2014-05-14, 14:49 | Link #262 | ||
He Without a Title
Join Date: Feb 2008
Location: The land of tempura
|
Quote:
Quote:
So... for passwords of 8 chars or less it takes about 16 days to crack them when hashed with MD5. Of course that salt and length multiplies that time but even 16*16 (to figure out a similar length salt) would still end up at less than a year... Using a SINGLE 8 year old graphics card... Yeah, how do you think things look today?
__________________
|
||
2014-05-14, 14:55 | Link #263 |
Haibanologist
Join Date: Feb 2007
|
President Skroob: Did it work? Where's the king?
Dark Helmet: It worked, sir. We have the combination.
President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
Colonel Sandurz: 1-2-3-4-5
President Skroob: 1-2-3-4-5?
Colonel Sandurz: Yes!
President Skroob: That's amazing. I've got the same combination on my luggage.
Dark Helmet, Colonel Sandurz: [looks at each other]
__________________
|
2014-05-14, 16:45 | Link #265 |
CROSS IN!!
|
Now, this is scary!
When I saw the forums go down and saw that it got hacked, the first thing that popped in my head was "Holy ****! This is terrible!" At least, I'm glad that "the powers that be" behind AnimeSuki have brought some normalcy back to the forums. I also had to change several passwords after learning the news. Hopefully, that'll keep me protected. |
2014-05-14, 17:27 | Link #266 | |
Administrator
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
|
Quote:
This means depending on what hardware is used, it would take a long time (weeks/months/years) for the attackers to crack everybody's password (that is, if everybody used completely random/unguessable passwords, which I doubt is the case), but it would still be possible to crack the passwords of specific users within hours. As we don't know who they'll focus on or the hardware used, it doesn't change much with regard to whether your old password is safe or not - it isn't, sadly. |
|
2014-05-14, 17:44 | Link #267 | |
He Without a Title
Join Date: Feb 2008
Location: The land of tempura
|
Quote:
Luckily salt kills rainbow tables and dictionary attacks so there's that. MD5 is still extremely weak though. It's a shame that it isn't particularly easy to switch to something like SHA256 which is safer (or even scrypt which should be good for quite a while).
__________________
|
|
2014-05-14, 19:11 | Link #269 | |
Senior Member
Join Date: Feb 2009
|
Quote:
|
|
2014-05-14, 22:22 | Link #272 | |
(ノಠ益ಠ)ノ彡┻━┻
Moderator
Join Date: Mar 2006
|
Quote:
Never assume a site is safe. Ever. Safety is an illusion. All that can be done is to take precautions, learn from mistakes, and mitigate/repair the damage. We do sincerely apologize for what happened, but keep in mind that it wasn't just you guys that got affected too, the staff did as well. Do you think we liked having to change our passwords, scan our computers for hours, and check every account we have for security breaches? We're taking this as seriously as everyone else is, and should be. We're not happy either, but we're doing what we can.

That looks like an intrusive ad. It happens to some users. Report it to Nightwish or GHD and they'll look into it. Do you use Adblock?
__________________
|
|
2014-05-14, 22:28 | Link #273 | |
Seiso Academy Student
Graphic Designer
|
Quote:
I guess if you have this problem you better uninstall and reinstall again. I used IObit Uninstaller to remove the Mozilla registry files too. I hope that helps.
__________________
|
|
2014-05-14, 22:52 | Link #275 | |
Senior Member
Author
Join Date: Oct 2007
Location: Philippines
Age: 47
|
Quote:
Also, I never keep full details of almost everything online (most of my documents are in a box just beneath the monitor), and one email account (among three) uses a false name.
__________________
|
|
2014-05-15, 00:07 | Link #276 |
Operation sneaky sneaks
IT Support
Join Date: Aug 2012
Location: Hic et ubique
|
The best security is personal vigilance. Common sense and a little bit of technical knowledge bests the world's best security: one could have the most secure anti-burglar system in the world, and it would fail because they forgot to turn it on.
__________________
|
2014-05-15, 00:14 | Link #277 | |
Senior Member
Join Date: Feb 2009
|
Quote:
The long answer is that what got hacked was a disused moderator account. The hacker used the access that granted him to post malicious scripts, and gain greater access to the site. They disabled the account, removed the elevated privileges from inactive accounts, wiped all forum software that the hacker may have had access to, and restored from a backup prior to the hacker showing up. They then invalidated all existing passwords, forcing everyone to change their password. Meaning that all possibly malicious software has been wiped, and the hacker no longer has access to any accounts.

The discussion of MD5 and password cracking is because one of the things the hacker did before he was discovered was download the password database the forum uses when people log in. MD5 is the encryption algorithm that the forum uses to store passwords. It takes passwords, and converts them into a long hexadecimal number, and optionally (as this forum uses) before it does that, it adds random data called a salt onto the password before encrypting it. Once finished, it stores the hexadecimal number which is called a hash. When you log in, it runs the password you supply through the same process, and compares the result to the result it has stored.

The problem is that MD5 is 23 years old. It was developed at a time when speed was a desirable attribute in your encryption because processing power was limited. Modern smart phones dwarf the computing power of computers of that time, and modern gaming computers dwarf the power of the supercomputers of that time. What used to take weeks or months can be done in seconds. Some people don't seem to realize this change, and are downplaying how quickly passwords in the database are likely to be broken, implying that the stolen passwords are still secure when they should not be considered secure. Hence the discussion of MD5's weaknesses in an attempt to make it clear that it's reasonable to assume the passwords are compromised.

The forum still uses MD5, because there's no quick upgrade to something better. This forum uses off-the-shelf software that's been customized. It cannot be upgraded to the latest version without breaking the customization. Nor does the latest version offer something better than MD5 anyways. Nor does most of the competition's software. Alternatives that do offer something better either do not offer the same functionality, or would require the forum to start from scratch. Meaning that ultimately the owners of this forum will have to take quite some time to consider their options, and the best option might end up simply being to take better steps to prevent the forum from being hacked in the first place, rather than to take better steps to prevent relatively weak passwords from being quickly cracked after the forum is already compromised and the passwords taken. |
|
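The store-and-compare process described in the post above, next to the scrypt alternative mentioned in post #267, as an added example that is not the forum software's code and not part of any post. The record layout, function names, scrypt cost settings and the upgrade-on-login step are assumptions made for illustration.

```python
import hashlib, hmac, os, time

def md5_salted(password: str, salt: bytes) -> str:
    # Scheme as the post describes it: salt added to the password, one MD5 pass.
    return hashlib.md5(password.encode() + salt).hexdigest()

def scrypt_hash(password: str, salt: bytes) -> str:
    # Memory-hard KDF; n/r/p are illustrative and cost about 16 MiB per guess.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32).hex()

SCHEMES = {"md5": md5_salted, "scrypt": scrypt_hash}

def new_record(password: str, scheme: str = "md5") -> dict:
    # A fresh random salt per user: equal passwords no longer share a hash.
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": SCHEMES[scheme](password, salt)}

def verify(record: dict, password: str) -> bool:
    # Re-run the same process on the supplied password and compare results.
    candidate = SCHEMES[record["scheme"]](password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def login_and_upgrade(record: dict, password: str) -> bool:
    # On a successful login the plaintext is briefly available, so a legacy
    # MD5 record can be replaced with a scrypt one without a forced reset.
    if not verify(record, password):
        return False
    if record["scheme"] == "md5":
        record.update(new_record(password, "scrypt"))
    return True

def hashes_per_second(fn, rounds: int) -> float:
    # Rough single-core rate for one hash function (constructed guesses).
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"guess{i}", salt)
    return rounds / (time.perf_counter() - start)

if __name__ == "__main__":
    a, b = new_record("hunter2"), new_record("hunter2")  # constructed sample users
    print("same password, different hashes:", a["hash"] != b["hash"])
    print("MD5 hashes/s, one core:    %.0f" % hashes_per_second(md5_salted, 200_000))
    print("scrypt hashes/s, one core: %.1f" % hashes_per_second(scrypt_hash, 20))
    print("upgraded on login:", login_and_upgrade(a, "hunter2"), a["scheme"])
```

The salt only forces an attacker to work on each account separately; the per-guess cost is what the two rates printed by the script compare.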
2014-05-15, 01:58 | Link #278 | |
Senior Member
Join Date: Apr 2001
Location: Athens, Greece
Age: 41
|
Quote:
MD5 is just an encryption algorithm for the stored passwords and it's used by almost every single forum software out there and the only person able to change that is the company developing the forum software.
__________________
|
|
|
|