Englishforum security breach?

[Urs Max]

	Quote:	Editor Bob
	The following security notice is being distributed. It will be emailed to all users shortly, and is additionally available here: englishforum.ch/security

People won't notice that unless they actually look, all too many use a dummy email-account for this stuff. Still, you need to assume they use that password elsewhere, and where the contents are important.

Send the notice as PM to each and every user, those who didn't opt out will receive a popup when they log in next time.

[aSwissInTheUS]

	Quote:	me.anon
	If I understand correctly, an 8 character password is, with 2 character salt, effectively 10 characters. According to this (dated 2017) a single 10 character password of sufficiently complexity) could keep a super computer buy for up to 3 years: https://thycotic.force.com/support/s...ord-Complexity

No, salt does not any real complexity to a single password. If you have the encrypted password database you also have the salt which goes with each password. An 8 character password is still a 8 character password even with 128 characters of salt.

The difference between a salted and non-salted password table is, that you can crack the un-salted table in a single pass whereas when there is salt added you must crack each and every users password individually.

The problem is that what the your linked article describes as supercomputer/bot net is in fact for the MD5-algorithm used by englishforum database a machine which costs around USD 8000. https://www.bitcoinmined.net/gpu-miner

There is plenty of hardware like that, even much more powerful, in China and other parts in the world which was acquired to mine crypto currencies such as Etherum, Litecoin, Monero etc. (Not hardware used for Bitcoin, as this are too much spcialized) Example of one site: https://lifestylegalaxyevents.com/mi...ne-visit-2017/
Unfortunately this hardware does no longer generate the profit with crypto currency mining as it was in the past. So why not use the existing hardware to crack password databases and make profit from it?

A dictionary based attack over the whole database costs nearly nothing and is done in a few minutes. A dictionary means a databases which contains password known from previous security breaches. One particular database is known to contain 517 million different passwords which have been used on various internet sites. You can check if your password is in this particular dictionary here https://haveibeenpwned.com/Passwords Note: if you enter your password there it is best to change it afterwards regardless if it was found or not. Only enter your password at the website or program where it is intended to be used.

Note: Cracking the password database is only one possibility how the passwords were compromised. The attackers might have simply injected code either directly on the server or through an advertiser channel which is used on EF. It is known https://www.englishforum.ch/forum-su...y-browser.html that EFuses advertising methods which change content on the fly and it is also known https://www.20min.ch/digital/news/st...offen-20129497 that advertiser channels have been compromised in the past.

[Phil_MCR]

	Quote:	ChrisNeedsToKnow
	In the email I received, it showed an old password; not the one I currently use(d) (changed it again now, just to make sure).

when did you change from the old password? that at least helps to put a timeline on the compromise.

[slammer]

All this passwordary change and a different password for every site may be common sense but for the generic run of the mill garden variety user it defeats the point, I struggle to remember more that two passwords and if I wish to access my youtube account or my itune account then I need to reset the freaking password every time because I can´t remember the stupid password out of mind and I can´t remember where I put the note where I wrote them down or I don´t have it with me when I need it.
So generally I use one password or a variation of it and even then I can´t remember which variant I used.

	Quote:	slammer
	All this passwordary change and a different password for every site may be common sense but for the generic run of the mill garden variety user it defeats the point, I struggle to remember more that two passwords and if I wish to access my youtube account or my itune account then I need to reset the freaking password every time because I can´t remember the stupid password out of mind and I can´t remember where I put the note where I wrote them down or I don´t have it with me when I need it. So generally I use one password or a variation of it and even then I can´t remember which variant I used.

There are apps that can do this for you, I use 1password one local complicated password which will generate and manage all your diff passwords.

[JagWaugh]

	Quote:	slammer
	All this passwordary change and a different password for every site may be common sense but for the generic run of the mill garden variety user it defeats the point, I struggle to remember more that two passwords and if I wish to access my youtube account or my itune account then I need to reset the freaking password every time because I can´t remember the stupid password out of mind and I can´t remember where I put the note where I wrote them down or I don´t have it with me when I need it. So generally I use one password or a variation of it and even then I can´t remember which variant I used.

It's a real problem for many users.

One solution is to use a password manager and set a long, random password for all the websites you frequent. Then you only need to remember the password to unlock your password manager, and also the password for your email account so that if (when) you forget the password for your password manager or otherwise mess it up you can at least use the email based reset password function on the websites you use.

The other low tech solution, if you insist on using one password for all your website logins (like EF, FB) is to make it long, and to deliberately misspell multiple easily remembered words.

"hamberders_unt_Harrlies", for example (ok, "hamberders" is probably in most dictionary attack lists by now, but you get the idea).

