  #61  
Old 16.01.2019, 11:24
Forum Legend
 
Join Date: Oct 2014
Location: Steinach SG
Posts: 8,452
Groaned at 410 Times in 309 Posts
Thanked 11,010 Times in 5,795 Posts
Urs Max has a reputation beyond repute
Re: Englishforum security breach?

Quote:
The following security notice is being distributed.

It will be emailed to all users shortly, and is additionally available here: englishforum.ch/security
People won't notice that unless they actually look, all too many use a dummy email-account for this stuff. Still, you need to assume they use that password elsewhere, and where the contents are important.

Send the notice as PM to each and every user, those who didn't opt out will receive a popup when they log in next time.
This user groans at Urs Max for this post:
  #62  
Old 16.01.2019, 11:27
aSwissInTheUS's Avatar
Forum Legend
 
Join Date: Nov 2007
Location: Zurich area
Posts: 12,786
Groaned at 99 Times in 88 Posts
Thanked 19,577 Times in 8,681 Posts
aSwissInTheUS has a reputation beyond repute
Re: Englishforum security breach?

Quote:
If I understand correctly, an 8 character password is, with 2 character salt, effectively 10 characters. According to this (dated 2017), a single 10 character password (of sufficient complexity) could keep a super computer busy for up to 3 years: https://thycotic.force.com/support/s...ord-Complexity
No, salt does not add any real complexity to a single password. If you have the encrypted password database you also have the salt which goes with each password. An 8 character password is still an 8 character password even with 128 characters of salt.

The difference between a salted and non-salted password table is that you can crack the un-salted table in a single pass, whereas when there is salt added you must crack each and every user's password individually.

The problem is that what your linked article describes as a supercomputer/botnet is in fact, for the MD5 algorithm used by the englishforum database, a machine which costs around USD 8000. https://www.bitcoinmined.net/gpu-miner

There is plenty of hardware like that, even much more powerful, in China and other parts of the world which was acquired to mine cryptocurrencies such as Ethereum, Litecoin, Monero etc. (Not hardware used for Bitcoin, as that is too specialized.) Example of one site: https://lifestylegalaxyevents.com/mi...ne-visit-2017/
Unfortunately this hardware no longer generates the profit from cryptocurrency mining that it did in the past. So why not use the existing hardware to crack password databases and make profit from it?

A dictionary based attack over the whole database costs nearly nothing and is done in a few minutes. A dictionary means a database which contains passwords known from previous security breaches. One particular database is known to contain 517 million different passwords which have been used on various internet sites. You can check if your password is in this particular dictionary here: https://haveibeenpwned.com/Passwords
Note: if you enter your password there it is best to change it afterwards regardless of whether it was found or not. Only enter your password at the website or program where it is intended to be used.

Note: Cracking the password database is only one possible way the passwords were compromised. The attackers might have simply injected code either directly on the server or through an advertiser channel which is used on EF. It is known (https://www.englishforum.ch/forum-su...y-browser.html) that EF uses advertising methods which change content on the fly, and it is also known (https://www.20min.ch/digital/news/st...offen-20129497) that advertiser channels have been compromised in the past.
__________________
On Hiatus- Normal operation will resume 22.02.2022 22:02:20.22
The following 3 users would like to thank aSwissInTheUS for this useful post:
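The password check mentioned in the post above can be done without typing the password into a web page. This is an added example, not part of the original post or of any poster's code: it sketches the range lookup offered by the Pwned Passwords service, in which only the first five hex characters of the password's SHA-1 hash are transmitted. The endpoint URL is not given on the page, and the corpus and counts used for the offline run are constructed.

```python
import hashlib
from urllib.request import urlopen

# Range endpoint of the Pwned Passwords service; it is not named on the page.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (first 5 hex chars, remaining 35) of the upper-case SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_online(prefix):
    """Ask the service for every known hash suffix under this prefix."""
    with urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range_online):
    """How often the password appears in the corpus; 0 if it is not listed."""
    prefix, suffix = split_sha1(password)
    body = fetch(prefix)  # only these 5 hex characters leave the machine
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# --- constructed offline stand-in for the service ---
CONSTRUCTED_CORPUS = {"password": 3, "letmein": 2}  # made-up counts
SENT = []  # records everything the client transmitted


def constructed_fetch(prefix):
    """Answer like the range endpoint: one 'SUFFIX:COUNT' line per match."""
    SENT.append(prefix)
    lines = ["0" * 35 + ":1"]  # constructed decoy entry
    for pw, n in CONSTRUCTED_CORPUS.items():
        p, s = split_sha1(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password", "hamberders_unt_Harrlies"):
        print(pw, "->", breach_count(pw, constructed_fetch))
    print("transmitted:", SENT)
```

The comparison against the returned suffixes happens locally, so neither the password nor its full hash is sent.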
  #63  
Old 16.01.2019, 11:31
Phil_MCR's Avatar
Forum Legend
 
Join Date: Oct 2009
Location: Basel
Posts: 14,299
Groaned at 276 Times in 182 Posts
Thanked 17,701 Times in 7,473 Posts
Phil_MCR has a reputation beyond repute
Re: Englishforum security breach?

Quote:
In the email I received, it showed an old password; not the one I currently use(d) (changed it again now, just to make sure).
when did you change from the old password? that at least helps to put a timeline on the compromise.
The following 2 users would like to thank Phil_MCR for this useful post:
  #64  
Old 16.01.2019, 12:13
slammer's Avatar
Forum Legend
 
Join Date: Jul 2009
Location: Lummerland
Posts: 5,281
Groaned at 143 Times in 100 Posts
Thanked 9,123 Times in 3,455 Posts
slammer has a reputation beyond repute
Re: Englishforum security breach?

All this passwordary change and a different password for every site may be common sense but for the generic run of the mill garden variety user it defeats the point, I struggle to remember more than two passwords and if I wish to access my youtube account or my itune account then I need to reset the freaking password every time because I can't remember the stupid password out of mind and I can't remember where I put the note where I wrote them down or I don't have it with me when I need it.
So generally I use one password or a variation of it and even then I can't remember which variant I used.
__________________
Back in Bavaria, god's own belly button.
The following 4 users would like to thank slammer for this useful post:
  #65  
Old 16.01.2019, 12:21
Guest
 
Posts: n/a
Re: Englishforum security breach?

Quote:
All this passwordary change and a different password for every site may be common sense but for the generic run of the mill garden variety user it defeats the point, I struggle to remember more than two passwords and if I wish to access my youtube account or my itune account then I need to reset the freaking password every time because I can't remember the stupid password out of mind and I can't remember where I put the note where I wrote them down or I don't have it with me when I need it.
So generally I use one password or a variation of it and even then I can't remember which variant I used.
There are apps that can do this for you. I use 1Password: one local complicated password, which will generate and manage all your diff passwords.
The following 2 users would like to thank for this useful post:
  #66  
Old 16.01.2019, 12:40
JagWaugh's Avatar
RIP
 
Join Date: Apr 2009
Location: Eglisau
Posts: 7,272
Groaned at 47 Times in 46 Posts
Thanked 14,131 Times in 5,506 Posts
JagWaugh has a reputation beyond repute
Re: Englishforum security breach?

Quote:
All this passwordary change and a different password for every site may be common sense but for the generic run of the mill garden variety user it defeats the point, I struggle to remember more than two passwords and if I wish to access my youtube account or my itune account then I need to reset the freaking password every time because I can't remember the stupid password out of mind and I can't remember where I put the note where I wrote them down or I don't have it with me when I need it.
So generally I use one password or a variation of it and even then I can't remember which variant I used.
It's a real problem for many users.

One solution is to use a password manager and set a long, random password for all the websites you frequent. Then you only need to remember the password to unlock your password manager, and also the password for your email account so that if (when) you forget the password for your password manager or otherwise mess it up you can at least use the email based reset password function on the websites you use.

The other low tech solution, if you insist on using one password for all your website logins (like EF, FB) is to make it long, and to deliberately misspell multiple easily remembered words.

"hamberders_unt_Harrlies", for example (ok, "hamberders" is probably in most dictionary attack lists by now, but you get the idea).

Length works well against brute force, and misspelling is reasonably effective against dictionary attacks.
__________________
If everyone you know agrees with you consistently, they are either not listening, or not capable of critical thought.
The following 4 users would like to thank JagWaugh for this useful post:
  #67  
Old 16.01.2019, 13:19
curley's Avatar
Forum Legend
 
Join Date: Oct 2006
Location: canton ZH
Posts: 12,041
Groaned at 198 Times in 164 Posts
Thanked 13,586 Times in 7,075 Posts
curley has a reputation beyond repute
Re: Englishforum security breach?



Now that was fun. I had changed my password on EF, which I was so happy with since 2006, don't even know why really as I was not worried......
and forgot the new password

So I got
<<Wrong username or password. You have used up your failed login quota! Please wait 15 minutes before trying again>> from EF PLUS a pm:

<<Dear curley,

Someone has tried to log into your account on English Forum Switzerland with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 7 ..... yeah, okay, never mind, there was an IP there

All the best,
English Forum Switzerland

I'm probably now registered for life as the wanna-be-thief of my own EF-account.
__________________
If there is a God, then I believe he’s more insulted by religion than he is by atheism.
The following 2 users would like to thank curley for this useful post:
  #68  
Old 16.01.2019, 13:30
krlock3's Avatar
Forum Legend
 
Join Date: Feb 2006
Location: Zürich
Posts: 3,044
Groaned at 46 Times in 33 Posts
Thanked 2,297 Times in 1,103 Posts
krlock3 has a reputation beyond repute
Re: Englishforum security breach?

Next step: Curley sends herself an email demanding EUR 800 otherwise threatens to publicise her search history.
The following 6 users would like to thank krlock3 for this useful post:
  #69  
Old 16.01.2019, 13:47
Ouchboy's Avatar
Forum Legend
 
Join Date: Jun 2008
Location: Baden
Posts: 3,285
Groaned at 46 Times in 41 Posts
Thanked 5,478 Times in 2,103 Posts
Ouchboy has a reputation beyond repute
Re: Englishforum security breach?

shit's getting real...


got this on my email


The following 5 users would like to thank Ouchboy for this useful post:
  #70  
Old 16.01.2019, 13:55
Village Idiot's Avatar
Forum Legend
 
Join Date: Jul 2009
Location: Basel
Posts: 3,645
Groaned at 33 Times in 30 Posts
Thanked 6,859 Times in 2,211 Posts
Village Idiot has a reputation beyond repute
Re: Englishforum security breach?

Quote:
Furthermore, all dormant accounts, those which have not logged in since 01.01.17, will be permanently deleted. The posts from deleted accounts will remain published but labelled as authored by "Guest".
Does this mean that 'Guest' will replace their username, or that 'Guest' will replace their forum status? Eg, would I become:

Guest
Forum Legend

or

Village Idiot
Guest

If it's the former, that seems like a real shame as we'll lose out on the many amazing personalities that have helped form the board over the years, who are no longer posting for whatever reason.
The following 5 users would like to thank Village Idiot for this useful post:
  #71  
Old 16.01.2019, 13:56
me.anon's Avatar
Forum Veteran
 
Join Date: Jan 2012
Location: thun
Posts: 2,137
Groaned at 40 Times in 29 Posts
Thanked 2,806 Times in 1,358 Posts
me.anon has a reputation beyond repute
Re: Englishforum security breach?

Quote:
No, salt does not add any real complexity to a single password. If you have the encrypted password database you also have the salt which goes with each password. An 8 character password is still an 8 character password even with 128 characters of salt.
. . .
Ah yes. I've just refreshed my memory. The salt is stored with the password and indeed it does not make the decryption of an individual password from the file any more complex, it does make the construction of a universal reverse lookup table less feasible, however. Thanks.
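The salt points made in posts #62 and #71, worked through as an added example (not code from any poster, from vBulletin or from EF): a defender's audit of a constructed user table against a short wordlist, counting how many hash computations are needed with no salt, a 2-byte salt and a 128-byte salt. The `md5(salt + password)` layout, the user names, the salts and the wordlist are all assumptions made for the illustration.

```python
import hashlib


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def store_unsalted(users):
    """{name: password} -> {name: md5(password)}"""
    return {n: md5_hex(pw.encode()) for n, pw in users.items()}


def store_salted(users, salts):
    """{name: password} -> {name: (salt, md5(salt + password))}.
    The salt is kept next to the hash, so whoever holds the table holds both."""
    return {n: (salts[n], md5_hex(salts[n] + pw.encode()))
            for n, pw in users.items()}


def audit_unsalted(table, wordlist):
    """Hash each candidate once; one lookup set covers every account."""
    hashes, lookup = 0, set()
    for word in wordlist:
        lookup.add(md5_hex(word.encode()))
        hashes += 1
    weak = sorted(n for n, h in table.items() if h in lookup)
    return hashes, weak


def audit_salted(table, wordlist):
    """Each account has its own salt, so every candidate is re-hashed per account."""
    hashes, weak = 0, []
    for name, (salt, stored) in table.items():
        for word in wordlist:
            hashes += 1
            if md5_hex(salt + word.encode()) == stored:
                weak.append(name)
    return hashes, sorted(weak)


# Constructed sample data (fixed salts for reproducibility; real salts are random)
USERS = {"alice": "Sommer2018", "bob": "Sommer2018",
         "carol": "hamberders_unt_Harrlies", "dave": "zurich"}
WORDLIST = ["123456", "zurich", "Sommer2018"]
SHORT_SALTS = {n: bytes([i, i + 1]) for i, n in enumerate(USERS)}  # 2 bytes
LONG_SALTS = {n: bytes([i]) * 128 for i, n in enumerate(USERS)}    # 128 bytes

if __name__ == "__main__":
    print("unsalted     ", audit_unsalted(store_unsalted(USERS), WORDLIST))
    print("2-byte salt  ", audit_salted(store_salted(USERS, SHORT_SALTS), WORDLIST))
    print("128-byte salt", audit_salted(store_salted(USERS, LONG_SALTS), WORDLIST))
```

The work per account (3 hashes) is the same for the 2-byte and the 128-byte salt; only the total across the four accounts grows from 3 to 12, and the two accounts sharing a password no longer share a stored hash.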
  #72  
Old 16.01.2019, 14:29
Medea Fleecestealer's Avatar
Forum Legend
 
Join Date: Jul 2011
Location: Switzerland
Posts: 21,838
Groaned at 391 Times in 302 Posts
Thanked 16,781 Times in 9,468 Posts
Medea Fleecestealer has a reputation beyond repute
Re: Englishforum security breach?

Good luck with upgrading vBulletin. Another of my forums which uses v3.8.4 tried it a few years ago and it caused so much chaos they had to roll back to v3.8.4 again.

I admit I'm one of those people who uses the same password everywhere, but if I went to individual ones, no way would I be using a cloud storage app or similar for it. Good, old fashioned pen and paper will do the trick for me.
  #73  
Old 16.01.2019, 16:45
Phil_MCR's Avatar
Forum Legend
 
Join Date: Oct 2009
Location: Basel
Posts: 14,299
Groaned at 276 Times in 182 Posts
Thanked 17,701 Times in 7,473 Posts
Phil_MCR has a reputation beyond repute
Re: Englishforum security breach?

Quote:
All this passwordary change and a different password for every site may be common sense but for the generic run of the mill garden variety user it defeats the point, I struggle to remember more than two passwords and if I wish to access my youtube account or my itune account then I need to reset the freaking password every time because I can't remember the stupid password out of mind and I can't remember where I put the note where I wrote them down or I don't have it with me when I need it.
So generally I use one password or a variation of it and even then I can't remember which variant I used.
just write them on post-its and stick it next to the screen.
This user would like to thank Phil_MCR for this useful post:
  #74  
Old 16.01.2019, 20:36
Ace1's Avatar
A modal singularity
 
Join Date: Sep 2011
Location: Morgins, VS (and Alsace)
Posts: 9,030
Groaned at 365 Times in 236 Posts
Thanked 15,358 Times in 6,646 Posts
Ace1 has a reputation beyond repute
Re: Englishforum security breach?

Quote:
Good luck with upgrading vBulletin. Another of my forums which uses v3.8.4 tried it a few years ago and it caused so much chaos they had to roll back to v3.8.4 again.
I think I can see where they were going wrong...
The following 3 users would like to thank Ace1 for this useful post:
  #75  
Old 16.01.2019, 21:52
John_H's Avatar
Forum Legend
 
Join Date: May 2013
Location: Up above Nyon
Posts: 3,917
Groaned at 109 Times in 68 Posts
Thanked 5,209 Times in 2,029 Posts
John_H has a reputation beyond repute
Re: Englishforum security breach?

Quote:
just write them on post-its and stick it next to the screen.
This is what we do in my office :-)
This user would like to thank John_H for this useful post:
  #76  
Old 17.01.2019, 08:23
NotAllThere's Avatar
Forum Legend
 
Join Date: Oct 2008
Location: Baselland
Posts: 12,973
Groaned at 206 Times in 183 Posts
Thanked 18,807 Times in 7,664 Posts
NotAllThere has a reputation beyond repute
Re: Englishforum security breach?

Quote:
just write them on post-its and stick it next to the screen.
That's what the secretaries did for the directors' passwords in one place I worked.
The following 2 users would like to thank NotAllThere for this useful post:
  #77  
Old 17.01.2019, 09:00
Forum Veteran
 
Join Date: Mar 2010
Location: Greater Zürich Area
Posts: 939
Groaned at 119 Times in 76 Posts
Thanked 713 Times in 396 Posts
EPMike has an excellent reputation
Re: Englishforum security breach?

Quote:
All this passwordary change and a different password for every site may be common sense but for the generic run of the mill garden variety user it defeats the point, I struggle to remember more than two passwords and if I wish to access my youtube account or my itune account then I need to reset the freaking password every time because I can't remember the stupid password out of mind and I can't remember where I put the note where I wrote them down or I don't have it with me when I need it.
So generally I use one password or a variation of it and even then I can't remember which variant I used.
My approach is to have a system where I have a standard strong password (lowercase uppercase, numbers and special chars) and I use a variation of it for every website using the same system.

Something like insert the first character of the website's name as second char in the pwd and last char of the website name as second but last char in the pwd.
  #78  
Old 17.01.2019, 10:07
John_H's Avatar
Forum Legend
 
Join Date: May 2013
Location: Up above Nyon
Posts: 3,917
Groaned at 109 Times in 68 Posts
Thanked 5,209 Times in 2,029 Posts
John_H has a reputation beyond repute
Re: Englishforum security breach?

Actual source of the exposure possibly .. Maybe nothing wrong with EF after all



https://yro.slashdot.org/story/19/01...mail-addresses
  #79  
Old 17.01.2019, 10:10
Administrator
 
Join Date: Mar 2008
Location: Munich
Posts: 214
Groaned at 44 Times in 24 Posts
Thanked 1,748 Times in 621 Posts
Editor Bob has a reputation beyond repute
Re: Englishforum security breach?

Another article about the same:

https://www.wired.com/story/collecti...unts-passwords

They're calling it "the breach of breaches". Data from 2,000 sites all in one collection.

Reaffirms our suspicion that this was an old leak that is only now being put to misuse.

Doesn't clear EF of responsibility though. We're still working on this.
The following 8 users would like to thank Editor Bob for this useful post:
This user groans at Editor Bob for this post:
  #80  
Old 17.01.2019, 10:14
John_H's Avatar
Forum Legend
 
Join Date: May 2013
Location: Up above Nyon
Posts: 3,917
Groaned at 109 Times in 68 Posts
Thanked 5,209 Times in 2,029 Posts
John_H has a reputation beyond repute
Re: Englishforum security breach?

Quote:
Another article about the same:

https://www.wired.com/story/collecti...unts-passwords

They're calling it "the breach of breaches". Data from 2,000 sites all in one collection.

Reaffirms our suspicion that this was an old leak that is only now being put to misuse.

Doesn't clear EF of responsibility though. We're still working on this.
At least it's not (hopefully) a current/ongoing leak :-)
Tags
englishforum hack, password stolen, security breach, security password hack

All times are GMT +2. The time now is 09:59.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.
LinkBacks Enabled by vBSEO 3.1.0