Forum Redesign Announcement

Comments

  • rizla_king
    rizla_king Posts: 2,895 Forumite
    The passwords are not stored in the database. Just a double md5 salted hash of your password that it can be verified against when you log in.
    Still rolling rolling rolling...... :) <
    SIGNATURE - Not part of post
  • Monkeyballs
    Monkeyballs Posts: 1,935 Forumite
    Part of the Furniture Combo Breaker
    rizla_king wrote: »
    The passwords are not stored in the database. Just a double md5 salted hash of your password that it can be verified against when you log in.

    Errr... Yes, that is precisely what I meant... Ahem... Obviously! ;)

    MB
  • StumpyPumpy
    StumpyPumpy Posts: 1,458 Forumite
    Part of the Furniture 1,000 Posts Photogenic
    rizla_king wrote: »
    The passwords are not stored in the database. Just a double md5 salted hash of your password that it can be verified against when you log in.
    I hope not. MD5 was cracked over ten years ago and double hashing with MD5 actually makes it less secure as fewer unique hashes are generated leading to even more susceptibility to collision attacks: the hack of choice for MD5 +salt. Google is full of script kiddie kits to do this, so no actual real knowledge needed, just a reasonably modern computer.

    Then again, as long as you don't share your password on this site with other sites, I can't see that it matters too much if your account is hacked. It isn't as if there is any confidential info held or any financial details. Only impact would be the minor inconvenience of someone being able to impersonate you for a while on MSE. Not great, but hardly a disaster. That is unless MSE Towers need to do this before they merge MSE's user database with Money Supermarket's...

    SP
    Come on people, it's not difficult: lose means to be unable to find, loose means not being fixed in place. So if you have a hole in your pocket you might lose your loose change.
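
The storage scheme discussed in the posts above, as an added example that is not part of the thread and not the forum software's own code: a salted double-MD5 check next to a PBKDF2 check from Python's standard library, going one step beyond the thread by re-hashing a legacy record at the next successful login. The layout `md5(md5(password) + salt)`, the record fields, the function names and the iteration count are all assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def legacy_hash(password: str, salt: str) -> str:
    # Assumed layout of the "double md5 salted hash": md5(md5(password) + salt).
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def login(password: str, record: dict) -> bool:
    """Check a password against a user record and upgrade legacy records.

    record is a hypothetical row: scheme, salt, hash (+ iterations for PBKDF2).
    """
    if record["scheme"] == "md5x2":
        ok = hmac.compare_digest(legacy_hash(password, record["salt"]), record["hash"])
        if ok:
            # The plaintext is only available at login, so re-hash it now
            # with the slow KDF and drop the MD5 value.
            salt = os.urandom(16)
            record.update(
                scheme="pbkdf2-sha256",
                salt=salt.hex(),
                iterations=PBKDF2_ITERATIONS,
                hash=pbkdf2_hash(password, salt, PBKDF2_ITERATIONS),
            )
        return ok
    if record["scheme"] == "pbkdf2-sha256":
        salt = bytes.fromhex(record["salt"])
        expected = pbkdf2_hash(password, salt, record["iterations"])
        return hmac.compare_digest(expected, record["hash"])
    return False


def make_legacy_record(password: str, salt: str = "x7Q") -> dict:
    # Constructed sample row, as the forum might have stored it.
    return {"scheme": "md5x2", "salt": salt, "hash": legacy_hash(password, salt)}
```

The stored value never contains the password in either scheme; what changes is how much work each guess costs someone who holds a copy of the table.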
  • JimmyTheWig
    JimmyTheWig Posts: 12,199 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Combo Breaker
    MSE_Ian wrote: »
    Hi all,

    This may seem obvious, but please.

    If you received a private message from MoneySavingExpert telling you that you need to change your password please do not announce this in the forums.

    Please follow the instructions in the private message and change your password. Thank you.

    Ian
    I would have thought that coming to the forum is exactly the obvious thing _to_ do if you receive a suspicious looking message.
  • rizla_king
    rizla_king Posts: 2,895 Forumite
    I hope not.

    Fraid so. If the forum database is hacked to get the hashes to attack against, the forum would likely be ****ed anyway. Real danger is people using stupidly obvious or simple passwords, which is what I hope the recent emails were testing for.
    Still rolling rolling rolling...... :) <
    SIGNATURE - Not part of post
  • Monkeyballs
    Monkeyballs Posts: 1,935 Forumite
    Part of the Furniture Combo Breaker
    I would have thought that coming to the forum is exactly the obvious thing _to_ do if you receive a suspicious looking message.

    Not after it's been confirmed that the emails are genuine... Then again, there seemed to be several threads started so maybe people missed the ones with the relevant info
    rizla_king wrote: »
    Fraid so. If the forum database is hacked to get the hashes to attack against, the forum would likely be ****ed anyway. Real danger is people using stupidly obvious or simple passwords, which is what I hope the recent emails were testing for.

    I've changed it now to something completely different anyway but my password was MA2cu51976! which I would have thought would have been fairly secure but I got the email :(

    MB
  • Old_Wrinkly
    Old_Wrinkly Posts: 5,182 Forumite
    Not after it's been confirmed that the emails are genuine... Then again, there seemed to be several threads started so maybe people missed the ones with the relevant info

    These sorts of threads are often started on various separate boards (the ones that the OPs frequent most) and are then moved here by the Board Guides (or sometimes MSE).
    Most users probably never stray onto the Site Feedback board.
  • meher
    meher Posts: 15,910 Forumite
    10,000 Posts Combo Breaker
    when you re-design it perhaps you could use the opportunity to actually change some board guiding dynamics, for instance, remove some privileges that make boardguides assume some unbridled powers

    Sometimes it is difficult to change some illiberal conventions that make the boards barren at best and hostile at worst. The best time to bring about the change that is needed is to use something else as the platform, for instance, forum design, technical reasons etc - that way no sensibilities are offended either. You'd soon see several boards becoming lush and exciting and truthfully to survive competition, it has to change, imo.

    also, imo, it would be an idea to design it in such a way that a bg would need to send in a report to get permission to lock or delete threads, they would be given temporary access and they can work on it - even better, it is removed altogether and they report like the rest of us mere :D mortals

    my suggestion is earnest and i mean every word btw and i believe i'm on the right path on this one
  • JimmyTheWig
    JimmyTheWig Posts: 12,199 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Combo Breaker
    Not after it's been confirmed that the emails are genuine... Then again, there seemed to be several threads started so maybe people missed the ones with the relevant info
    Call me paranoid, but there's still a tiny bit of me that thinks it is a hoax. What if, for example, the MSE team member who is posting here to say that it is legit has been hacked?
    Unlikely, I know, but possible.

    We have...
    1. Messages being sent out with a dodgy timestamp on them.
    2. Messages being sent out about passwords with a link to a seemingly unrelated thread.
    3. Messages being sent out with a link to change your password (while it is best practice to never click a "change password" link in a message or email).
    4. Messages being sent out on the basis of password strength, which seems unlikely that they would know.
    5. Further to this, the messages have been sent to some users with strong passwords and not to other users with weak passwords.
    6. Users being asked not to discuss the messages on the forum.
  • poet123
    poet123 Posts: 24,099 Forumite
    At best it should not have been sent out in the format it was with a link, at worst it is possible the above poster is correct.
This discussion has been closed.