[uxcn]

It used to be a salted MD5 hash, but it may have changed.

[krapp]

I would have assumed of course that the size limits were because the passwords were being stored in plaintext in fixed-length fields, but I guess they wanted to make sure they were 'complicated' enough? I guess salted md5 is literally better than nothing.

The character limits for usernames, though... smells like a SQL injection issue. Which is an obvious and completely naive thing to assert but they're using PHP so my immediate thought is that they're passing raw userdata into the database as strings.

[uxcn]

my immediate thought is that they're passing raw userdata into the database as strings

That was my first thought too. I'd guess that it's a vulnerability somewhere in the code for handling the forums.

I would be willing to bet that they could get rid of a lot of the attack surface just by using standard services for certain things.

[krapp]

Probably. If they're not using PDO then that needs to be their first priority, dead stop. After that, maybe looking at their captcha script, because those sometimes have issues if they're not well designed. I don't know where theirs comes from but it doesn't seem to use much obfuscation so it's probably old. After that, Twig.

Although judging by a screenshot of the recent hack[0] posted here[1] escaping (and XSS) may not be an issue.

[0]https://i.imgur.com/pl22srz.png

[1]https://news.ycombinator.com/item?id=9990221

[ProjectEuler]

Admin from PE here.

We've already been using PDO. As for overall privacy/security, please see https://projecteuler.net/privacy

[krapp]

And PHPass as well, fair enough.

Thank you for showing up and addressing my armchair criticisms. I appear to stand corrected.

[uxcn]

I genuinely hope the security hole is findable/fixable. Thank you guys for continuing to run an awesome service, despite asshats repeatedly trying to abuse it.

[sfrank2147]

Thanks for the response!