Is this why searching has been disabled?
People are always yelling at me for not searching the forums... But it still says searching is disabled! ;)
 
Explain to me how anyone can unconditionally translate a hash to a plain text password? That is, of course you can get a string which maps to the same user's password hash, but you can't determine if that string is effectively the user's password.

It's more like matching a hash to an input that generates that hash.

For example:
user: macfanboy
pass (not stored in the database): imamacfanboy
md5 hash (stored in the database): 811016fb8de4e4abfdbf84a3a50b38a6

If you assume it's not salted, then yeah. However, they are salted, so that's not what's stored in the database.

Of course there are ways to crack this and get a string which maps to that hash, but you can't assume that guessed string will effectively be "imamacfanboy" since md5 is not an invertible function. In short, in most cases you can just guess a character sequence that fits a hash but not the user's intended character sequence (the effective password).

Well, what you would typically do in the offline brute forcing is using a dictionary combined with some rules (i.e. replace all instances of 'e' with '3' in the input string), then hash the input, then check the table of passwords to see if it matches. If it does, then you know that that was probably that user's plaintext password. While it's theoretically possible that you found a hash collision, the chances are astronomically small and you'd be more likely to stub your toe on a solid gold bar when you're walking to the bathroom.

This said, hackers will be able to log into other forums which use the same hash function (e.g. md5(md5(...))), but logging into sites that use different hash schemes will be harder work.

Well, only if they use the same salt, too. Again, not likely.

There are other md5 tricks that allow hackers to infer the effective string employed by the user as a password (e.g. using dictionaries) but this is an issue only for single-word, very easy passwords. But easy passwords are an issue no matter what hash is used.

Not really. There are programs like oclhashcat, wherein one of the defined rules for generating an input string to hash is combining words, or other input phrases.
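The exchange above makes two points worth seeing in code: a per-user salt means the stored digest is not simply "the md5 of the password", so a table precomputed from unsalted md5 does not match it; and a dictionary plus substitution rules ('e' to '3', joined words) still reaches weak passwords, so the defence is to reject such passwords at registration. The following is an added example written for this thread, not code from MacRumors or vBulletin; the wordlist, salts and substitution map are constructed for illustration, and the salted md5 is shown only because it is what the thread discusses, not as a recommended password hash.

```python
import hashlib
import secrets

# Constructed wordlist standing in for a real dictionary or breach list.
WORDLIST = {"password", "macfanboy", "letmein", "welcome", "apple"}

# Substitutions people apply believing they add strength (the thread's 'e' -> '3').
LEET_MAP = str.maketrans({"3": "e", "0": "o", "1": "i", "4": "a", "5": "s",
                          "@": "a", "$": "s", "7": "t"})
# Trailing characters commonly appended to a base word ("password1!", "letmein123").
TRAILING = "0123456789!@#$%^&*.?"


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def salted_md5(password: str, salt: str) -> str:
    # Salted MD5 of the kind the thread discusses; illustration only.
    return md5_hex(password + salt)


def store(password: str) -> tuple:
    # Fresh random per-user salt: the same password stored twice yields
    # two different digests, so one digest tells you nothing about the other.
    salt = secrets.token_hex(8)
    return salt, salted_md5(password, salt)


def digests_differ(password: str) -> bool:
    return store(password)[1] != store(password)[1]


# A precomputed unsalted table (the "rainbow table" idea, reduced to a dict).
UNSALTED_TABLE = {md5_hex(w): w for w in WORDLIST}


def lookup_unsalted(digest: str):
    # Finds the word for an unsalted digest; returns None for a salted digest
    # of the very same word, because the salt changed the hashed input.
    return UNSALTED_TABLE.get(digest)


def candidate_bases(password: str) -> set:
    # Base forms a rule-based guesser would reach: lowercased, de-leeted,
    # with trailing digits/punctuation removed before or after de-leeting.
    p = password.lower()
    return {p.translate(LEET_MAP),
            p.rstrip(TRAILING).translate(LEET_MAP),
            p.translate(LEET_MAP).rstrip(TRAILING)}


def is_dictionary_derived(password: str) -> bool:
    # Registration-time policy check: reject a wordlist entry, a leet/suffix
    # variant of one, or two wordlist entries joined together.
    for base in candidate_bases(password):
        if base in WORDLIST:
            return True
        for w in WORDLIST:
            if base.startswith(w) and base[len(w):] in WORDLIST:
                return True
    return False


if __name__ == "__main__":
    salt, digest = store("macfanboy")
    print("salted digest found in unsalted table:", lookup_unsalted(digest))
    for pw in ("P@ssw0rd!", "L3tm3in123", "passwordwelcome", "Tr0ub4dor&3"):
        print(pw, "-> rejected" if is_dictionary_derived(pw) else "-> accepted")
```

The policy check is deliberately the same transformation a rule-based guesser applies, run in reverse at signup: if the check can reduce a password to a wordlist entry, so can the tooling the thread mentions, and the salt will not save that user.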
 
Why isn't this story top of the list?
If the website was compromised and users personal info / passwords taken MacRumors should make it a priority to let everyone know. But now this is just moving down the list like every other story here.
 
Why isn't this story top of the list?
If the website was compromised and users personal info / passwords taken MacRumors should make it a priority to let everyone know. But now this is just moving down the list like every other story here.

There is a statement at the top of the page, with a read this link.

It's done. It can happen again of course, but a change of password and a little care is all that the average user can do. For those with issues with keychain, open the app, click on iCloud, look for the MacRumors entry, and delete it.

Log out, empty your browser cache and open the login page again....all login fields should now be blank.
 
It's more like matching a hash to an input that generates that hash.



If you assume it's not salted, then yeah. However, they are salted, so that's not what's stored in the database.



Well, what you would typically do in the offline brute forcing is using a dictionary combined with some rules (i.e. replace all instances of 'e' with '3' in the input string), then hash the input, then check the table of passwords to see if it matches. If it does, then you know that that was probably that user's plaintext password. While it's theoretically possible that you found a hash collision, the chances are astronomically small and you'd be more likely to stub your toe on a solid gold bar when you're walking to the bathroom.



Well, only if they use the same salt, too. Again, not likely.



Not really. There are programs like oclhashcat, wherein one of the defined rules for generating an input string to hash is combining words, or other input phrases.

Well, actually we're basically agreeing about the MR security leak: it's not a big issue in most cases (except with easy dictionary predictable passwords, including combination of simple terms and/or replacing letters with their "hacker" counterparts, i.e. "o" to "0", "i" to "1" and so on).
 
Happened to me here until I logged out of here, and then logged back in (don't just change your password; log out after changing password). Upon logging back in, I was asked if I wanted to update my password in keychain.

But how do I log back in if I don't have my new password? Safari won't let me copy the generated password.
 
No, MD5 is not that "strong", but it's still a one-way hash. If you have a password like "efjwelkfwlkj3233423!!!2dsjdsd,..23328432747234" (okay, maybe not that crazy), the chance of it being cracked is pretty small. You'd have to have a very very large rainbow table to do that, which would take enormous time to make.
 
Was very nice, participating in the MacRumor forums. But I do not want to participate, anymore :(
Bye!

I hope all you people that are leaving because of this, leave your bank, leave your credit card company, leave your car loan, leave all social media because this happens to even the most secure companies so don't act like MacRumors is the devil

----------

Shouldn't macrumors be held responsible or pay some kind of restitution for punitive damages?

Yes, definitely. They made you sign up and use a non-unique password. Definitely sue them for all their worth

----------

I was going to avoid this, but I decided to use LastPass to change my password. Looks like I won't be logging onto MacRumors much in the future on my mobile devices. :(

If you use iCloud, the moment you go on the site it will save in your keychain and then be available on your mobile. I did it yesterday. It was very cool.
 
Shouldn't macrumors be held responsible or pay some kind of restitution for punitive damages?

If your life depended on it or was in peril - possibly. Lol

It's a freaking message board. Who gives a crap. You probably have more stuff readily accessible on Facebook and you're worried about a simple password/account you have here that may or may not have been divulged? Ugh.

PRIORITIES!

Example - you live in Queens right?
 
If your life depended on it or was in peril - possibly. Lol

It's a freaking message board. Who gives a crap. You probably have more stuff readily accessible on Facebook and you're worried about a simple password/account you have here that may or may not have been divulged? Ugh.

PRIORITIES!

Example - you live in Queens right?

Why are you worried about where I live? That's not the point here.
 
I'm finding odd behavior on AppShopper.com.

When I go to the MyApps or Wishlist tab it shows me as logged on as another user.

Starting to get worried...
 
Why weren't the passwords encrypted?

I find it absurd that MacRumors.com moderators spend so much time policing views and ideas -- particularly those critical of Apple, rather than actually spending more time on improving the security of the site.

Maybe the mods and arn as the owner can take a step back and reflect about their lapses.

Encrypting passwords is entry level stuff. Any decent site should have done it already.

And if the article is to be believed, the hack was similar to a previous hack -- so why weren't security measures taken to patch the site? After all, it is not an unknown issue.
 
I'm finding odd behavior on AppShopper.com.

When I go to the MyApps or Wishlist tab it shows me as logged on as another user.

Starting to get worried...

In my experience, whenever a consumer is notified about a security incident from one provider, the consumer tends to naturally link any subsequent anomaly with that incident (and tends to look for other anomalies). However, there is rarely any connection. More likely what you are seeing is entirely coincidental and unrelated.
 
Someone has already used this password to get into my Steam account. Changed both, but don't know yet what else might be compromised.
 
Why weren't the passwords encrypted?

I find it absurd that MacRumors.com moderators spend so much time policing views and ideas -- particularly those critical of Apple, rather than actually spending more time on improving the security of the site.

Maybe the mods and arn as the owner can take a step back and reflect about their lapses.

Encrypting passwords is entry level stuff. Any decent site should have done it already.

And if the article is to be believed, the hack was similar to a previous hack -- so why weren't security measures taken to patch the site? After all, it is not an unknown issue.

They were all hashed. Read the text!
 
Why are you worried about where I live? That's not the point here.

Sure it is. I'm making a point. You live in Queens. You went to Costa Rica and Cancun a few years back. You also invest. Should I go on? No, I won't. ;)
 
As unfortunate as this is, it really speaks as much to vBulletin's poor security (using MD5, albeit a double md5 with salt) as it does MR's decision to use vBulletin (even though it's hard to migrate a massive vBulletin to something else).

I would hope that in light of two high-profile hacks like this that vBulletin consider switching hashing algorithms, at the very least, and I think it would be a straightforward patch to make. phpass these days uses blowfish, then extended des, then md5 only as a last resort.
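The post above contrasts vBulletin's salted double md5 with phpass's preference for blowfish (bcrypt) and hopes for a switch of hashing algorithm. Two things make such a switch practical, and this added example (written for this thread, not code from vBulletin, phpass or MacRumors) shows both: a self-describing record format so old and new schemes can coexist, with legacy records re-hashed at the user's next successful login; and a deliberately slow KDF so each guess costs orders of magnitude more than a double md5. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here, and the md5(md5(password) + salt) concatenation order is an assumption made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def vb_style_hash(password: str, salt: str) -> str:
    # Double MD5 with a salt, in the shape the thread attributes to vBulletin.
    # The exact concatenation order is an assumption for this example.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    # Each guess costs `iterations` HMAC evaluations: the property that makes
    # bcrypt/phpass expensive to brute force, here via PBKDF2 from the stdlib.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_legacy_record(password: str) -> str:
    # Self-describing record: scheme$salt$digest, legacy scheme tagged "md5x2".
    salt = secrets.token_hex(4)
    return f"md5x2${salt}${vb_style_hash(password, salt)}"


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    # Current scheme stores its own iteration count so it can be raised later.
    salt = secrets.token_hex(16)
    digest = slow_hash(password, bytes.fromhex(salt), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${digest}"


def verify_record(password: str, record: str) -> bool:
    # Dispatch on the scheme tag; constant-time comparison of the digests.
    parts = record.split("$")
    if parts[0] == "md5x2":
        _, salt, digest = parts
        candidate = vb_style_hash(password, salt)
    elif parts[0] == "pbkdf2_sha256":
        _, iters, salt, digest = parts
        candidate = slow_hash(password, bytes.fromhex(salt), int(iters))
    else:
        return False
    return hmac.compare_digest(candidate, digest)


def needs_upgrade(record: str) -> bool:
    # Anything not on the current scheme, or below the current work factor,
    # gets re-hashed at the next successful login.
    parts = record.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS


def login(password: str, record: str) -> Tuple[bool, str]:
    # Returns (ok, possibly upgraded record). The upgrade happens only after
    # verification, because the plaintext is needed to compute the new hash.
    if not verify_record(password, record):
        return False, record
    if needs_upgrade(record):
        return True, make_record(password)
    return True, record


def per_guess_seconds(hash_fn, guesses: int) -> float:
    # Rough single-core cost of one candidate evaluation against a fixed salt.
    salt = "0" * 8
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"candidate{i}", salt)
    return (time.perf_counter() - start) / guesses


def cost_ratio() -> float:
    # How many times more expensive one PBKDF2 guess is than one double-MD5 guess.
    fast = per_guess_seconds(vb_style_hash, 5000)
    slow = per_guess_seconds(lambda p, s: slow_hash(p, s.encode()), 3)
    return slow / fast


if __name__ == "__main__":
    legacy = make_legacy_record("imamacfanboy")  # constructed sample password
    ok, upgraded = login("imamacfanboy", legacy)
    print("login ok:", ok, "| scheme after login:", upgraded.split("$")[0])
    print(f"one PBKDF2 guess costs ~{cost_ratio():.0f}x a double-MD5 guess")
```

The ratio printed at the end is the whole argument for switching: with the scheme tag in the record, the migration needs no password reset and no downtime, and every user who logs in once afterwards is moved off md5.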
 
As unfortunate as this is, it really speaks as much to vBulletin's poor security (using MD5, albeit a double md5 with salt) as it does MR's decision to use vBulletin (even though it's hard to migrate a massive vBulletin to something else).

I would hope that in light of two high-profile hacks like this that vBulletin consider switching hashing algorithms, at the very least, and I think it would be a straightforward patch to make. phpass these days uses blowfish, then extended des, then md5 only as a last resort.

MacRumors was/is using a version of vBulletin that was 'End of Lifed' in March 2011. Subsequent versions of vBulletin are...poor (to put it VERY mildly).

In this instance only MacRumors is to blame - they've had almost 3 years to move to better software.

----------

Someone has already used this password to get into my Steam account. Changed both, but don't know yet what else might be compromised.

Assume everything is - that's usually the best policy. Change passwords for everything, even if you don't use the same password.
 