Length works well against brute force, and misspelling is reasonably effective against dictionary attacks.

[curley]

Now that was fun. I had changed my password on EF, which I was so happy with since 2006, don't even know why really as I was not worried......
and forgot the new password

So I got
<<Wrong username or password. You have used up your failed login quota! Please wait 15 minutes before trying again>> from EF PLUS a pm:

<<Dear curley,

Someone has tried to log into your account on English Forum Switzerland with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 7 ..... yeah, okay, never mind, there was an IP there

All the best,
English Forum Switzerland

I'm probably now registered for life as the wanna-be-thief of my own EF-account.

[krlock3]

Next step: Curley sends herself an email demanding EUR 800 otherwise threatens to publicise her search history.

[Ouchboy]

shit's getting real...


got this on my email

[Village Idiot]

	Quote:
	Furthermore, all dormant accounts, those which have not logged in since 01.01.17, will be permanently deleted. The posts from deleted accounts will remain published but labelled as authored by "Guest".

Does this mean that 'Guest' will replace their username, or that 'Guest' will replace their forum status? Eg, would I become:

Guest
Forum Legend

or

Village Idiot
Guest

If it's the former, that seems like a real shame as we'll lose out on the many amazing personalities that have helped form the board over the years, who are no longer posting for whatever reason.

[me.anon]

	Quote:	aSwissInTheUS
	No, salt does not any real complexity to a single password. If you have the encrypted password database you also have the salt which goes with each password. An 8 character password is still a 8 character password even with 128 characters of salt. . . .

Ah yes. I've just refreshed my memory. The salt is stored with the password and indeed it does not make the decryption of an individual password from the file any more complex, it does make the construction of a universal reverse lookup table less feasible, however. Thanks.

[Medea Fleecestealer]

Good luck with upgrading vBulletin. Another of my forums which uses v3.8.4 tried it a few years ago and it caused so much chaos they had to roll back to v3.8.4 again.

I admit I'm one of those people who uses the same password everywhere, but if I went to individual ones, no way would I be using a cloud storage app or similar for it. Good, old fashioned pen and paper will do the trick for me.

[Phil_MCR]

	Quote:	slammer
	All this passwordary change and a different password for every site may be common sense but for the generic run of the mill garden variety user it defeats the point, I struggle to remember more that two passwords and if I wish to access my youtube account or my itune account then I need to reset the freaking password every time because I can´t remember the stupid password out of mind and I can´t remember where I put the note where I wrote them down or I don´t have it with me when I need it. So generally I use one password or a variation of it and even then I can´t remember which variant I used.

just write them on post-its and stick it next to the screen.

	Quote:	Medea Fleecestealer
	Good luck with upgrading vBulletin. Another of my forums which uses v3.8.4 tried it a few years ago and it caused so much chaos they had to roll back to v3.8.4 again.

I think I can see where they were going wrong...

	Quote:	Phil_MCR
	just write them on post-its and stick it next to the screen.

This is what we do in my office :-)

[NotAllThere]

	Quote:	Phil_MCR
	just write them on post-its and stick it next to the screen.

That's what the secretaries did for the directors' passwords in one place I worked.

[EPMike]

	Quote:	slammer
	All this passwordary change and a different password for every site may be common sense but for the generic run of the mill garden variety user it defeats the point, I struggle to remember more that two passwords and if I wish to access my youtube account or my itune account then I need to reset the freaking password every time because I can´t remember the stupid password out of mind and I can´t remember where I put the note where I wrote them down or I don´t have it with me when I need it. So generally I use one password or a variation of it and even then I can´t remember which variant I used.

My approach is to have a system where I have a standard strong password (lowercase uppercase, numbers and special chars) and I use a variation of it for every website using the same system.

Something like insert the first character of the website's name as second char in the pwd and last char of the website name as second but last char in the pwd.

Actual source of the exposure possibly .. Maybe nothing wrong with EF after all



https://yro.slashdot.org/story/19/01...mail-addresses

Another article about the same:

https://www.wired.com/story/collecti...unts-passwords

They're calling it "the breach of breaches". Data from 2,000 sites all in one collection.

Reaffirms our suspicion that this was an old leak that is only now being put to misuse.

Doesn't clear EF of responsibility though. We're still working on this.

	Quote:	Editor Bob
	Another article about the same: https://www.wired.com/story/collecti...unts-passwords They're calling it "the breach of breaches". Data from 2,000 sites all in one collection. Reaffirms our suspicion that this was an old leak that is only now being put to misuse. Doesn't clear EF of responsibility though. We're still working on this.

At least it's not (hopefully) a current/ongoing leak :-)