MyBB Community Forums

MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.6 > 1.6 Security Management and Support > Global password resets
Full Version: Global password resets
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

kdevs

2013-09-16, 02:40 AM
Hey, my forum had a security issue and because of it, I would like to reset all members passwords and send a global email.

How can this be possible? The only plugin i found wasn't compatible.

Arbaz

2013-09-16, 03:14 AM
Password Reset

Plugin: http://mods.mybb.com/view/force-password-change

Open plugin file and find;

"compatibility"     => "1605"

and Change it into;

"compatibility"     => "16*"

Global E-mail

Go to ACP>Users & Groups>Mass Mail>Create New Mailing

kdevs

2013-09-16, 03:34 AM
(2013-09-16, 03:14 AM)Arbaz Wrote: [ -> ]Password Reset

Plugin: http://mods.mybb.com/view/force-password-change

Open plugin file and find;

"compatibility"     => "1605"

and Change it into;

"compatibility"     => "16*"

Global E-mail

Go to ACP>Users & Groups>Mass Mail>Create New Mailing

This helps, but we was hacked because of an XSS vuln. of ajax chat. I believe they have a list of a few users with their passwords because of it. So, I geuss my question is how to also globally reset all passwords on the forums?

Arbaz

2013-09-16, 03:41 AM
Well there's not much people can do with your database. The most they will try to do is to sell the accounts or DB. The force password change plugin will force all your members to change their password. If you want, you can change all your members password (By running a SQL query) to a certain password such as johnerty758 or something and send a mass mail. Tell your members that the password in the e-mail is their newly generated password and they have to use that password to log in to their account and change their password accordingly.

If you want the query, let me know.

kdevs

2013-09-16, 03:42 AM
(2013-09-16, 03:41 AM)Arbaz Wrote: [ -> ]Well there's not much people can do with your database. The most they will try to do is to sell the accounts or DB. The force password change plugin will force all your members to change their password. If you want, you can change all your members password (By running a SQL query) to a certain password such as johnerty758 or something and send a mass mail. Tell your members that the password in the e-mail is their newly generated password and they have to use that password to log in to their account and change their password accordingly.

If you want the query, let me know.

That would be nice. Thank you.

Arbaz

2013-09-16, 03:56 AM
I think the following query should do the trick:

UPDATE `mybb_users` SET `salt` = '', `password` = md5('password') WHERE `uid` = *;

Replace "Password" with the text of your choice.

Be sure to create a backup of your board before running the above query.

Krytic

2013-09-20, 10:46 PM
Unfortunately that won't work. MyBB's passwords aren't md5'd (that's actually a very bad idea to leave it at that), they are thrown through several hashes and a salt.

UPDATE `mybb_users` SET `password` = '098f6bcd4621d373cade4e832627b4f6', `salt` = '' WHERE `uid` = *;

Untested, but run this and everybody's password should be "test". But as Arbaz said, back up your board and db first.
MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.6 > 1.6 Security Management and Support > Global password resets