so is AT forum security compromised?

Status
Not open for further replies.
As a lowly user, it's IMO a fairly serious accusation that the mods knew someone was able to access our passwords and didn't say anything about it. :'(
 

Evadman

Administrator Emeritus, Elite Member
As a lowly user, it's IMO a fairly serious accusation that the mods knew someone was able to access our passwords and didn't say anything about it. :'(

Passwords are stored hashed and salted, so unless the DBA put something between the database and application to write the plain text passwords somewhere, it would be almost impossible to retrieve the actual password. There is no reason for a DBA to do that, so I highly doubt that would occur. If a DBA wanted to crack, there are way easier ways to do it.

If there was a crack done, it is probably on cookies or malicious links that pull a cookie down and allow a cracker to recreate the cookie required to auto-login as another user. It isn't a crack on AT, it is a crack on a user, and their browsing habits. AT limits this for mods/admins, as to perform any moderator activity, the password itself is required again. So to ban someone, we need to enter a password. Same for moving a thread, editing a post, etc. Be careful where and how you browse, and you can prevent the vast majority of that type of attack.

Way more likely is that someone guessed a user's password, or ran a dictionary attack on a user. Use a password that isn't in a dictionary, and if possible longer than 14 characters, and you can mitigate this risk as well.
 
Passwords are stored hashed and salted, so unless the DBA put something between the database and application to write the plain text passwords somewhere, it would be almost impossible to retrieve the actual password. There is no reason for a DBA to do that, so I highly doubt that would occur. If a DBA wanted to crack, there are way easier ways to do it.

If there was a crack done, it is probably on cookies or malicious links that pull a cookie down and allow a cracker to recreate the cookie required to auto-login as another user. It isn't a crack on AT, it is a crack on a user, and their browsing habits. AT limits this for mods/admins, as to perform any moderator activity, the password itself is required again. So to ban someone, we need to enter a password. Same for moving a thread, editing a post, etc. Be careful where and how you browse, and you can prevent the vast majority of that type of attack.

Way more likely is that someone guessed a user's password, or ran a dictionary attack on a user. Use a password that isn't in a dictionary, and if possible longer than 14 characters, and you can mitigate this risk as well.


Gotcha; makes perfect sense - thanks for the update! :thumbsup:
 

Alone

Diamond Member
I would imagine it would be near impossible to run a dictionary attack on a user's account here. Would they not be locked out after X attempts?
 

Evadman

Administrator Emeritus, Elite Member
I would imagine it would be near impossible to run a dictionary attack on a user's account here. Would they not be locked out after X attempts?

For a certain number of minutes, yes. But then you just try another user's account. There are 200k+ users, so in a round-robin type dictionary attack, it would be possible to not pass the 15-minute increment.

Plus, if you have done any password mitigation, you would know there are certain passwords that are used over and over. In fact, a huge portion of passwords follow an extremely predictable pattern.

Here's something crazy that I noticed in 2 different systems I ran an analysis on. 3% of passwords in both systems were exactly the same. I'm not going to tell you what it is (you can look online yourself), but if that holds true here, I would be able to access about 6,000 accounts here on AT with it. I have seen some other analysis online that has also come up with the same exact characters in roughly the same occurrence frequency.

You don't have to be a hacker, you just have to think like a user thinks. 159357 is not a secure password. Neither is asdf or 1q2w3e4r or qwerty or wasd. Same with omgwtfbbq. I bet that 20% of users here (or any bbs) have the same 25 or less passwords. Almost 10% will have the same 5 passwords.

The easiest thing to hack is a person. Always will be.
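The round-robin attack described in the post above, as an added example that is not part of the original thread: a simulated lockout policy (5 failures per account inside 15 minutes), a spray that tries one password against every account before moving to the next password, and the detection signal a site needs in order to see it. The user table, the password list, the lockout numbers and the source address are all constructed for the demo; the simulated clock counts seconds and nothing touches a network.

```python
# Added example (not from the thread): a lockout-aware password spray against
# a constructed user table, and the detection signal a per-account lockout
# counter never sees. Simulated clock in seconds; no network involved.
import hashlib
import os
from collections import defaultdict, deque


def _store(password):
    """Salted SHA-256 record for the simulated user table (a real store
    should use a slow KDF such as bcrypt/scrypt/Argon2; this is a demo)."""
    salt = os.urandom(8)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def _check(record, password):
    salt, digest = record
    return hashlib.sha256(salt + password.encode()).digest() == digest


# Constructed accounts: 300 users, two with the kind of reused password
# the thread talks about.
USERS = {f"user{i:04d}": _store(f"long-unique-passphrase-{i}") for i in range(300)}
USERS["user0042"] = _store("123456")
USERS["user0137"] = _store("qwerty")

# Stand-in for the "top 500" list: a few of the passwords named in the thread.
SPRAY_LIST = ["123456", "password", "qwerty", "159357", "1q2w3e4r"]


class LockoutPolicy:
    """Lock an account after `max_failures` failed logins inside `window`
    seconds; the lock lasts `lock_for` seconds (5 failures / 15 min here)."""

    def __init__(self, max_failures=5, window=900, lock_for=900):
        self.max_failures, self.window, self.lock_for = max_failures, window, lock_for
        self.failures = defaultdict(deque)  # account -> recent failure timestamps
        self.locked_until = {}
        self.lockouts = 0

    def attempt(self, account, password, now):
        """Return 'locked', 'ok' or 'fail' for one login attempt at time `now`."""
        if self.locked_until.get(account, -1) > now:
            return "locked"
        if _check(USERS[account], password):
            return "ok"
        q = self.failures[account]
        q.append(now)
        while q and q[0] <= now - self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lock_for
            self.lockouts += 1
            q.clear()
        return "fail"


class SprayDetector:
    """Flag a source once it has failed against `threshold` distinct accounts
    inside `window` seconds. Per-account counters cannot see a spray; the
    distinct-account count per source can (until the attacker rotates sources)."""

    def __init__(self, threshold=20, window=900):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)  # source -> (timestamp, account)

    def observe_failure(self, source, account, now):
        q = self.seen[source]
        q.append((now, account))
        while q and q[0][0] <= now - self.window:
            q.popleft()
        return len({a for _, a in q}) >= self.threshold


def spray(policy, accounts, wordlist, detector=None, source="203.0.113.7",
          seconds_per_attempt=1):
    """Round robin: one password against every account before the next
    password, so two attempts on the same account are len(accounts) *
    seconds_per_attempt apart and the lockout window never fills."""
    now, attempts, hits, first_alert = 0, 0, [], None
    for pw in wordlist:
        for acct in accounts:
            result = policy.attempt(acct, pw, now)
            attempts += 1
            if result == "ok":
                hits.append((acct, pw))
            elif result == "fail" and detector is not None:
                if detector.observe_failure(source, acct, now) and first_alert is None:
                    first_alert = now
            now += seconds_per_attempt
    return {"attempts": attempts, "elapsed_s": now, "hits": hits,
            "lockouts": policy.lockouts, "first_alert_s": first_alert}


def hammer_one_account(policy, account, wordlist):
    """The naive attack for contrast: every guess at one account, back to back."""
    results = [policy.attempt(account, pw, t) for t, pw in enumerate(wordlist)]
    return results, policy.lockouts


def run_demo():
    sprayed = spray(LockoutPolicy(), sorted(USERS), SPRAY_LIST, SprayDetector())
    hammered, locks = hammer_one_account(LockoutPolicy(), "user0000",
                                         SPRAY_LIST + ["letmein"])
    return sprayed, hammered, locks


if __name__ == "__main__":
    s, h, l = run_demo()
    print(f"spray: {s['attempts']} attempts, {s['lockouts']} lockouts, "
          f"hits={s['hits']}, first alert at t={s['first_alert_s']}s")
    print(f"single account: results={h}, lockouts={l}")
```

With 300 accounts and one attempt per second, the five failures any one account sees are 300 seconds apart, so its 15-minute counter never reaches five and the two weak accounts fall without a single lockout; a larger account list only spreads the attempts further. Hammering one account locks it on the fifth guess. The detector fires at the 20th distinct account failing from one source, which is why rotating proxies is the attacker's answer to it and why the counter has to live on the source (or on the guess being repeated), not on the account.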
 

Alone

Diamond Member
For a certain number of minutes, yes. But then you just try another user's account. There are 200k+ users, so in a round-robin type dictionary attack, it would be possible to not pass the 15-minute increment.

I understand your point for the most part, but I think to cycle proxies and targets repeating the same dictionary list against the accounts would be a bit wasteful if only to log on and say hi. As for common passwords, well, that's fair enough.
 

Evadman

Administrator Emeritus, Elite Member
I understand your point for the most part, but I think to cycle proxies and targets repeating the same dictionary list against the accounts would be a bit wasteful if only to log on and say hi.

For you and me, yes. For someone who has a grudge? Or someone who wants to make a point? Or hell, just to troll (we have lots of those)? I think there are lots of folks who may try. It would probably only take 20 minutes to write a program to do it, and then you let it run for a week to see if anything happens. 500 passwords would take slightly over 1 day. Use more than 1 machine, and the time required will drop exponentially.

Why would Evident be the one who was 'hacked'? Seems pretty random, unless Evident pissed off the wrong person. If someone was just trying to make a point, it wouldn't matter whose account it was; any account (or multiple) would be fine. If a cracker wanted to do damage, they would likely focus on mods & admins only.
 

FoBoT

No Lifer
Dictionary attacks are comparing hashes to rainbow tables; it doesn't mean trying to actually log onto the web site with every word in the dictionary. You steal the hashes, then compare them to a 'dictionary' of hashes (rainbow tables) for common passwords.
 

Evadman

Administrator Emeritus, Elite Member
Dictionary attacks are comparing hashes to rainbow tables; it doesn't mean trying to actually log onto the web site with every word in the dictionary. You steal the hashes, then compare them to a 'dictionary' of hashes (rainbow tables) for common passwords.

Actually, a dictionary attack is exactly that: it is using a bunch of set character strings and trying to log into the application. Any good application will not allow access to a hash if at all possible. To be clear though, a dictionary attack doesn't necessarily use words in the dictionary (though a bunch are); they are commonly used passwords. For example, here are the top 500. Hint: if your password is on this list, change it :)

This is a subset of a brute-force attack, where the cracker starts at something like '000000000001', then '000000000002' and so on, until all options are exhausted. A dictionary attack will work faster when a user uses a password in the dictionary.

A rainbow table is a table, and is used to turn a hash back into a plain text password. (In actuality, it may not be the actual password due to collisions, but it will still work.) How they work is pretty complicated, but it isn't as simple as a table with 2 columns, 1 for password and 1 for the hash. That table would be too big; there is a reduction algorithm that must be worked through many times to get to the plain text password from a hash. This is sometimes called a pre-computed dictionary attack. It requires access to the hash, and the algorithm used to create the hash. These are not always available. (They should NEVER be available if an application is created correctly.)

On AT, a rainbow table will be of no use, since every user's password is salted individually. Making a rainbow table would take a very long time (decades), while a dictionary attack with the top 500 passwords would take 500/5*15/60 = 25 hours.
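The chain construction the post above describes, as an added example that is not from the thread: a toy rainbow table for MD5 over 4-lowercase-letter passwords, with a reduction function that maps a digest back into the password space, a lookup that walks each column forward to an endpoint and then regenerates the matching chain, and the two comparisons the post makes: an unsalted hash falls to the table, a salted one returns nothing, while a per-user dictionary pass against the salted hash still works at one MD5 per guess. The chain count, chain length, alphabet, fixed seed and salt are constructed for the demo, and the reduction function is one simple choice of my own, not the one any published table uses.

```python
# Added example (not from the thread): a toy rainbow table for MD5 over
# 4-lowercase-letter passwords, showing the hash/reduce chains the post
# describes, and why a per-user salt makes the table useless.
import hashlib
import os
import random
import string
from collections import defaultdict

ALPHABET = string.ascii_lowercase
PW_LEN = 4
SPACE = len(ALPHABET) ** PW_LEN  # 456,976 candidate passwords


def H(password):
    """Unsalted MD5, the kind of hash the thread's 'md5 rainbow tables' target."""
    return hashlib.md5(password.encode()).digest()


def reduce_(digest, step):
    """Map a digest back into the password space. `step` (the chain column)
    is mixed in so each column uses a different reduction: two chains that
    hit the same password in different columns then do not merge, only a
    collision in the same column does."""
    n = (int.from_bytes(digest[:8], "big") + step) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


class RainbowTable:
    """Store only (start, end) of each chain; everything in between is
    recomputed on demand, which is the space/time trade-off of the table."""

    def __init__(self, chains, length, seed=1):
        self.length = length
        self.table = defaultdict(list)  # endpoint -> start points sharing it
        rnd = random.Random(seed)        # fixed seed: constructed, reproducible
        for _ in range(chains):
            start = "".join(rnd.choice(ALPHABET) for _ in range(PW_LEN))
            self.table[self.walk(start, 0, length)].append(start)

    def walk(self, password, from_step, to_step):
        """p_{k+1} = reduce_(H(p_k), k) for k in [from_step, to_step)."""
        for step in range(from_step, to_step):
            password = reduce_(H(password), step)
        return password

    def lookup(self, target):
        """Return a password p with H(p) == target, or None. The password may
        sit in any column i of a chain, so each i is tried from the last."""
        for i in range(self.length - 1, -1, -1):
            end = self.walk(reduce_(target, i), i + 1, self.length)
            for start in self.table.get(end, ()):
                candidate = self.walk(start, 0, i)
                if H(candidate) == target:  # rejects false alarms from merges
                    return candidate
        return None


def salted_hash(password, salt):
    return hashlib.md5(salt + password.encode()).digest()


def salted_guess(target, salt, wordlist):
    """Salt stops precomputation, not guessing: with a fast hash, a per-user
    dictionary pass is still one MD5 per word. A slow KDF is what raises that."""
    for word in wordlist:
        if salted_hash(word, salt) == target:
            return word
    return None


def demo():
    table = RainbowTable(chains=2000, length=50)
    start = next(iter(table.table.values()))[0]
    victim = table.walk(start, 0, 7)     # a password known to sit in column 7
    cracked = table.lookup(H(victim))    # unsalted: recovered from the table
    salt = os.urandom(8)
    salted = table.lookup(salted_hash(victim, salt))  # salted: nothing matches
    guessed = salted_guess(salted_hash("qwer", salt), salt, ["pass", "abcd", "qwer"])
    return victim, cracked, salted, guessed


if __name__ == "__main__":
    v, c, s, g = demo()
    print(f"victim={v} table_lookup={c} salted_lookup={s} salted_guess={g}")
```

The table here is 2,000 chains of 50 steps, so 100,000 hashes computed once and 2,000 (start, end) pairs kept; the lookup pays at most about 50 × 50 / 2 hash steps per target instead of a search over 456,976 stored digests. A salted target never matches because the table was built for H(p) over 4-letter p and the salted digest is the hash of a different, longer string; a second user with the same password and a different salt needs a different table again, which is the point made above about per-user salts.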
 

Alone

Diamond Member
Dictionary attacks are comparing hashes to rainbow tables; it doesn't mean trying to actually log onto the web site with every word in the dictionary. You steal the hashes, then compare them to a 'dictionary' of hashes (rainbow tables) for common passwords.

What you just described is a rainbow table (prehashed passwords to check against, useful for WAP decryption). A dictionary attack is like Evadman described, a bunch of words (simple characters, a-z|A-Z|0-9|+-)(*&^%$#@!|etc (and a combination of all)).

Rainbow tables can, of course, be downloaded, but they're most useful once you've grabbed the encryption and try to match it offline, user side (there are rainbow tables available online, the biggest one I know so far is 33GB large).
 

Evadman

Administrator Emeritus, Elite Member
there are rainbow tables available online, the biggest one I know so far is 33GB large

33 GB is relatively small for a rainbow table. One that I used to mess around with was about 560 GB. I've seen md5 rainbow tables in the wild for almost everything that can be typed on a keyboard to 7 chars (which would be about 140 GB), or 10 lowercase letters (about 300 GB).

I love cryptology and number theory. It also comes in handy when idiots can't remember their password :awe:
 

Alone

Diamond Member
33 GB is relatively small for a rainbow table.
I meant only that the largest one I've seen online was 33GB. I've made my own that were just shy of 150GB (which, aside from the time and power required, is much preferable to do than download a huge file).
 

Evadman

Administrator Emeritus, Elite Member
I meant only that the largest one I've seen online was 33GB. I've made my own that were just shy of 150GB (which, aside from the time and power required, is much preferable to do than download a huge file).

Nice. I've never created one over about 1 GB. It just takes forever to make. Kudos for making such a large one; what hash method was it for? ntlm, md5, sha1?
 

Alone

Diamond Member
I had a fairly small table for LM hashes a while back, that was about 64GB if memory serves. I had about three computers running at it and it took several months non-stop.

The big one took a long time; it was sha1 and I had about 8 computers running that one (three were mine, the rest belonged to equally devoted friends). That was around 2004-2005 or so, right when SHA1 was identified to be weak so it was a big old waste of time (not entirely, it was still fun to do).

I wish I had kept backups of those, even though they're relatively worthless. Mostly for nostalgia's sake.

In hindsight, it probably would have just been easier to just BUY hard copies of the tables, as there are some up in the terabytes. But I was a stupid kid so w/e.
 