Time for some more techie stuff, I think.
Behold: the layman's guide to forum password security
VictimOfImpersonation wrote: »Databases like MSE's evidently contain email addresses linked with usernames linked with (encrypted) passwords linked with IP addresses. I am not sure how difficult it is to decrypt encrypted vBulletin passwords, or whether a hacker would even need to try.
So, how do you log in if it doesn't save your password? Well, when you enter your password to log in, the forum takes what you have typed in, and runs it through the hashing process. If the end result matches what it has saved for the account name you gave, it lets you in. If it is different, then it knows the password is incorrect.
So your password can never be directly retrieved from the database - which is also why if you forget it, you have to have it reset, not sent to you.
Your password CAN, however, be 'cracked' - but unless you are using a weak password (real words, common passwords) that can be easily found using a dictionary attack (where they throw a list of common passwords at the hashed version very, very fast to see if one matches), it needs a brute force attack and can take a LONG time. The longer a password is, and the more unusual it is, the harder it is to crack.
A dictionary attack is where hackers use a list of well-known passwords (such as 'password', 'letmein', '1234567890', common names, makes of car etc.) and run it against the encrypted password list. This means trying out every password in the dictionary against every single user file - but that is a task that can take mere seconds on an average machine, even on very large data files.
A brute force attack is similar to a dictionary attack, but it tries ALL possible password combinations. Of course, that takes a LOT of time, so it's not uncommon for the hacker to limit what they try - for example, to only use lower case letters and limit the password length to 8 characters.
Now, I've not done exhaustive research into brute force attacks, but in ballpark terms, assuming 100 million tries per second (a reasonable attack rate) on a strong eight letter, non-dictionary password, knowing both hashes and salts, it would take about three hours to crack a single password. A strong twelve letter password (again non-dictionary), on the other hand, would take over 30 years to crack on a machine running at a billion tries per second.
The addition of a 'salt' (an extra bit of data to the original password, which is randomly generated and stored separately) to the hashing process also means that they can't crack one password and then use the information gained from that exercise to read everyone else's - each one would have to be cracked individually. So your average hacker, even one with a lot of resources, isn't going to waste time trying to crack every single password on a site, but will go after the 'low hanging fruit' - those which can be harvested by a dictionary attack or a short brute force effort. Unless they have a target account whose password they REALLY want, anything else is a waste of effort.
So, in short, password length and complexity are the biggest security factors, NOT the form of encryption used. If you use 'password' or 'letmein12345678' as your password, it will be discovered in milliseconds by a basic dictionary attack no matter how securely it is hashed/encrypted. Use something like 'tHD)eG4Su£a', on the other hand, and it's pretty much safe from cracking.
As general rules:
- DON'T use 'weak' passwords - names, real words, common passwords, all lower case, etc.
- DO include a mix of upper and lower case, and at least one symbol or number.
- DO make it long. Length in particular increases the required cracking time exponentially, so the longer the better - aim for eight letters as a minimum.
- DON'T use the same password over different important sites or e-mail accounts.
- NEVER use a banking password anywhere else!
~Jes
Never underestimate the power of the techno-geek...
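As an added illustration of the hashing, salting and cracking-time points made in the post above (example code written for this page, not from the original thread or from vBulletin; PBKDF2-HMAC-SHA256 as the slow hash and the short list of common passwords are my assumptions):

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Work factor for PBKDF2. PBKDF2-HMAC-SHA256 is assumed here as a concrete slow
# hash; the post does not say which hash vBulletin itself uses.
ITERATIONS = 100_000

# Constructed sample of the "well-known" passwords a dictionary attack tries first.
COMMON_PASSWORDS = ["password", "letmein", "1234567890", "qwerty", "football"]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The site stores both; the password itself is never kept."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Login check: re-hash what was typed with the stored salt and compare the results."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def in_common_list(password: str, common: List[str] = COMMON_PASSWORDS) -> bool:
    """Exposure to a dictionary attack: does the password appear in a well-known list?"""
    return password.lower() in {p.lower() for p in common}


def brute_force_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every combination of this alphabet size and length."""
    return charset_size ** length / guesses_per_second


if __name__ == "__main__":
    salt, digest = hash_password("tHD)eG4Su£a")
    print("correct password accepted:", verify_password("tHD)eG4Su£a", salt, digest))
    print("wrong password rejected:", not verify_password("letmein12345678", salt, digest))
    # Same password on two accounts with two salts: the stored digests differ, so
    # cracking one account (or a precomputed table) says nothing about the other.
    print("salts differ:", hash_password("password")[1] != hash_password("password")[1])
    print("'letmein' in common list:", in_common_list("letmein"))
    for length in (8, 12):
        hours = brute_force_seconds(62, length, 1e9) / 3600
        print(f"{length} chars of [a-zA-Z0-9] at 1e9/s: {hours:,.0f} hours worst case")
```

Length dominates the last two lines of output: going from 8 to 12 characters multiplies the search space by 62^4, which is why the post says to make passwords long rather than rely on the hash.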
The overreaction is a response to your intimidating posts if I'm honest. If you leave people be with their concerns as they find it, it wouldn't be so dramatic. If the team is willing to take it seriously what's your issue about people posting their concerns as they find it?
but the issue is the post man knows your address. He carries your important documents. - He's more of a risk to you than a email address. Yet 99% will still trust their post man.
MSE only have an email for you. They don't need your address etc. So what if someone hacked it and got your email. It doesn't hurt you unless you click the link.
whilst i agree not everyone knows about links in emails. common sense should still set alarm bells off.
My responses are purely because the MSE team and Martin are getting verbally reprimanded by people who have no clue. How's that fair? Martin set this place up and allows us to share his knowledge for FREE, and I can only assume we all come back daily because either we've got an issue and need assistance or we like the general banter.
Posters have demanded an explanation - What for ?
The government are full of to$$ers but can I get a response why they are demolishing this country? - no I can't
The point being is MSE protect us the best they can. If they get hacked it's part and parcel of the internet. you can't stop it and you'll never eradicate it from the web.
Why don't people just use this experience as a lesson and in future don't use your main email or work email and have a separate one like myself for things like this. It's not rocket science, it's common sense.
If Adam and Eve were created first, does that mean we are all inbred
MSE_Webmaster wrote: »Hi folks,
Thanks for bringing this to our attention, we're looking into it as a matter of urgency.
DO NOT CLICK ON ANY LINKS IN THAT E-MAIL!!! It is likely to link to a trojan or other types of malware.
Please note that we would never voluntarily allow anyone access to your personal information so we're investigating the security side of things.
Webby
I've been registered here for 7 years, I didn't receive an email.
I feel left out *stamps foot and flounces off*
Bulletproof
I've not received an email at all, but have just received the PM pointing me to this thread.
Creeping back in for accountability after falling off the wagon in 2016. Need to get back to old style in modern ways, watching the pennies and getting stuff done!
The_Gerbil wrote: »Yes but then you haven't mentioned "rainbow tables"
I got it; I deleted it; I never click links on e-mails I'm not expecting or forwarded jokes/pictures/video clips. Go find it through Google or whoever to check it first.
Then, Flagfox add-on for Firefox is a quick check that the website is genuine before you part with any info...
Hi folks,
Just to let you know that we have sent a PM to all forum members about this, starting at about 2.40pm today - so you can open it, it isn't more spam!
dan
Former MSE team member