16.01.2019, 11:24
Forum Legend | Join Date: Oct 2014 | Location: Steinach SG
Posts: 8,452
Groaned at 410 Times in 309 Posts
Thanked 11,010 Times in 5,795 Posts
Re: Englishforum security breach?
Quote:
> The following security notice is being distributed.
> It will be emailed to all users shortly, and is additionally available here: englishforum.ch/security
People won't notice that unless they actually look; all too many use a dummy email account for this stuff. Still, you need to assume they use that password elsewhere, and where the contents are important.
Send the notice as a PM to each and every user; those who didn't opt out will receive a popup when they log in next time.
This user groans at Urs Max for this post.
16.01.2019, 11:27
Forum Legend | Join Date: Nov 2007 | Location: Zurich area
Posts: 12,786
Groaned at 99 Times in 88 Posts
Thanked 19,577 Times in 8,681 Posts
Re: Englishforum security breach?
Quote:
> If I understand correctly, an 8 character password is, with 2 character salt, effectively 10 characters. According to this (dated 2017) a single 10 character password (of sufficient complexity) could keep a supercomputer busy for up to 3 years: https://thycotic.force.com/support/s...ord-Complexity
No, salt does not add any real complexity to a single password. If you have the encrypted password database you also have the salt which goes with each password. An 8 character password is still an 8 character password even with 128 characters of salt.
The difference between a salted and non-salted password table is that you can crack the un-salted table in a single pass, whereas when there is salt added you must crack each and every user's password individually.
The problem is that what your linked article describes as a supercomputer/botnet is in fact, for the MD5 algorithm used by the englishforum database, a machine which costs around USD 8000. https://www.bitcoinmined.net/gpu-miner
There is plenty of hardware like that, even much more powerful, in China and other parts of the world which was acquired to mine cryptocurrencies such as Ethereum, Litecoin, Monero etc. (Not hardware used for Bitcoin, as that is too specialized.) Example of one site: https://lifestylegalaxyevents.com/mi...ne-visit-2017/
Unfortunately this hardware no longer generates the profit from cryptocurrency mining that it did in the past. So why not use the existing hardware to crack password databases and make a profit from it?
A dictionary based attack over the whole database costs nearly nothing and is done in a few minutes. A dictionary means a database which contains passwords known from previous security breaches. One particular database is known to contain 517 million different passwords which have been used on various internet sites. You can check if your password is in this particular dictionary here: https://haveibeenpwned.com/Passwords Note: if you enter your password there it is best to change it afterwards, regardless of whether it was found or not. Only enter your password at the website or program where it is intended to be used.
Note: Cracking the password database is only one possibility for how the passwords were compromised. The attackers might have simply injected code either directly on the server or through an advertiser channel which is used on EF. It is known (https://www.englishforum.ch/forum-su...y-browser.html) that EF uses advertising methods which change content on the fly, and it is also known (https://www.20min.ch/digital/news/st...offen-20129497) that advertiser channels have been compromised in the past.
__________________
On Hiatus- Normal operation will resume 22.02.2022 22:02:20.22
The following 3 users would like to thank aSwissInTheUS for this useful post.
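The post above makes two separate points about salt: it adds no entropy to any single password, but it stops one precomputed table from being reused against every account. The following Python script is an added example written for this page (not code from the forum or its software) that makes both points measurable on constructed sample data. It hashes with MD5 because that is the algorithm the post names; the `salt + password` construction, the user list and the five-word "breach dictionary" are assumptions for illustration, not a claim about the forum's actual storage format. The last part shows the defender's fix: a slow, per-user-salted KDF (PBKDF2 from the standard library), where the cost per guess rather than the salt is what slows down a GPU rig.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real breach data): a tiny "breach dictionary"
# and a handful of user accounts. "dave" uses a password that is not in the list.
LEAKED_DICTIONARY = ["123456", "password", "qwerty", "letmein", "hamberders"]
USERS = {"alice": "qwerty", "bob": "password", "carol": "letmein", "dave": "Tq7#vL!p9xZ2"}


def unsalted_hash(password: str) -> str:
    """Plain MD5 of the password: every user with the same password gets the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """Toy salted MD5 (salt prepended). Assumed construction for illustration only;
    not claimed to be the forum software's exact scheme."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def build_unsalted_table(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_table(users: dict, salt_bytes: int = 1) -> dict:
    """Store (salt, digest) per user. salt_bytes=1 gives a 2-hex-character salt,
    matching the salt length discussed in the thread."""
    table = {}
    for user, pw in users.items():
        salt = secrets.token_hex(salt_bytes)
        table[user] = (salt, salted_hash(pw, salt))
    return table


def match_unsalted(table: dict, dictionary: list) -> tuple:
    """Single pass: hash each dictionary word once, then look up every stored digest
    in that one precomputed table. Returns (matches, hash_computations)."""
    precomputed = {unsalted_hash(word): word for word in dictionary}
    matches = {user: precomputed[d] for user, d in table.items() if d in precomputed}
    return matches, len(dictionary)


def match_salted(table: dict, dictionary: list) -> tuple:
    """A precomputed table is useless here: each user's salt changes the digest, so the
    dictionary must be re-hashed for every user. Returns (matches, hash_computations)."""
    matches, work = {}, 0
    for user, (salt, digest) in table.items():
        for word in dictionary:
            work += 1
            if hmac.compare_digest(salted_hash(word, salt), digest):
                matches[user] = word
                break
    return matches, work


# Mitigation: a slow, per-user-salted KDF. The iteration count is what raises the
# per-guess cost far above a single MD5; 200_000 is an illustrative choice.
PBKDF2_ITERATIONS = 200_000


def store_password(password: str) -> dict:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    found, work = match_unsalted(build_unsalted_table(USERS), LEAKED_DICTIONARY)
    print(f"unsalted: {found} after {work} hash computations")
    found, work = match_salted(build_salted_table(USERS), LEAKED_DICTIONARY)
    print(f"salted:   {found} after {work} hash computations")
    rec = store_password("Tq7#vL!p9xZ2")
    print("slow KDF verify:", verify_password(rec, "Tq7#vL!p9xZ2"), verify_password(rec, "qwerty"))
```

The same three weak passwords are found either way; what changes is the work: the unsalted table needs one hash per dictionary word regardless of how many users there are, while the salted table needs up to one hash per word per user. Salt therefore scales the attacker's cost with the number of accounts, and only a deliberately slow KDF scales it per guess.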
16.01.2019, 11:31
Forum Legend | Join Date: Oct 2009 | Location: Basel
Posts: 14,299
Groaned at 276 Times in 182 Posts
Thanked 17,701 Times in 7,473 Posts
Re: Englishforum security breach?
Quote:
> In the email I received, it showed an old password; not the one I currently use(d) (changed it again now, just to make sure).
When did you change from the old password? That at least helps to put a timeline on the compromise.
The following 2 users would like to thank Phil_MCR for this useful post.
16.01.2019, 12:13
Forum Legend | Join Date: Jul 2009 | Location: Lummerland
Posts: 5,281
Groaned at 143 Times in 100 Posts
Thanked 9,123 Times in 3,455 Posts
Re: Englishforum security breach?
All this password change and a different password for every site may be common sense, but for the generic run-of-the-mill garden variety user it defeats the point. I struggle to remember more than two passwords, and if I wish to access my YouTube account or my iTunes account then I need to reset the freaking password every time, because I can't remember the stupid password out of mind and I can't remember where I put the note where I wrote them down, or I don't have it with me when I need it.
So generally I use one password or a variation of it, and even then I can't remember which variant I used.
__________________
Back in Bavaria, god's own belly button.
The following 4 users would like to thank slammer for this useful post.
16.01.2019, 12:21
Re: Englishforum security breach?
Quote:
> All this password change and a different password for every site may be common sense, but for the generic run-of-the-mill garden variety user it defeats the point. I struggle to remember more than two passwords, and if I wish to access my YouTube account or my iTunes account then I need to reset the freaking password every time, because I can't remember the stupid password out of mind and I can't remember where I put the note where I wrote them down, or I don't have it with me when I need it.
> So generally I use one password or a variation of it, and even then I can't remember which variant I used.
There are apps that can do this for you. I use 1Password: one local complicated password, which will generate and manage all your different passwords.
The following 2 users would like to thank for this useful post.
16.01.2019, 12:40
RIP | Join Date: Apr 2009 | Location: Eglisau
Posts: 7,272
Groaned at 47 Times in 46 Posts
Thanked 14,131 Times in 5,506 Posts
Re: Englishforum security breach?
Quote:
> All this password change and a different password for every site may be common sense, but for the generic run-of-the-mill garden variety user it defeats the point. I struggle to remember more than two passwords, and if I wish to access my YouTube account or my iTunes account then I need to reset the freaking password every time, because I can't remember the stupid password out of mind and I can't remember where I put the note where I wrote them down, or I don't have it with me when I need it.
> So generally I use one password or a variation of it, and even then I can't remember which variant I used.
It's a real problem for many users.
One solution is to use a password manager and set a long, random password for all the websites you frequent. Then you only need to remember the password to unlock your password manager, and also the password for your email account, so that if (when) you forget the password for your password manager or otherwise mess it up you can at least use the email-based password reset function on the websites you use.
The other low-tech solution, if you insist on using one password for all your website logins (like EF, FB), is to make it long, and to deliberately misspell multiple easily remembered words.
"hamberders_unt_Harrlies", for example (ok, "hamberders" is probably in most dictionary attack lists by now, but you get the idea).
Length works well against brute force, and misspelling is reasonably effective against dictionary attacks.
__________________
If everyone you know agrees with you consistently, they are either not listening, or not capable of critical thought.
The following 4 users would like to thank JagWaugh for this useful post.
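The post above guesses that "hamberders" is already in dictionary lists, and an earlier post in the thread pointed to the haveibeenpwned password list as the place to check. The Pwned Passwords service answers that question without ever receiving the password: the client sends only the first five hex characters of the password's SHA-1 and receives every known suffix for that prefix with its breach count (the k-anonymity range search). The Python below is an added example written for this page, not code from the forum or from haveibeenpwned; the endpoint URL and the `suffix:count` response format are the service's real ones, while the breached list and its counts used by the offline stand-in are constructed, so a zero result from the fake fetcher says nothing about the real corpus.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Real Pwned Passwords range endpoint: only a 5-hex-character SHA-1 prefix is sent.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range(password: str) -> tuple:
    """Return (5-char prefix sent to the service, 35-char suffix that stays local)."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Each response line is '<35-hex-suffix>:<count>'; lines are CRLF separated."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus; 0 means not found.
    The match against the suffix happens locally, so the service never learns it."""
    prefix, suffix = split_for_range(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Network fetcher for real use; not exercised in the offline demonstration."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service: a tiny breached list with made-up counts.
CONSTRUCTED_BREACHED = {"password": 1000, "qwerty": 500, "hamberders": 12}


def make_fake_fetcher(breached: Dict[str, int]) -> Callable[[str], str]:
    def fetch(prefix: str) -> str:
        lines = []
        for pw, n in breached.items():
            p, s = split_for_range(pw)
            if p == prefix:
                lines.append(f"{s}:{n}")
        # The real service lists every suffix sharing the prefix; add one filler entry
        # so the parser always sees unrelated suffixes alongside any hit.
        lines.append("0" * 35 + ":1")
        return "\r\n".join(lines)
    return fetch


if __name__ == "__main__":
    fake = make_fake_fetcher(CONSTRUCTED_BREACHED)
    for candidate in ["password", "hamberders", "hamberders_unt_Harrlies"]:
        print(candidate, "->", pwned_count(candidate, fake))
```

To query the real service, pass `fetch_range_live` instead of the fake fetcher. This is also why the advice in the thread to change a password after typing it into a checker is more cautious than the protocol requires: a correctly implemented client never transmits the password or its full hash.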
16.01.2019, 13:19
Forum Legend | Join Date: Oct 2006 | Location: canton ZH
Posts: 12,041
Groaned at 198 Times in 164 Posts
Thanked 13,586 Times in 7,075 Posts
Re: Englishforum security breach?
Now that was fun. I had changed my password on EF, which I was so happy with since 2006, don't even know why really as I was not worried......
and forgot the new password
So I got
<<Wrong username or password. You have used up your failed login quota! Please wait 15 minutes before trying again>> from EF PLUS a PM:
<<Dear curley,
Someone has tried to log into your account on English Forum Switzerland with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.
The person trying to log into your account had the following IP address: 7 ..... yeah, okay, never mind, there was an IP there
All the best,
English Forum Switzerland>>
I'm probably now registered for life as the wanna-be thief of my own EF account.
__________________
If there is a God, then I believe he's more insulted by religion than he is by atheism.
The following 2 users would like to thank curley for this useful post.
16.01.2019, 13:30
Forum Legend | Join Date: Feb 2006 | Location: Zürich
Posts: 3,044
Groaned at 46 Times in 33 Posts
Thanked 2,297 Times in 1,103 Posts
Re: Englishforum security breach?
Next step: Curley sends herself an email demanding EUR 800, otherwise threatens to publicise her search history.
The following 6 users would like to thank krlock3 for this useful post.
16.01.2019, 13:47
Forum Legend | Join Date: Jun 2008 | Location: Baden
Posts: 3,285
Groaned at 46 Times in 41 Posts
Thanked 5,478 Times in 2,103 Posts
Re: Englishforum security breach?
shit's getting real...
got this on my email
The following 5 users would like to thank Ouchboy for this useful post.
16.01.2019, 13:55
Forum Legend | Join Date: Jul 2009 | Location: Basel
Posts: 3,645
Groaned at 33 Times in 30 Posts
Thanked 6,859 Times in 2,211 Posts
Re: Englishforum security breach?
Quote:
> Furthermore, all dormant accounts, those which have not logged in since 01.01.17, will be permanently deleted. The posts from deleted accounts will remain published but labelled as authored by "Guest".
Does this mean that 'Guest' will replace their username, or that 'Guest' will replace their forum status? E.g., would I become:
Guest Forum Legend
or
Village Idiot Guest
If it's the former, that seems like a real shame, as we'll lose out on the many amazing personalities that have helped form the board over the years, who are no longer posting for whatever reason.
The following 5 users would like to thank Village Idiot for this useful post.
16.01.2019, 13:56
Forum Veteran | Join Date: Jan 2012 | Location: thun
Posts: 2,137
Groaned at 40 Times in 29 Posts
Thanked 2,806 Times in 1,358 Posts
Re: Englishforum security breach?
Quote:
> No, salt does not add any real complexity to a single password. If you have the encrypted password database you also have the salt which goes with each password. An 8 character password is still an 8 character password even with 128 characters of salt.
> . . .
Ah yes. I've just refreshed my memory. The salt is stored with the password and indeed it does not make the decryption of an individual password from the file any more complex; it does make the construction of a universal reverse lookup table less feasible, however. Thanks.
16.01.2019, 14:29
Forum Legend | Join Date: Jul 2011 | Location: Switzerland
Posts: 21,838
Groaned at 391 Times in 302 Posts
Thanked 16,781 Times in 9,468 Posts
Re: Englishforum security breach?
Good luck with upgrading vBulletin. Another of my forums which uses v3.8.4 tried it a few years ago and it caused so much chaos they had to roll back to v3.8.4 again.
I admit I'm one of those people who uses the same password everywhere, but if I went to individual ones, no way would I be using a cloud storage app or similar for it. Good, old-fashioned pen and paper will do the trick for me.
16.01.2019, 16:45
Forum Legend | Join Date: Oct 2009 | Location: Basel
Posts: 14,299
Groaned at 276 Times in 182 Posts
Thanked 17,701 Times in 7,473 Posts
Re: Englishforum security breach?
Quote:
> All this password change and a different password for every site may be common sense, but for the generic run-of-the-mill garden variety user it defeats the point. I struggle to remember more than two passwords, and if I wish to access my YouTube account or my iTunes account then I need to reset the freaking password every time, because I can't remember the stupid password out of mind and I can't remember where I put the note where I wrote them down, or I don't have it with me when I need it.
> So generally I use one password or a variation of it, and even then I can't remember which variant I used.
Just write them on post-its and stick them next to the screen.
This user would like to thank Phil_MCR for this useful post.
16.01.2019, 20:36
A modal singularity | Join Date: Sep 2011 | Location: Morgins, VS (and Alsace)
Posts: 9,030
Groaned at 365 Times in 236 Posts
Thanked 15,358 Times in 6,646 Posts
Re: Englishforum security breach?
Quote:
> Good luck with upgrading vBulletin. Another of my forums which uses v3.8.4 tried it a few years ago and it caused so much chaos they had to roll back to v3.8.4 again.
I think I can see where they were going wrong...
The following 3 users would like to thank Ace1 for this useful post.
16.01.2019, 21:52
Forum Legend | Join Date: May 2013 | Location: Up above Nyon
Posts: 3,917
Groaned at 109 Times in 68 Posts
Thanked 5,209 Times in 2,029 Posts
Re: Englishforum security breach?
Quote:
> Just write them on post-its and stick them next to the screen.
This is what we do in my office :-)
This user would like to thank John_H for this useful post.
17.01.2019, 08:23
Forum Legend | Join Date: Oct 2008 | Location: Baselland
Posts: 12,973
Groaned at 206 Times in 183 Posts
Thanked 18,807 Times in 7,664 Posts
Re: Englishforum security breach?
Quote:
> Just write them on post-its and stick them next to the screen.
That's what the secretaries did for the directors' passwords in one place I worked.
The following 2 users would like to thank NotAllThere for this useful post.
17.01.2019, 09:00
Forum Veteran | Join Date: Mar 2010 | Location: Greater Zürich Area
Posts: 939
Groaned at 119 Times in 76 Posts
Thanked 713 Times in 396 Posts
Re: Englishforum security breach?
Quote:
> All this password change and a different password for every site may be common sense, but for the generic run-of-the-mill garden variety user it defeats the point. I struggle to remember more than two passwords, and if I wish to access my YouTube account or my iTunes account then I need to reset the freaking password every time, because I can't remember the stupid password out of mind and I can't remember where I put the note where I wrote them down, or I don't have it with me when I need it.
> So generally I use one password or a variation of it, and even then I can't remember which variant I used.
My approach is to have a system where I have a standard strong password (lowercase, uppercase, numbers and special chars) and I use a variation of it for every website using the same system.
Something like: insert the first character of the website's name as the second char in the pwd, and the last char of the website name as the second-to-last char in the pwd.
17.01.2019, 10:07
Forum Legend | Join Date: May 2013 | Location: Up above Nyon
Posts: 3,917
Groaned at 109 Times in 68 Posts
Thanked 5,209 Times in 2,029 Posts
Re: Englishforum security breach?
Actual source of the exposure, possibly... Maybe nothing wrong with EF after all: https://yro.slashdot.org/story/19/01...mail-addresses
17.01.2019, 10:10
Administrator | Join Date: Mar 2008 | Location: Munich
Posts: 214
Groaned at 44 Times in 24 Posts
Thanked 1,748 Times in 621 Posts
Re: Englishforum security breach?
Another article about the same: https://www.wired.com/story/collecti...unts-passwords
They're calling it "the breach of breaches". Data from 2,000 sites all in one collection.
Reaffirms our suspicion that this was an old leak that is only now being put to misuse.
Doesn't clear EF of responsibility though. We're still working on this.
The following 8 users would like to thank Editor Bob for this useful post. This user groans at Editor Bob for this post.
17.01.2019, 10:14
Forum Legend | Join Date: May 2013 | Location: Up above Nyon
Posts: 3,917
Groaned at 109 Times in 68 Posts
Thanked 5,209 Times in 2,029 Posts
Re: Englishforum security breach?
Quote:
> Another article about the same: https://www.wired.com/story/collecti...unts-passwords
> They're calling it "the breach of breaches". Data from 2,000 sites all in one collection.
> Reaffirms our suspicion that this was an old leak that is only now being put to misuse.
> Doesn't clear EF of responsibility though. We're still working on this.
At least it's not (hopefully) a current/ongoing leak :-)