This link on their site will bring you here, where you can download the beta.

Ok, thank you. I suppose that's worth a mention, however...

Based on the reviews, it looks like it's a pretty poor-quality app. Like the Android app, it's read-only. It's also a WP7 app, meaning it can run on WP8 but hasn't been updated to take advantage of the new abilities. If they don't even mention it on their site outside of a forum post from 2011 about some beta version, that doesn't inspire much confidence in their app.

The impression I'm getting from their Android and WP app reviews is that iOS is the only mobile platform the 1Password developers truly care about. Perhaps that allows them to super-serve iOS users with a good user experience, but a better Android app would go a long way towards getting them more users.

I've been a Mac user since 1996, but for my phone I use and mostly prefer Android (also have a 4th gen iPod touch and bought my mom an iPad 2).

Presumably entirely coincidentally Yahoo forced me to change my password (on the email account linked to my account here) because of 'unusual activity'. This is the first time in around a decade of my using their service that they have done this. This was on the 6th though, so too early to be related, right?
Do you have an Adobe ID any chance? 150 million of those were recently breached, and they did a terrible job of securing user information.
 
Another +1 for 1Password. My password here was a unique password generated by 1Password. I've since changed it.

In the last month though Yahoo forced me to change my password and now MacRumors. It is getting to be a rough place on the Internet.
 
Do you have an Adobe ID any chance? 150 million of those were recently breached, and they did a terrible job of securing user information.

Ah, yes, I did, interesting. And that article blows my mind. IT is particularly dangerous because, as Jobs said, if a computer is a bicycle for the mind, then a single imbecile can get far further off course than normal real-world stumbling would allow.

It is unfortunate that Yahoo's password reset emails are so cryptic. Does 'unusual activity on my account' mean they got in? It sounds like they did... anyway, I am straying off topic.
 
Here you go, MacRumors:

<?php
// Salt and Pepper Shaker class
class PasswordHasher {

    // pepper class: a site-wide secret kept in code/config, never in the DB,
    // so a dumped users table alone is not enough to start cracking
    private static $algo = '$2y';   // bcrypt; '$2a' was the identifier before PHP 5.3.7
    private static $cost = '$10';
    private static $pepper = '80d6b500987ed619c5462fdf854cb5cf';

    // salt shaker: $length characters from the bcrypt salt alphabet ./A-Za-z0-9
    public static function generateSalt($length) {
        // PHP 7+; on 5.x use mcrypt_create_iv($length, MCRYPT_DEV_URANDOM)
        $randomBinaryString = random_bytes($length);
        $randomEncodedString = str_replace('+', '.', base64_encode($randomBinaryString));
        return substr($randomEncodedString, 0, $length);
    }

    // pepper generator: HMAC the password with the pepper, then bcrypt the result
    public static function generateHash($password) {
        if (!defined('CRYPT_BLOWFISH') || !CRYPT_BLOWFISH) {
            die('The CRYPT_BLOWFISH algorithm is required (PHP 5.3).');
        }
        $password = hash_hmac('sha256', $password, self::$pepper, false);
        return crypt($password, self::$algo . self::$cost . '$' . self::generateSalt(22));
    }

    // pepper shaker: the first 29 chars of a bcrypt hash are "$2y$10$" + the 22-char salt
    public static function checkPassword($hash, $password) {
        $salt = substr($hash, 0, 29);
        $password = hash_hmac('sha256', $password, self::$pepper, false);
        $new_hash = crypt($password, $salt);
        return hash_equals($hash, $new_hash);   // constant-time compare instead of ==
    }
}

// return salted pepper
$stored = PasswordHasher::generateHash('correct horse battery staple');
var_dump(PasswordHasher::checkPassword($stored, 'correct horse battery staple'));
var_dump(PasswordHasher::checkPassword($stored, 'monkey123'));
 
OMG - I hope that the real Aiden Shaw isn't burned by this....

(Like, who would use their real name and email address for a message board?)
 
lol... I love the comments on the blog "Why didn't I receive an ******* email" lol

classic...


ok I'm done :)

If you have a LastPass-generated password anyway (really strong), why does MR still want you to change it?

Even though it's "less prone" than your traditional "monkey123" (no, don't use that one, please), because it's secure anyway, is MR's reason just the fact that "it's out there"?
 
Fingerprints Aint Enuf...

So why not make one of those little breathalyzer boxes that you have to blow into to unlock? They could make it about the size of a pack of gum.

DNA doesn't lie, can't be faked, and there's a redhead at my local coffee shop I would love to see logging in with one. :D
 
lol... I love the comments on the blog "Why didn't I receive an ******* email" lol

classic...


ok I'm done :)

If you have a LastPass-generated password anyway (really strong), why does MR still want you to change it?

Even though it's "less prone" than your traditional "monkey123" (no, don't use that one, please), because it's secure anyway, is MR's reason just the fact that "it's out there"?

I use LastPass to store passwords but not to generate them. Will they generate a password for each site, even though I can't remember it, and then drop it into a site when I visit it? I'm a premium subscriber. Thanks.
 
lol... I love the comments on the blog "Why didn't I receive an ******* email" lol

classic...


ok I'm done :)

If you have a LastPass-generated password anyway (really strong), why does MR still want you to change it?

Even though it's "less prone" than your traditional "monkey123" (no, don't use that one, please), because it's secure anyway, is MR's reason just the fact that "it's out there"?

For MacRumors to determine your password strength, they'd need to know what your password is. They don't. All MacRumors has in its database is the salt and the salted hash of your password. Hashing is a one way function.

They don't have your password, so they can't just plug it into a function that calculates password strength and then use that in an "if" statement to decide what to do.

I use LastPass to store passwords but not to generate them. Will they generate a password for each site, even though I can't remember it, and then drop it into a site when I visit it? I'm a premium subscriber. Thanks.

Yes, and that's how LastPass is designed to be used, including the free version.
 

These password managers make it easy to use long, randomly generated passwords that are unique to every site. They store your passwords in a locally encrypted vault and the only password you need to remember is one strong master password. They all support mobile devices, work offline, and have some form of syncing. When generating random passwords, they let you specify the password length and allowed character types so that you can meet the password requirements of a given web site. The developers of these programs DO NOT have access to your data.

LastPass is the most cross-platform. It has extensions for Chrome, Firefox, Safari, Opera, and IE, and mobile apps for iOS, Android, Windows Phone, and even BlackBerry. You can also access it via the web, which still performs the encryption and decryption locally in your browser so that the LastPass company does not have access. It supports various forms of multi-factor authentication, such as Google Authenticator, YubiKey, and the Grid, and also supports one-time passwords. Also syncs secure notes and autofills forms. Downsides: Your locally encrypted password vault is required to sync via LastPass servers, and none of their service has been independently audited for security. Though the JavaScript source code of the web site and some of the browser add-ons is publicly viewable, there are also binary browser plugins which are closed-source. Mobile apps require a $12/yr subscription to LastPass Premium.

1Password has a nice user interface and optionally syncs via Dropbox, iCloud, or WiFi. Downsides: The Mac, Windows, and iOS apps cost money (relatively pricey). The Android app is free, but it's only a viewer and can't add or edit entries. No Linux app, no support for mobile OSes beyond iOS and Android, and no multi-factor authentication. 100% proprietary and closed source. I'm not aware of any independent security audit having happened for 1Password.

KeePass is free and open source, so outside developers have full access to the source code, allowing anyone to confirm for themselves that KeePass follows good security practices and that nothing fishy is going on behind the scenes. Optionally syncs via Dropbox or FTP. There are various third party programs and browser add-ons to support a variety of platforms and browsers. Can be run as a portable app from a flash drive. Supports a variety of plugins to add functionality. Downsides: Not sure. Would someone who has used this app comment on its downsides? There doesn't seem to be multi-factor authentication or web access.
This is a good summary. I'd also add eWallet to the mix, however (no, I have no relation to the company except that I have been using their product on various platforms for many years since the old Palm Pilot days ;)). They have versions for Mac OS, Windows, iOS and Android, and support syncing via iCloud or locally via Wifi (which is what I use).

I have considered switching to KeePass for a while (since I think open source is a huge benefit for this kind of software), but it doesn't have eWallet's convenient Wifi sync. Also, the computer app was written using Microsoft .Net and hence requires the rather heavyweight Mono framework to run on Mac OS or Linux. At least there was no native Mac OS app when I last checked.
 
For MacRumors to determine your password strength, they'd need to know what your password is. They don't. All MacRumors has in its database is the salt and the salted hash of your password. Hashing is a one way function.

Yes, I realize this, but hashed or not, whether they can decrypt it at all is irrelevant... but my point was not this.

My reasoning is, if all the site has is a hash... it's a hash, regardless of whether it's one-way or not... it's still in their DB.

Thus, meaning, if that was what attackers got... ok, they can't crack it now...

But who knows when? And besides... it's not gonna be in our lifetime anyway... so really that even lessens the need to change it, yes?

I realise from MR's point of view it is "why take the chance", but if we aren't gonna be around anyway (unless some genius happens overnight), then what's the worry? Really?

But regardless, I still agree with MR's point of view on the need to change.
 
For MacRumors to determine your password strength, they'd need to know what your password is. They don't. All MacRumors has in its database is the salt and the salted hash of your password. Hashing is a one way function.

They don't have your password, so they can't just plug it into a function that calculates password strength and then use that in an "if" statement to decide what to do.
Technically, websites (including MacRumors) that store password hashes could run the same password-cracking software that the bad guys use, breaking as many of their own users' passwords as they could, and from that effort identify and notify (or block) those with the weakest passwords. But users would probably not appreciate that!
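As an added illustration of the audit described in the post above (this is example code, not MacRumors' or vBulletin's actual scheme): a site that holds only salts and salted hashes cannot read any password back, but it can do exactly what an attacker with a stolen table does and run a wordlist against every record. The storage scheme, user records and wordlist below are all constructed for the demo; a real deployment should use a deliberately slow hash such as bcrypt, scrypt or Argon2, which makes each guess far more expensive than the SHA-256 used here.

```python
"""Added example: a site auditing its own salted password hashes with a
dictionary attack.  Illustrative code only; the hash construction, salts,
user records and wordlist are constructed for the demo."""
import hashlib
import hmac
import os
import secrets


# Hypothetical storage scheme for the demo: per-user random 16-byte salt,
# SHA-256 over salt || password.  Fast hashes like this only make the
# attacker's (and the auditor's) dictionary run cheaper.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_record(username: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    # Constant-time compare, so response time leaks nothing about the digest.
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


# Constructed user table.  Only salt and hash would exist in a real DB; the
# plaintexts are here only so the records can be built for the demo.
USERS = [
    make_record("alice", "monkey123"),
    make_record("bob", "Password1"),
    make_record("carol", secrets.token_urlsafe(20)),   # password-manager style
]

# Constructed wordlist.  Real cracking runs use hundreds of millions of
# leaked passwords plus mangling rules; the principle is the same.
WORDLIST = ["123456", "password", "monkey123", "letmein", "Password1", "qwerty"]


def audit_weak_passwords(records, wordlist):
    """Return {username: cracked_password} for every record whose hash
    matches a wordlist entry.  Because each salt is unique, every candidate
    must be re-hashed per user: salting defeats precomputed tables but does
    not stop a dictionary run against a fast hash."""
    cracked = {}
    for rec in records:
        for guess in wordlist:
            if hmac.compare_digest(rec["hash"], hash_password(guess, rec["salt"])):
                cracked[rec["user"]] = guess
                break
    return cracked


if __name__ == "__main__":
    # alice and bob are flagged; carol's random password never matches, so
    # the site learns nothing about it beyond "not in our wordlist".
    print(audit_weak_passwords(USERS, WORDLIST))
```

The audit answers the earlier question in the thread in a roundabout way: the site cannot compute a strength score from a hash, but it can learn that a password is weak by guessing it, which is precisely why a manager-generated password is in a different class from "monkey123".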
 
Yes, I realize this, but hashed or not, whether they can decrypt it at all is irrelevant... but my point was not this.

My reasoning is, if all the site has is a hash... it's a hash, regardless of whether it's one-way or not... it's still in their DB.

Thus, meaning, if that was what attackers got... ok, they can't crack it now...

But who knows when? And besides... it's not gonna be in our lifetime anyway... so really that even lessens the need to change it, yes?

I realise from MR's point of view it is "why take the chance", but if we aren't gonna be around anyway (unless some genius happens overnight), then what's the worry? Really?

But regardless, I still agree with MR's point of view on the need to change.

I don't think it would take that long to crack the passwords
 
Yes. Length makes your password far harder for an automated attack against your password than symbols do. People are extremely predictable when it comes to the ways they'll use symbols (and even if they weren't, it would still be trivial for a script to run through every possibility in a matter of minutes-hours.)

Never use a password shorter than 12 characters, but getting it to be 20-30 characters long is much safer. Also, don't reuse passwords - you never know how securely anyone will handle your password. You wouldn't want someone to get your email password just because some intern at Adobe didn't know you should encrypt passwords, for example, because most websites use your email as their recovery mechanism. Meaning a person targeting you could then get everything else they might want.
Why then does Apple create essentially 12-character passwords that are 3 characters grouped together with dashes between? Over time, that seems like it'd be easier to crack than what you suggest? I'm not sure I like using iCloud Keychain for password generation. I mean, what is the power for 2x for this... 4 sets of 3 characters each?
 
Ok so I don't know if this is related to the security leak, but:
I'm from the Netherlands so I'm gonna type this in local time.
It's 04:44 AM at the moment.
At 03:31 I registered at your forum.

At 04:20 I got a spam message in my mailbox (outlook.com) and if I look at the sender, it shows my own email address. It's also partly written in Hebrew or something. So I was wondering if this could have anything to do with the security hack.
- I have never received spam in this mailbox
- My laptop is actually pretty secure, no viruses etc. (Bitdefender paid version, everything up to date)
- Wasn't doing anything else for the last hour, only surfing the MacRumors forum.
- I have a pretty complex email password so I don't think it's been hacked.

I've heard you can spoof sender information so that it looks like it's been sent from my own email address; is there any way I can check if this is true?
 
Not at all sure this'll be seen in this lengthy thread, but I just want to add my voice to the thank you's to Arn for how this was handled. Sucks that it did, but when it does you can't ask for much more than what you and the MR crew did.
 
Ok so I don't know if this is related to the security leak, but:
I'm from the Netherlands so I'm gonna type this in local time.
It's 04:44 AM at the moment.
At 03:31 I registered at your forum.

At 04:20 I got a spam message in my mailbox (outlook.com) and if I look at the sender, it shows my own email address. It's also partly written in Hebrew or something. So I was wondering if this could have anything to do with the security hack.
- I have never received spam in this mailbox
- My laptop is actually pretty secure, no viruses etc. (Bitdefender paid version, everything up to date)
- Wasn't doing anything else for the last hour, only surfing the MacRumors forum.
- I have a pretty complex email password so I don't think it's been hacked.

I've heard you can spoof sender information so that it looks like it's been sent from my own email address; is there any way I can check if this is true?

Email can be easily spoofed to look like it's sent from anyone. Email doesn't verify who the sender is, so you can put anything you want.

Also, if you Google your email address, it shows up... once it's findable by Google, it's findable by spammers/scrapers.

arn
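As an added example for the "how can I check" question (this is not part of arn's reply): the From: line is just text the sender typed, but the receiving mail server adds headers the sender does not control. The Received: chain records which host actually handed the message over, Return-Path: carries the envelope sender used in the SMTP transaction, and an Authentication-Results: header (added by the receiving server, when it does SPF/DKIM checks) says whether the claimed sending domain authorised that host. The raw message, host names, IPs and addresses below are all constructed for the demo.

```python
"""Added example: pulling the sender-related headers out of a raw message to
see whether From: matches where the mail actually came from.  The message
below is constructed; the hosts, addresses and IPs in it are made up."""
import email
import re
from email.utils import parseaddr

# Constructed sample: From: claims the recipient's own address, but the
# envelope sender and the injecting host belong to an unrelated domain and
# the receiving MX recorded an SPF failure.  Headers are read top-down;
# each hop prepends its own Received: line, so the LAST one in the list is
# the hop closest to the real origin.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
        by mx.example.org with ESMTP id abc123
        for <victim@example.org>; Sat, 16 Nov 2013 03:20:11 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net
From: victim@example.org
To: victim@example.org
Subject: hello
Message-ID: <1@mailer.example.net>

body
"""


def spoof_indicators(raw: str) -> dict:
    """Return the facts a reader would compare by hand: the claimed From:
    address, the envelope sender, the originating hop and IP, and whether
    the receiving server recorded an SPF failure."""
    msg = email.message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1]
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1]
    received = msg.get_all("Received") or []
    # Collapse folded continuation lines into one string.
    origin_hop = " ".join(received[-1].split()) if received else ""
    ip_match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", origin_hop)
    auth = msg.get("Authentication-Results", "")
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "domain_mismatch": header_from.split("@")[-1].lower()
        != envelope_from.split("@")[-1].lower(),
        "origin_hop": origin_hop,
        "origin_ip": ip_match.group(1) if ip_match else None,
        "spf_fail": bool(re.search(r"spf=(fail|softfail)", auth)),
    }


if __name__ == "__main__":
    for key, value in spoof_indicators(RAW_MESSAGE).items():
        print(f"{key:16s} {value}")
```

In a real mailbox you would view the message source (most webmail clients have a "show original" or "view headers" option) and paste it in; a From: address at your own domain combined with a Return-Path: and originating host elsewhere, or an spf=fail result, is the signature of a forged sender rather than a compromised account.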
 
why then does apple create essentially 12 character passwords that are 3 characters grouped together with dashes between? Over time, that seems like it'd be easier to crack than what you suggest? I'm not sure I like using iCloud Keychain for password generation. I mean, what is the power for 2x for this...4 sets of 3 characters each?

It's not that bad, actually. Since it has no ties to the English language (or any other language, for that matter.) Each character could be any of A-Z, a-z, or 0-9, giving you 62 possibilities per character. 62^12 is about 3,226,000,000,000,000,000,000. The only issue with the passwords it generates is that you probably won't remember it, but so long as you always use iCloud Keychain, that wouldn't be a problem.

Further, I'm assuming iCloud Keychain actually generates random characters. I would think that it uses ARC4Random(), which should work well enough.

Oh, one other possible problem would be if it didn't securely save your passwords. They say it's encrypted with AES-256 though, which again, should work well enough.
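To put numbers on the length-versus-symbols argument from a few posts up and on the 62^12 figure here, an added calculator (example code, not from the thread). It models the iCloud Keychain layout exactly as the post describes it: 12 characters drawn from A-Z, a-z, 0-9 in four dash-separated groups, where the dashes are fixed and contribute nothing. The guess rate used for the time estimate is an assumption for illustration, and all of this assumes the characters really are chosen uniformly at random, which is what a generator gives you and a human does not.

```python
"""Added example, not from the original thread: keyspace, entropy and
brute-force time for the password formats discussed above.  The guess rate
is an illustrative assumption."""
import math
import string

ALPHABETS = {
    "digits": string.digits,                                                 # 10
    "lower": string.ascii_lowercase,                                         # 26
    "alnum": string.ascii_letters + string.digits,                           # 62
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def keyspace(length: int, alphabet: str) -> int:
    """Distinct passwords of `length` characters drawn uniformly from
    `alphabet`.  Only valid for random generation; a human-chosen
    "P@ssw0rd!" sits in a far smaller, very predictable subset."""
    return len(alphabet) ** length


def entropy_bits(length: int, alphabet: str) -> float:
    return length * math.log2(len(alphabet))


def years_to_exhaust(length: int, alphabet: str, guesses_per_second: float) -> float:
    """Time to try the whole keyspace; on average the right password turns
    up after half of it."""
    return keyspace(length, alphabet) / guesses_per_second / (365.25 * 24 * 3600)


def icloud_style_keyspace() -> int:
    # "xxx-xxx-xxx-xxx": the separators are constant, so only 12 characters count.
    return keyspace(12, ALPHABETS["alnum"])


def compare_formats(guesses_per_second: float = 1e10):
    """Length versus character set.  Returns (label, bits, years) rows
    sorted weakest to strongest.  1e10 guesses/s is an assumed rate for a
    GPU rig against a fast, unsalted hash; a slow hash like bcrypt cuts it
    by orders of magnitude."""
    candidates = [
        ("12 x printable (with symbols)", 12, ALPHABETS["printable"]),
        ("12 x alnum (iCloud Keychain style)", 12, ALPHABETS["alnum"]),
        ("16 x lower-case only", 16, ALPHABETS["lower"]),
        ("20 x lower-case only", 20, ALPHABETS["lower"]),
        ("30 x lower-case only", 30, ALPHABETS["lower"]),
    ]
    rows = [(label, entropy_bits(n, a), years_to_exhaust(n, a, guesses_per_second))
            for label, n, a in candidates]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    print(f"iCloud-style keyspace: {icloud_style_keyspace():.3e}")
    for label, bits, years in compare_formats():
        print(f"{label:38s} {bits:6.1f} bits  {years:12.3g} years")
```

The ordering the comparison produces is the point of the earlier post: 16 lower-case letters already outscore 12 characters from the full printable set, and 20 lower-case letters are far ahead of both, so the random 12-character format is adequate but extra length is the cheaper way to add margin.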
 
It's not that bad, actually. Since it has no ties to the English language (or any other language, for that matter.) Each character could be any of A-Z, a-z, or 0-9, giving you 62 possibilities per character. 62^12 is about 3,226,000,000,000,000,000,000. The only issue with the passwords it generates is that you probably won't remember it, but so long as you always use iCloud Keychain, that wouldn't be a problem.

Further, I'm assuming iCloud Keychain actually generates random characters. I would think that it uses ARC4Random(), which should work well enough.

Oh, one other possible problem would be if it didn't securely save your passwords. They say it's encrypted with AES-256 though, which again, should work well enough.

I bet your brain hurts after crunching that one... :D

So, here, we don't even know what iCloud Keychain uses, but we do with LastPass, hence why I trust it more, because the technology is freely given.


Unfortunately, for security, you can't remember complex passwords, and if we must all rely on password managers and not remembering them, this will only further persuade people to write them down to keep them stored in a Passwords.doc file, Notepad etc...

Unfortunately, as tough and as convenient as you try and make it, by making it part of the OS, it's just there; most will stick to older methods, and think they're safe...

That is, until they lose it.

Using different/complex passwords on each site: it doesn't matter how low-profile they are and not worth it, because it will be worth it when they crack it..

To me, there is no such thing as a low-profile site anymore.... If I can't use complex passwords, then I don't use the site. No exceptions. But unfortunately, banking sites still don't get it.
 
Technically, websites (including MacRumors) that store password hashes could run the same password-cracking software that the bad guys use, breaking as many of their own users' passwords as they could, and from that effort identify and notify (or block) those with the weakest passwords. But users would probably not appreciate that!

True - the hardest part about enforcing security on any public-facing system: the balance between system protection and user-friendliness. Never a battle that's easy, and most often one that tips the scales either way - great security != user friendly :(

Whilst I have spent most of my IT trench time with uber-secure setups, they are a royal pain in the bum for users.

Make it very secure and users moan; make it err on the side of user-friendly and sooner or later a determined intruder will get in: users moan. If you can hit that sweet spot where both sides are happy - no medals at all and unicorns all round (yet to see such a setup in the real world).

It's no easy job being an admin to such a large and high-profile userbase as MR.

No sucking up here - just saying I've seen it many times, and it always is the site owner/admins that take the flak.
 
Glad I'm using KeePass.

I think I'm pretty safe using at least 128 bit passwords on sites with different password on every single one.
 
This is ridiculous. Is there no one that can come up with a better authentication methodology than user names and passwords? We have so many accounts and the demands put on us by IT and security people basically equates to "if you can access your own data, it's not secure enough", and "even if you can't remember your login credentials, someone else is likely to find them eventually".

I have a document with all my account info for my own reference, and my friend has all hers in a spreadsheet. I won't put my passwords into a public service that is owned by any entity that's attractive to hacking. What happens when LastPass, 1Password or iCloud Keychain are cracked and violated? Personal server storage is less likely to be targeted than an account service or Apple, et al.

1. Multi-factor authentication is what we need.

2. LastPass has been validated: www.youtube.com/watch?v=r9Q_anb7pwg
 