003 11:04 am
Cyberclark wrote:
    Had a request from some of my users so figured I would ask. (Well, actually they asked me to remove it altogether and I said no.)
    Anyway, is it possible to shorten the random number that is generated for the security code?
    I have an admin that is doing a lot of testing for me and is logging in and out of the site a lot as different users with different authorization levels and what not, and I guess his little fingers are starting to hurt, so I told him I would ask.
Back to the original question:
6.5 Final has the security code shortened to 6 characters by default.
mikem
_________________
Getting Started | My Projects
dsnail2000
Site Admin
Joined: Mar 17, 2003
Posts: 331
Location: Northern VA
Posted: Wed Apr 02, 2003 2:52 pm
The new account security code at www.controlbooth.com shows 7 visible numbers and what appears to be another one that is hidden... Any suggestions or known fixes that I haven't found for this problem?
And... what part of the English language file do I need to copy to have that same page correctly display the English translation of those fields?