Sha256

[Hacp]

Does AT store our actual passwords or do they store the salted SHA256 value?

 

[Ruptga]

paging loke

 

[Markbnj]

The common practice (i.e. accepted industry standard/best practice) is to store the hash and salt, send the submitted credential to the back end over TLS, hash it there and compare the values.

 

[Platypus]

vbulletin uses md5 the last I looked, laff, but who knows in our unsupported ALPHA version of the software 😉

more alarming is that a technology forum still refuses to implement any form of TLS transport security. jokes^jokes

 

[Markbnj]

vbulletin uses md5 the last I looked, laff, but who knows in our unsupported ALPHA version of the software 😉

more alarming is that a technology forum still refuses to implement any form of TLS transport security. jokes^jokes

Yep, according to this February post it is MD5 with a weak salt.

https://www.troyhunt.com/data-breaches-vbulletin-and-weak/

 

[Beer4Me]

The AT forums had a password breach in March 2016 according to leakedsource.com.

 

[FerrelGeek]

Not worried. I use a password on here that I only use for discussion forums. I have a much more secure one for real stuff.

 

[Hacp]

Yep, according to this February post it is MD5 with a weak salt.

https://www.troyhunt.com/data-breaches-vbulletin-and-weak/

Are they relying on a collision attack in addition to dictionary? Collision doesn't really mean your password has been compromised, just your account.

(link is blocked for me)

 

[Jeff7]

The articles I've read on it make it sound like any password a human can reasonably memorize is going to have patterns that a computer can recognize and use in order to generate a password library. (Or that a human can type in a reasonable amount of time. Sure, a 512-character password might - might - be secure, but it's slightly inconvenient.)

Wouldn't the only real solution to that problem be to always use a strong, salted hash?

 

[Elixer]

Wouldn't the only real solution to that problem be to always use a strong, salted hash?

Naw, they need to go to public/private keys, kinda like PGP.
That would pretty much eliminate password guessing, and instead would require the key (& the passphrase).

 

[brianmanahan]

The AT forums had a password breach in March 2016 according to leakedsource.com.

holy crap, really?

was this never mentioned on the forum? i never saw it!

 

[Ns1]

can't we just have RSA keys for everything?

 

[TwiceOver]

The AT forums had a password breach in March 2016 according to leakedsource.com.

Maybe this is why I got an email from Amazon today asking me to change my password because they found my email address in a list of password/emails.

 

[Schmide]

I'd like to clarify now that every stupid thing I said here was hackers.

 

[Ns1]

I would also like to apologize for all the errant dick pics and bull penis topics. Because hackers.

 

[Platypus]

I would also like to apologize for all the errant dick pics.

Share with the class...

 

[Jodell88]

The AT forums had a password breach in March 2016 according to leakedsource.com.

I searched for my email address and anandtech.com is the only instance that came up. :|:hmm:

 

[slugg]

Your passwords are stored in a shared text file on DropBox. That's how you can access the forums from many internets.

 

[brianmanahan]

Your passwords are stored in a shared text file on DropBox. That's how you can access the forums from many internets.

oh cool, it's single sign on for the whole interweb

 

[Hoober]

holy crap, really?

was this never mentioned on the forum? i never saw it!

There was a thread on this briefly yesterday morning in OT.

 

[Markbnj]

There was a thread on this briefly yesterday morning in OT.

Yeah that was my post, which included a screen cap of my own password in clear text. The new forum owners pulled it until they could "figure out what happened."

Now this morning I see a forum announcement claiming that "Our passwords in the database are encrypted and we currently do not have any reason to believe the incident resulted in those being revealed." It then goes on to suggest users change their password. Nothing like a big plate of corporate double speak for breakfast.

The passwords in the database are not encrypted. They are hashed with a very weak md5 hash algorithm, and at least some of them were most definitely revealed. Most of the mods received screen caps of their own email addresses and passwords in email yesterday morning from an interested party who was trying to warn everyone. Several mods/former mods, myself included, verified that the hashes and salts were correct for the passwords.

Message of the day: ignore the forum announcement, change your passwords.

 

[Ns1]

Most of the mods received screen caps of their own email addresses and passwords in email yesterday morning from an interested party who was trying to warn everyone. Several mods, myself included, verified that the hashes and salts were correct for the passwords.

Message of the day: ignore the forum announcement, change your passwords.

daaaaaaaaaaaaaaaaaaaaaaaaaaaaaaamn

 

[slugg]

oh cool, it's single sign on for the whole interweb

Right. Exactly. The cloud.

 

[brianmanahan]

Right. Exactly. The cloud.

internet of thingsssss

 

[Ns1]

goddamnit slapped my email into leakedsource.com

https://www.leakedsource.com/

Search completed in: 0.7102 seconds.

Linkedin.com has: 1 result(s) found. This data was hacked on approximately 2012-06-05 00:00:00 What is in this database?
VerticalScope Network (Vbulletin) (939 Websites) has: 1 result(s) found. This data was hacked on approximately 2016-02-01 00:00:00 What is in this database?
Dodonew.com (Chinese) has: 1 result(s) found. This data was hacked on approximately 2012-01-01 00:00:00 What is in this database?
Gawker has: 1 result(s) found. This data was hacked on approximately 2010-12-01 00:00:00 What is in this database?
Anandtech.com has: 1 result(s) found. This data was hacked on approximately 2016-03-15 00:00:00 What is in this database?