-
We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.
Sha256
Page 2 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.
I don't blame them for not knowing it occurred at the time. But the data was unequivocally shown to be public yesterday, and the response since then has been wholly inadequate. They covered it up for almost 24 hours and then posted a forum announcement that was frankly deceptive. They claimed password encryption, which is false by anyone's definition. They claimed that because of the "encryption" no passwords were revealed. They presumably base this on the fact that only the hashes exist in the database, but they knew yesterday that a high percentage of those md5 hashes have already been cracked. I say "high percentage" because of the fact that a large percentage of the mod accounts were proven to be cracked, and since the attackers had no practical way to target specifically mod accounts that can be taken as an approximation of how many of the accounts were cracked.
I'll say it again: your AT email address and password HAVE BEEN CRACKED, so change your password here, and anywhere else that you used that email and password combination.
Beer4Me
Senior member
Thanks Markbnj!
core2slow
Senior member
Red Squirrel
No Lifer
Guessing it uses MD5 + a salt, but never really played with vB.
Personally anything I code that's web based that uses a login that's usually what I do, there is absolutely zero reason to store plain text passwords. Though I have not coded anything in a while. Now days I'd probably use SHA256 whatever is considered the best after some research. MD5 is still better than nothing though, as it will buy you/your users time to change passwords that have been reused on other sites. Ex: forum gets hacked, you advise your users to immediately change their passwords if they use it on other sites. If you/they act fast enough the hacker may not have finished doing a dictionary/rainbow table etc attack yet.
Personally anything I code that's web based that uses a login that's usually what I do, there is absolutely zero reason to store plain text passwords. Though I have not coded anything in a while. Now days I'd probably use SHA256 whatever is considered the best after some research. MD5 is still better than nothing though, as it will buy you/your users time to change passwords that have been reused on other sites. Ex: forum gets hacked, you advise your users to immediately change their passwords if they use it on other sites. If you/they act fast enough the hacker may not have finished doing a dictionary/rainbow table etc attack yet.
Red Squirrel
No Lifer
Never use MD5. I thought of a single edge case where MD5 is the best encryption you could use, but it would be the kind of edge case you would want a large team of security experts to consider, as it would require the plain-text password somewhere. Or, it could be useful for honeypotting.
You want to use SHA-512, unless 1028 is out yet (been a few years, don't know if its usable yet). I just checked wikipedia and it looks like the SHA-3 methods have been standardized, so 1028 would be the way to go presumably now
That's still a fast hash. Pbkdf2 or bcrypt for the win.
You are the second person now that I have seen with that.
No other signs of fuckery, just the changed email.
Viper GTS
brianmanahan
Lifer
yeah definitely bcrypt
With iterative hashing, speed doesn't make a difference (iirc PBKDF2 is just iterative hashing/key stretching using an underlying method like SHA-512?). IIRC back when I was researching it several years ago, SHA-512 HMAC was always the best solution for ultimate control and security, if you didn't mind rolling your own iterative hashing / key stretching (both not too difficult to do) -- might have been something related to the output length
Ichinisan
Lifer
Gawker was pretty big too. That whole database was immediately released on public torrents. Googling my username would show my plaintext password in the Google search results before I even click anything.
Yeah but that's the point. You don't want to write your own key stretching algorithm, or really reinvent the wheel anywhere else in this area. So pbkdf2 or bcrypt.
Sure you do (well, maybe you don't, but you could is my point). It actually is very easy once you understand it (and it doesn't take a lot to understand once you start looking into it, really, it doesn't). Like, just running a function in a loop kind of easy.
That being said, I'll note that I don't suggest someone tries to create their own hashing algorithms (ie: I'm not suggesting to do something like make Markbnj-512 to replace SHA-512). Doing so would be ultra-advanced specialty territory. Just that the additional standards are thing you could implement yourself if you wanted without much difficulty.
It just really depends on the level of customization you want, honestly. Are the existing functions like PBKDF2 sufficient to cover things that you would otherwise have to roll-your-own on? Sure. Is that as much fun or give you as much customization or security that you want? Not to me 😀
Last edited:
Mmm, I think security is a different animal. I'm not afraid to create my own implementations, but I wouldn't in this area unless, as you suggest, there were some requirement that couldn't be fulfilled any other way. I feel that situation is highly unlikely to arise, though.
rh71
No Lifer
why don't we have this yet g'damnit?!!!!
Ns1
No Lifer
O_O
Red Squirrel
No Lifer
I wrote my own hashing algorithm a while back just for fun of it. I would not trust it for security mind you and it's not even meant for that but it was fun to do. Basically I have this small app that is used to just go through source/header files and it just puts a generic header block with lines of code, last modified date etc... and I just needed a way to detect if a file changed so I'm not repeating that process for nothing on each file, so the hashing algorithm is used for that. I wanted the app to be portable in a single .cpp file that will compile on any system without the need of dependencies, and the hashing algorithm is just a single function. It will of course work with any length of data, whether it's a single character or a super long file. For my purposes I actually needed it to be fast, so it does not do anything fancy. It's mostly a combination of adding, subtracting and multiplying. What is at one end of the data stream can affect how another end of it is handled, so changing a single character anywhere ends up with a competently different hash value.
You shouldn't use the same password anywhere else anyways. Especially not with this forum (or many other forums) because they don't even implement TLS.
tl;dr --> you should not expect any privacy, and if I was on the same network as you I could probably grab your password in plain text with trivial effort as you log in.
tl;dr --> you should not expect any privacy, and if I was on the same network as you I could probably grab your password in plain text with trivial effort as you log in.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 24K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 24K
-
-
