The following is a list of commonly asked questions about passwords in the Discus discussion board system:
- How can I determine what a user's password is?
- What do I do if I forgot the administrator's password?
- What do I do if a moderator forgot his/her password?
- What do I do if a user forgot his/her password?
- Is there any way for a user to reset his/her password without asking a moderator?
- Is it possible to decrypt a password in the password file?
- Are plain-text passwords stored anywhere on the server?
- Are plain-text passwords ever sent as cookies?
- Are plain-text passwords ever stored on the visitor's machine?
- How can I allow users to create their own accounts?
- How secure is the Discus encryption mechanism?
- Why do I see "crypt() unimplemented due to excessive paranoia"?
- Is it possible for someone to use a brute force attack to crack password?
- Can I modify Discus not to use encrypted passwords?
- Can I disable the administration passwords being stored in a cookie?
- Why do some other discussion board programs use plain-text passwords?
- If a script can mail me my password back, is it stored in an encrypted format?
- Why should I be concerned about the security of my password?
- Can Discus just share my /etc/passwd usernames and passwords?
- How can I make Discus work with my other membership script?
- Can I use an external database to store my users?
- Is there any difference between the encryption used in Discus Freeware and Discus Professional?
- What script do I need to change to make Discus ........
1. How can I determine what a user's password is?
You can't. For the security of the users, Discus stores all passwords in encrypted form. The algorithm used is the standard "crypt" function that comes as part of
Perl. This is a one-way algorithm, meaning that to test whether a password is right, a user's guess is encrypted and then compared to the encrypted entry in a file.
If a user forgot his or her password, read Q&A 4.
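As an added illustration of the check described above (example code written for this FAQ, not part of the Discus scripts), the following Perl shows how a stored crypt entry is created with a random salt and how a guess is verified by re-encrypting it and comparing; the password and salt values are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Salt alphabet accepted by the traditional crypt(3) DES scheme.
my @SALT_CHARS = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Build an entry for the password file: a fresh two-character salt
# followed by the one-way hash. Only the result is ever written out.
sub make_entry {
    my ($password) = @_;
    my $salt = join '', map { $SALT_CHARS[int rand @SALT_CHARS] } 1 .. 2;
    return crypt($password, $salt);
}

# Verify a guess: encrypt it with the salt taken from the stored entry
# and compare the outputs. crypt() reads only the leading salt characters
# of its second argument, so passing the whole stored entry is idiomatic.
# Note that the traditional DES variant of crypt uses only the first eight
# characters of the password; anything beyond that is ignored.
sub verify {
    my ($guess, $stored) = @_;
    return crypt($guess, $stored) eq $stored;
}

# Constructed demonstration values.
my $entry = make_entry('tr0ub4dor');
print "stored entry: $entry\n";   # hash only; the plain text is not kept

print verify('tr0ub4dor', $entry) ? "match\n" : "no match\n";
print verify('wrongguess', $entry) ? "match\n" : "no match\n";

# The same password stored twice gets different salts and so different
# entries, which is why a stored hash cannot simply be compared across users.
print make_entry('tr0ub4dor'), "\n";
```

Running this on a Perl build without crypt support produces the "crypt() unimplemented due to excessive paranoia" error discussed in Q&A 12.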
2. What do I do if I forgot the administrator's password?
The administrator's password cannot be determined, as it is encrypted. However, it can be reset to the blank password like the first time you installed Discus.
This can be done only if you have FTP (or telnet) access to your server -- it can't be done through the administration program for obvious security reasons. To learn
how, read our document on resetting the administrator's password.
3. What do I do if a moderator forgot his/her password?
Log into the administration program, go to Moderator Manager and click the "Edit" button next to the moderator's username. There is a "Change Password" section
where you can enter a new password for the moderator even without knowing the current password. There is no way for you (or anyone else) to determine what the old
password was, as it's stored in encrypted form.
4. What do I do if a user forgot his/her password?
Log into the User Manager and click the "Edit" button next to the user's username (in the appropriate group). There is a "Change Password" section where you can
enter a new password for the user even without knowing the current password. There is no way for you (or anyone else) to determine what the old password was, as it's
stored in encrypted form.
5. Is there any way for a user to reset his/her password without asking a moderator?
Discus Professional 4.0 and higher include a "forgotten password recovery" feature, allowing a user to reset their password without asking a moderator. This useful feature saves time and effort, both for the user and the moderator.
6. Is it possible to decrypt a password in the password file?
No. Encrypted passwords cannot be decrypted. If a password is forgotten, follow the instructions to reset it for the superuser, moderator, or user.
7. Are plain-text passwords stored anywhere on the server?
No. Discus takes special precautions never to store plain-text passwords in any of its files or to cause those passwords to be written to the server's
logs.
8. Are plain-text passwords ever sent as cookies?
No. Discus only sends passwords in encrypted form.
9. Are plain-text passwords ever stored on the visitor's machine?
No. Discus does not cause plain-text passwords to be stored on the visitor's machine.
The one exception to this is that some browsers (IE 5+ and Netscape 6+) allow the user to have the browser remember the password. Should the user choose to let
the browser remember their login information, it is the user's responsibility to manage that feature and to enable or disable it as desired.
10. How can I allow users to create their own accounts?
Discus Professional contains a user self-registration utility that allows users to create their own accounts. For more details, consult the administration instructions.
11. How secure is the Discus encryption mechanism?
The encryption mechanism is the standard Perl "crypt" function, which is the same level of security used to encrypt unix passwords. There is no known way to
decrypt passwords encrypted with this algorithm.
12. Why do I see "crypt() unimplemented due to excessive paranoia"?
Some distributions of Perl, especially those for Windows platforms, do not include the "crypt" function because it was once believed that this function could not
legally be exported to countries outside the United States. Both the old ActiveState perl ports and the new ActivePerl distributions have the crypt function implemented. Install (or convince your web host to install) a port of
Perl that meets our system requirements.
13. Is it possible for someone to use a brute force attack to crack a password?
A brute force attack is always possible (where one randomly or sequentially guesses passwords until a match is found). This is possible against any encryption
algorithm. You should avoid common dictionary words as your passwords, as crackers often guess dictionary words. Passwords such as your username, the word "password"
or something like "123" are particularly insecure. Good passwords consist of a combination of letters and numbers that are not based on words in the dictionary.
(This advice applies to all systems, including your e-mail account, as well as to Discus!)
14. Can I modify Discus not to use encrypted passwords?
It's possible to modify Discus to do anything, but we don't support it. Besides, it's just not a good idea. Don't.
15. Can I disable the administration passwords being stored in a cookie?
No, for several reasons. The main reason is that the password would end up getting stored in the server's access log (Discus 2.00, back in June of 1997, had this
problem; this was fixed in version 2.01, July 1997, with the implementation of the cookie solution, and has not been a problem since). Your encrypted password in a
cookie does not get stored in the server's log. If you insisted on making this change, it would require you to make substantial modifications to the script, which is
of course unsupported.
16. Why do some other discussion board programs use plain-text passwords?
It is shocking that some competing discussion board products do not extend to their users the security of storing their passwords in encrypted form. This spells
bad news for the users if someone happens to get hold of the password file in an unauthorized manner. We encourage anyone considering the use of any product to
ensure that passwords are always stored in a sufficiently secure one-way encryption algorithm, such as that used by Discus. If passwords are not stored in an
encrypted manner, we believe that it is the duty of the administrator to inform the users that their passwords are stored in such an insecure manner.
17. If a script can mail me my password back, is it stored in an encrypted format?
No. If a script can mail you your plain-text password, they certainly did not use a one-way encryption algorithm to store your password on their system. This is
bad. See the previous Q&A for more.
18. Why should I be concerned about the security of my password?
If someone got your discussion board password, they could impersonate you by posting on the discussion board. Although this may not seem terribly serious, a
majority of users hate remembering separate passwords for every application they use. Thus, many users utilize the same password for their e-mail accounts, on-line
credit card and banking systems, and discussion boards. If you're using the same password for your on-line banking as you are using for your discussion board, and
your discussion board password falls into the wrong hands, this is bad news.
19. Can Discus just share my /etc/passwd usernames and passwords?
No, Discus is not designed to do this. The reason: /etc/passwd is not writable to your web server (doing this would create all kinds of awful security problems on
your site). Discus maintains its own separate databases, passwd.txt for moderators and users.txt for users.
20. How can I make Discus work with my other membership script?
Your best bet is to modify your other membership script to automatically add a Discus account when someone signs up for your site. The Discus code to add accounts
is in the fcn-acct.pl script, under the "source" directory.
Note: DiscusWare does not support the modification of our (or your) scripts.
21. Can I use an external database to store my users?
Discus Professional 4.0 (and higher) can use a MySQL database to store user and moderator data. This database is in Discus format.
Discus is not designed to interact with non-Discus databases. Discus stores account data in its own separate MySQL database tables, or, when the database link has
not been enabled, in its own files.
22. Is there any difference between the encryption used in Discus Freeware and Discus Professional?
No. Discus Professional adds several features, but the underlying structure is all the same. Discus Freeware and Discus Professional passwords are encrypted in the same manner, and both products must meet our high security standards before being released to the public.
23. What script do I need to change to make Discus ........
DiscusWare does not support the modification of the scripts or the source code, so we cannot answer this question for you. You are free to modify Discus for your
own use, so long as you comply with the license agreement (especially that you do not remove copyright notices and that you do not redistribute the code or your
modifications). However, DiscusWare will not answer any questions regarding modifications of the script or provide support in instances where scripts have been
modified.