Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
MacRumors Forums Downtime - Security Issue
- Thread starter arn
- Start date
- Sort by reaction score
There is nothing wrong with using md5 hashes.
Passwords are salted, with a custom seed that can be viewed from only inside the dedicated script page. Google will help you understand what does that mean.
I'm not sure if you realize vBulletin is not some test script written by a hobbyist in 2 minutes on a rainy afternoon.
We're talking about a professional forum platform. The incident happened because some classes with privileges were able to write html directly into an announcement, and a password got stolen.
vBulletin 5 is also a complete joke, as is Internet Brands. Seriously there is no reason to downgrade to vB5. If there is ever going to be a software modification it should be to IPB or XenForo. Both are way better systems.
So, forum hacked and no notice to forum users unless they sought you out on Twitter or somehow managed to access this very obscure thread on a disabled forum?
Still plenty of time to post news articles to keep the clicks coming, but not one news item advising viewers they really ought to change their forum password ASAP?
And no sign of the usual heads-up up to user to check they're not using the same password elsewhere? Shutting down your forum doesn't protect anybody but you. Plenty of us know we shouldn't, but many many users will have the same username and password on other sites. It's vital that all users are informed immediately that their ID may be compromised.
I'm sure you'd be happy to dole out the criticism if it were some other entity keeping up the business-as-usual-facade while their user's passwords are leaking out to who-knows-where.
Still plenty of time to post news articles to keep the clicks coming, but not one news item advising viewers they really ought to change their forum password ASAP?
And no sign of the usual heads-up up to user to check they're not using the same password elsewhere? Shutting down your forum doesn't protect anybody but you. Plenty of us know we shouldn't, but many many users will have the same username and password on other sites. It's vital that all users are informed immediately that their ID may be compromised.
I'm sure you'd be happy to dole out the criticism if it were some other entity keeping up the business-as-usual-facade while their user's passwords are leaking out to who-knows-where.
Seriously, you don't need to lecture me about password hashing and salting - I do it for a living
Whilst you're correct that salting the raw password string before hashing it does add a (moderate) level of security, with MD5 and SHA1 that's nullified by the fact that the strings can be reversed.
As an example lets say you have:
Password: My4ws0meP455W0Rd!
Salt: 5Vu9.<emDF6k$&
You combine it: My4ws0meP455W0Rd!5Vu9.<emDF6k$&
And you then MD5 it to get: 6ff01f01a2b090ce34acf1fbc28d04cd
Now that's in the database as your password.
See the big flaw? You've added no security at all really. Because MD5 and SHA1 take seconds to decode, you can reverse the MD5 hash and you'll get the combined string back. Then because vB stores a raw copy of the salt, all they have to do is strip off that salt string and hey presto, they have your password.
There's a reason nobody uses MD5 or SHA1 anymore.
Modern systems use Bcrypt based hashing, and in some cases combine that with an RSA Public/Private key system or an AES based initialisation vector system - this makes passwords a LOT more secure as there is no way of knowing the vector. Currently it's the strongest method of encryption, and when its done on top of a hashing algorithm will mean an extreme level of security.
You should browse around Stackoverflow at the cryptography guides.
P.S - there is EVERYTHING wrong with using MD5 hashes, you never, ever, ever use MD5 or SHA1 for passwords, no matter how many times you iterate over the string, or how many times you salt it. It will always be possible to decode it very fast.
Seriously, you don't need to lecture me about password hashing and salting - I do it for a living
Whilst you're correct that salting the raw password string before hashing it does add a (moderate) level of security, with MD5 and SHA1 that's nullified by the fact that the strings can be reversed.
As an example lets say you have:
Password: My4ws0meP455W0Rd!
Salt: 5Vu9.<emDF6k$&
You combine it: My4ws0meP455W0Rd!5Vu9.<emDF6k$&
And you then MD5 it to get: 6ff01f01a2b090ce34acf1fbc28d04cd
Now that's in the database as your password.
See the big flaw? You've added no security at all really. Because MD5 and SHA1 take seconds to decode, you can reverse the MD5 hash and you'll get the combined string back. Then because vB stores a raw copy of the salt, all they have to do is strip off that salt string and hey presto, they have your password.
There's a reason nobody uses MD5 or SHA1 anymore.
Modern systems use Bcrypt based hashing, and in some cases combine that with an RSA Public/Private key system or an AES based initialisation vector system - this makes passwords a LOT more secure as there is no way of knowing the vector. Currently it's the strongest method of encryption, and when its done on top of a hashing algorithm will mean an extreme level of security.
You should browse around Stackoverflow at the cryptography guides.
P.S - there is EVERYTHING wrong with using MD5 hashes, you never, ever, ever use MD5 or SHA1 for passwords, no matter how many times you iterate over the string, or how many times you salt it. It will always be possible to decode it very fast.
Thanks for letting the hacker know
/s
We're on the standard hash, which isn't great.
I've slept 2 hours since this started, and we just (10 minutes) ago have gotten the forums stable (I think). There are a lot of fires to put out. We're going as fast as we can, and we are still figuring some stuff out.
arn
Exactly. If user information -may- have been compromised it should be front paged.
I'm gonna sound like a jerk but that's par for me.
The members shouldn't be concerned with how much sleep you got. They should be concerned about their personal security.
It's your company not ours. Unless you wish to send out dividends I'd suggest putting a front page story up so your members know.
/being the ass that had to say it.
I had an awful feeling something was up today with the downtime.
Last pass to the rescue with another generated password it is then!
Glad the forums are back, hope the damage is limited for all parties.
Last pass to the rescue with another generated password it is then!
Glad the forums are back, hope the damage is limited for all parties.
I noticed several posts are missing from a thread I replied to before the system went down.
Should I attempt to rewrite and repost, or should I wait for the possibility of backups that may restore the missing posts?
Should I attempt to rewrite and repost, or should I wait for the possibility of backups that may restore the missing posts?