I really love reading your articles, I really do, but this seems to happen often, & I don't understand why our passwords are saved on your database like the poster below said. I will have to delete accounts if this happens again. Your fans & customers will not enjoy taking time out of their day to change & reset their passwords; this seems to be happening way too often it seems like there is no security!

To the best of my knowledge, this is the first time this has happened to MacRumors.
 
I really love reading your articles, I really do, but this seems to happen often, & I don't understand why our passwords are saved on your database like the poster below said. I will have to delete accounts if this happens again. Your fans & customers will not enjoy taking time out of their day to change & reset their passwords; this seems to be happening way too often it seems like there is no security!

I just noted that you just joined MR TODAY. So this comment comes from your vast experience on the site?

BTW: How many accounts do you have?
 
Nearly every service I use has been hacked in the last few years. No matter what security you personally use it doesn't seem to matter as people are going to hack the servers.

Inevitable when using something like vBulletin as one exploit gives them free access to every forum of that type until the exploit is patched and everyone updates.

Anyway just a forum, no CC or anything to worry about, not that big a deal.
 
I really love reading your articles, I really do, but this seems to happen often, & I don't understand why our passwords are saved on your database like the poster below said. I will have to delete accounts if this happens again. Your fans & customers will not enjoy taking time out of their day to change & reset their passwords; this seems to be happening way too often it seems like there is no security!

As somebody pointed out earlier in this thread, how do you expect to login if passwords are not saved on the database? Every single website you use where you have to login, your password is saved SOMEWHERE in their database.
 
As somebody pointed out earlier in this thread, how do you expect to login if passwords are not saved on the database? Every single website you use where you have to login, your password is saved SOMEWHERE in their database.

No, databases can store salted hashes of passwords without needing to store the passwords themselves. That's what the vBulletin forum software used by MacRumors was doing, but unfortunately it uses MD5 which is collision prone and designed for fast hashing rather than slow hashing. Hashing is a one way function, which makes it better than encryption for this purpose.

And if Hyper-X is reading this, I've been using unique passwords for all my accounts for several years now, but I still say that vBulletin should use a better hashing algorithm than MD5. Something like bcrypt or scrypt would be good. Unlike cleartext, quality salted hashes give me time to change my unique, strong password instead of making one of my accounts immediately vulnerable to attack (along with the accounts of all other users, including mods and admins).
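The difference between a fast salted hash and a slow one, as an added Python example that is not part of the original posts and not vBulletin's code. The salted-MD5 construction is a generic illustration, and the record format, function names and scrypt cost parameters are assumptions made for this example; it also shows upgrading a legacy record at the next successful login.

```python
import hashlib
import hmac
import os
import time

# Cost parameters are assumptions chosen for this example, not values from the thread.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
MAXMEM = 64 * 1024 * 1024


def legacy_md5_record(password, salt):
    """Generic salted MD5 (illustrative, not vBulletin's exact construction)."""
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return "md5${}${}".format(salt.hex(), digest)


def _scrypt(password, salt, n, r, p):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=MAXMEM, dklen=32)


def scrypt_record(password, salt=None):
    """Salted, memory-hard hash; parameters are stored so they can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    key = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), key.hex())


def verify(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    fields = record.split("$")
    if fields[0] == "md5" and len(fields) == 3:
        expected = legacy_md5_record(password, bytes.fromhex(fields[1]))
        return hmac.compare_digest(expected, record)
    if fields[0] == "scrypt" and len(fields) == 6:
        n, r, p = (int(x) for x in fields[1:4])
        key = _scrypt(password, bytes.fromhex(fields[4]), n, r, p)
        return hmac.compare_digest(key.hex(), fields[5])
    return False


def login(password, record):
    """Verify, and upgrade a legacy record while the cleartext is briefly available."""
    if not verify(password, record):
        return False, record
    if record.startswith("md5$"):
        record = scrypt_record(password)
    return True, record


def seconds_per_guess(make_record, rounds):
    """Average time to compute one candidate hash, i.e. the cost of one offline guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        make_record()
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = legacy_md5_record("correct horse battery", salt)  # constructed sample
    ok, stored = login("correct horse battery", stored)
    print(ok, stored.split("$")[0])
    fast = seconds_per_guess(lambda: legacy_md5_record("guess", salt), 2000)
    slow = seconds_per_guess(lambda: scrypt_record("guess", salt), 5)
    print("scrypt costs about %.0fx more per guess" % (slow / fast))
```

The database never holds the password in either scheme; what changes is how much work each offline guess against a stolen dump costs.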
 
No, databases can store salted hashes of passwords without needing to store the passwords themselves. That's what the vBulletin forum software used by MacRumors was doing, but unfortunately it uses MD5 which is collision prone and designed for fast hashing rather than slow hashing. Hashing is a one way function, which makes it better than encryption for this purpose.

And if Hyper-X is reading this, I've been using unique passwords for all my accounts for several years now, but I still say that vBulletin should use a better hashing algorithm than MD5. Something like bcrypt or scrypt would be good. Unlike cleartext, quality salted hashes give me time to change my unique, strong password instead of making one of my accounts immediately vulnerable to attack (along with the accounts of all other users, including mods and admins).

Yes I understand that. I quoted him because in my opinion, it was worded in that he was confused as to why ANY password data was being stored, encrypted or not. Somebody said a few pages back that it is irresponsible for a website to store user data. You couldn't login without certain data being stored.

I'm sure vBulletin will make some changes to how they do secure passwords because of this, considering their own forum was hacked.
 
Security: DO NOT ADHERE TO STANDARDS

- but make your own encryption, just don't tell them.

For all characters in username, subtract 0x20 or " " and multiply with say 93 - a number that you enter at startup and keep in your head (Space is not allowed in passwords and UserId).

Then find the first prime number above the result.
Now as the password is entered, do just the same- generate a 64 bit integer and store this, and compare with this.

To make life a racket for those that want to "crack" the site, the user identity is known to you, and because of order of the factors can be replaced, you can change the password key without knowing the string. I see there are people on the site that work with security, ask one of these to help you with the code.

You can change the code in pseudo-random intervals, and what they get is at the best the "key" that will grant them access to this site - you do not store the password just the result from a multiplication - and to gain access to the site you have to produce a string that generates exactly this number. Well if you have changed the key since it was "cracked" - knowing the password and userid will no longer grant them access. Then you can trace those that produce "old answers" - and trace the violator.

Multiply a number out of the strings and store the number. They can then hack the site without compromising anything, and bluntly, you can use the same password for all sites. But you cannot help me should I forget my password.
 
No. I am referring to the energy required to crack modern day hashing. The computational power required for some of them is against the laws of physics...

I stopped reading after seeing this, now I'm certain that you don't know what you're talking about. If you really want to continue this, let's do it in PM's and stop derailing the thread with your ridiculous posts.

Slinkwyde said:
And if Hyper-X is reading this...

Read Arn's latest post. If the point you're trying to make is to simply use the best method of password protection vB has to offer, that's fine, but I'm sure when it comes to running a site like this, admins need to look at balancing the ease of implementation vs the additional benefits from those changes. It's easy for a user to say what MR's should be doing and such, but it's the admin(s) that need to do all the work for us. This isn't like updating an app from the App Store.

Look at it this way, if MR's wasn't compromised, there wouldn't be any posts about any hashing methods. So again the problem was a compromised elevated account and Arn provided the most sensible theory behind how it may've happened which had nothing to do with any hashing method. MR's doesn't get hijacked often so it's reasonable to believe the way they've been doing things have been sufficient. Most of the posts admitting how some users re-use logins elsewhere are the faults of those users than it is MR's. It's not MR's responsibility to safeguard the carelessness/laziness of its users.
 
To the best of my knowledge, this is the first time this has happened to MacRumors.

But it takes just one time. I don't blame you, or anyone who helps on this site. If anything this made me change all my passwords, and most of them were different but all old. So now all new passwords, and using a new way to keep them safe as well. I also made a new email address just to use on forums, this way if something happens to that email address it's not a big deal and I can delete it if needed.
 
Risk?

Apologies in advance for my naivety.

Could someone please explain what the risk to a user is? What can the hacker do with the login info for a forum?

Cheers
 
Apologies in advance for my naivety.

Could someone please explain what the risk to a user is? What can the hacker do with the login info for a forum?

Cheers

As long as you use different passwords for every site that you have a login for there is little to no risk, all you need to do is change your password here on this site and, to be plain, forget about it.

There is not much else they can do, apart from your password they also have your username and email, they could use your username to potentially track you across websites but they have to assume you used the same username on multiple sites, and with your email you could receive spam but all the major email providers have very good filtering now and I've always acted that emails are pretty much public knowledge anyway.

The exception to this is if your unique passwords are actually not unique, say for example if your macrumors password is macrumors%32847h3 it is possible that your gmail password is gmail%32847h3 twitter is twitter%32847h3, a lot of people use passwords using similar methods, these are not secure, and using any type of l33t speak would not make that type of password any more secure.

If you are looking for a way to take your online security to the next level then there are two great ways to start, first is to use 2 step verification for any account that supports it, gmail, outlook, facebook, twitter, and apple ID all can have 2 step verification, this makes it impossible for someone even if they have your username and password to get into the account as they would not have the code produced by your phone (or tablet, etc.), 2nd is to use a password manager (I personally use Keepass) this takes away the insecure 'human' aspect of passwords it stores all your details for every account you have and will generate completely random passwords for you, all you ever need to do is remember the master password for the encrypted database and to backup the database like you would any digital file you don't want to lose.
 
Note to CrackFox: scroll down to the very bottom of my post. That's the part that's for you.

Yes I understand that. I quoted him because in my opinion, it was worded in that he was confused as to why ANY password data was being stored, encrypted or not. [...]
Ok, fair enough. Now I get what you're trying to say here, but the word "encryption" implies that decryption is possible. Hashing is different from that, but I know what you mean.

- but make your own encryption, just don't tell them. [...]
Are you advocating that MacRumors (or even vBulletin) develop their own encryption cipher algorithms? That is almost always a bad idea! Published ciphers such as AES-256, Blowfish, etc. have been thoroughly studied and tested by many eyeballs. Custom, untested ciphers often contain unintended weaknesses. Security through obscurity is no security at all.

Read Arn's latest post. If the point you're trying to make is to simply use the best method of password protection vB has to offer, that's fine, but I'm sure when it comes to running a site like this, admins need to look at balancing the ease of implementation vs the additional benefits from those changes. It's easy for a user to say what MR's should be doing and such, but it's the admin(s) that need to do all the work for us. This isn't like updating an app from the App Store.

I'm a computer science student with an understanding of relational databases, cryptography, and forum software code including vBulletin. I have administered, maintained, and modified forums and blog software before (admittedly on a far smaller scale, 20-30 users as I recall), and I understand what would be involved in the PHP and database modifications.

vBulletin doesn't offer a choice of hashing algorithms. The use of MD5 is hardcoded into the PHP scripts, so the ideal place to fix it would be not at individual message boards, but upstream in vBulletin itself. Then sites like MacRumors would eventually migrate to the newer version (which requires backing up forum data, re-applying patches, testing the new system at a separate location, temporarily disabling the old system, and likely fixing problems with the update that were not discovered during private testing).

Look at it this way, if MR's wasn't compromised, there wouldn't be any posts about any hashing methods.
Not quite true. This same discussion of vBulletin's poor choice in hashing algorithm was also discussed during the Ubuntu forum breach. I'm also a member of those forums and I saw and participated in those hashing discussions.

So again the problem was a compromised elevated account and Arn provided the most sensible theory behind how it may've happened which had nothing to do with any hashing method.
I wasn't suggesting that hashing had anything to do with the vulnerability exploited to gain access. I am aware that the breach stemmed from elevated privileges on a moderator account with a weak password. The problem is that once a database dump has been obtained by an attacker, poorly hashed and/or unsalted (in vBulletin's case, they're salted) passwords are more vulnerable to being uncovered using hashcat + password lists + rule sets. And if a database (not the MR database, I'm speaking generally) contains cleartext passwords, forget it. All accounts would be immediately vulnerable with no time for users to change their passwords.

Most of the posts admitting how some users re-use logins elsewhere are the faults of those users than it is MR's. It's not MR's responsibility to safeguard the carelessness/laziness of its users.
With this part, I 100% agree. I wish other computer users were more diligent about their security. My complaints are primarily in regards to vBulletin, not MacRumors.

Apologies in advance for my naivety.

Could someone please explain what the risk to a user is? What can the hacker do with the login info for a forum?

Cheers

The most vulnerable people are those who use the same password on other accounts, such as email, financial, medical, shopping, work, social networking accounts, or Apple ID (which can be used to locate and/or remote wipe a Mac or iOS device). An additional but smaller risk is private messages, because some of those inboxes and sent boxes contain information and conversation that was thought to be somewhat private, and some portion of it (however small) might be slightly sensitive.

Androiphone's explanation in the previous post is good, but to it I would add a link to my summary comparison of three password managers.
 
Apologies in advance for my naivety.

Could someone please explain what the risk to a user is? What can the hacker do with the login info for a forum?

Cheers

As long as you have changed your MR password, and changed *EVERY* website that has ever used the same MR password, you have zero to worry about. All the guy has is your email address. And if your password hash is ever cracked, he'll get a password you no longer, nor will you ever use. It's not like MR was storing your medical information to begin with. The hacker may know how many times you posted on MR.

So yeah, you have zero risk, provided that MR password you used has been nuked from online existence.

Also, this is why you should lie when it comes to security questions, and never use the same answer twice. One time you are born in Hawaii, the next time you are born in Denver, etc. One time your first car is a Ferrari, the next time it's a Buick, etc. For a long time, I've been using 1Password, which I use to keep track of all my security questions, etc. Basically everything having to do with my online identity, is encrypted with 1Password.

The best practice is to lie when submitting any information that will be used to unlock your account or require access should you get locked out yourself. Just keep track of all those security questions. I use 1Password and highly recommend it.
 
Also, this is why you should lie when it comes to security questions, and never use the same answer twice. One time you are born in Hawaii, the next time you are born in Denver, etc. One time your first car is a Ferrari, the next time it's a Buick, etc. For a long time, I've been using 1Password, which I use to keep track of all my security questions, etc. Basically everything having to do with my online identity, is encrypted with 1Password.

Another option (suggested by someone in a different MR thread) is to not even answer the security questions with real words. Instead, have 1PW generate a new long random string for each question and use that as your answer, and then store each question & answer pair in the 1PW notes field.
 
As long as you have changed your MR password, and changed *EVERY* website that has ever used the same MR password, you have zero to worry about. [...]
The best practice is to lie when submitting any information that will be used to unlock your account or require access should you get locked out yourself. Just keep track of all those security questions. I use 1Password and highly recommend it.

Another option (suggested by someone in a different MR thread) is to not even answer the security questions with real words. Instead, have 1PW generate a new long random string for each question and use that as your answer, and then store each question & answer pair in the 1PW notes field.

fwiw, i think it's also somewhat important to view those types of actions as stopgap solutions.. of course a user needs to be aware of internet dangers (or whatever) and take measures to protect themselves.. but at the same time, the best experience for a user would be no logging in / passwords at all.. go to a site and it recognizes you as well as protects you..

i think if we're at the point of using password managers in order to enter 4 passwords at a site (as in- the security questions are simply a means to get a user to enter more digits than they've done so in the normal password entry box.. it's meant to be a user friendly method for an added layer of security).. then something else is broken in the setup other than password strength and whatnot.. the real solution lies beyond that realm.
 
I'm a computer science student with an understanding of relational databases, cryptography, and forum software code including vBulletin. I have administered, maintained, and modified forums and blog software before (admittedly on a far smaller scale, 20-30 users as I recall), and I understand what would be involved in the PHP and database modifications.

I've been working with cryptography probably before you were born (since you're a student currently) and am still in that field of profession and could elaborate on details of publicly known encryption and those of which you never heard of on the mathematics level, so I'm very aware of the inner workings of MD5, not just the tools used to implement or exploit them.

If some of the previous posts were to be assumed true where the malicious user was looking to pay someone to undo the hashes, it reveals that he's either unable to do it (due to a lack of assets/resources) or he doesn't know how. Even our facility doesn't compare to what we outsource in Canada, Japan, India, etc. so while we could do it, there are other better equipped facilities that can do it in significantly less time.

vBulletin doesn't offer a choice of hashing algorithms.
That's correct, it doesn't. vB wasn't designed to be the last word on secure forum access and participation, for that it makes better sense to simply create something proprietary then implement your choice of security controls along with it, however even with that comes unique challenges. The point being, discussing the merits and/or issues with vB is pointless here, it'd make more sense to take that discussion to the vB forums.

Not quite true. This same discussion of vBulletin's poor choice in hashing algorithm was also discussed during the Ubuntu forum breach. I'm also a member of those forums and I saw and participated in those hashing discussions.
It is absolutely true. There isn't a single post about hashing issues on MR's prior to the security breach. All hashing comments here (on MR's) are post-compromise.

I wasn't suggesting that hashing had anything to do with the vulnerability exploited to gain access. I am aware that the breach stemmed from elevated privileges on a moderator account with a weak password. The problem is that once a database dump has been obtained by an attacker, poorly hashed and/or unsalted (in vBulletin's case, they're salted) passwords are more vulnerable to being uncovered using hashcat + password lists + rule sets. And if a database (not the MR database, I'm speaking generally) contains cleartext passwords, forget it. All accounts would be immediately vulnerable with no time for users to change their passwords.

I'm not challenging the issue on the ease (or difficulty) of compromising any form of encryption, as it's irrelevant towards the cause of the breach. In MR's case, hash compromise is/are the hazards associated after the actual cause, not the other way around. It would be like focusing your full attention on why the inside of a home was filled with flammable materials after an unauthorized person was able to gain access through a broken door and lit a fire.

Look at how your home is secured, there's usually not much more than a lock or two before gaining access to your home. So does that mean everyone out there should look into having their homes upgraded to bank vault level security, no it doesn't. There's a decision point where we need to determine what's sufficient for a particular situation. Being specific to the recent events, if MR's changed their policies about login/pass requirements for those with elevated access, would that be sufficient? I'd argue that it would be sufficient because if that's been the only vector of exploitation, whether MR's uses MD5, SHA1, SHA512, etc. would be close to meaningless. The hashing is there "in case" of unauthorized access.

To be clear, I'd retract my statements if MR's had a number of experiences with unauthorized access through elevated account exploitation regardless of what they did to strengthen the user/pass credentials.
 
I've been working with cryptography probably before you were born (since you're a student currently) and am still in that field of profession and could elaborate on details of publicly known encryption and those of which you never heard of on the mathematics level, so I'm very aware of the inner workings of MD5, not just the tools used to implement or exploit them.

I'm 27 (interest in computers began in '95 or '96) and have studied the inner working mathematics of some hashing algorithms and cryptographic ciphers. To be clear, I didn't bring that up to see who was more qualified than who, but because you were saying things like, "It's easy for a user to say what MR's should be doing and such..." and especially "This isn't like updating an app from the App Store." I'm assuming you meant from the downloader's perspective rather than the app developer's, so I was trying to show that I wasn't some typical end user with little to no knowledge of computer security or forum administration. That's all. Still, goal accomplished. We're both clear on where we're coming from now.

Given your background, what I still don't understand is why you said earlier that it wouldn't even bother you if MR stored the passwords in plaintext. Even though neither of us reuse passwords, forum software like vBulletin gets exploited all the time and new vulnerabilities are frequently found. We also see database breaches happening all the time with a variety of web sites. Therefore forum software developers should assume that breaches will happen and take measures to protect user data in the event that an attacker has offline access to a database dump. That means salted passwords hashed with something like bcrypt or scrypt (not "MD5, SHA1, SHA512, etc."). If passwords were in cleartext then all accounts would be immediately compromised. I don't understand why someone with your background would say they wouldn't care if passwords were stored in plain text. Even with a unique password isn't it a lot better to not have any of your accounts compromised, and to have time to change your password before someone can gain access?

Slinkwyde said:
vBulletin doesn't offer a choice of hashing algorithms.
Hyper-X said:
That's correct, it doesn't. vB wasn't designed to be the last word on secure forum access and participation [...]
To clarify, I wasn't complaining about vBulletin's lack of choice in hashing algorithms. I said that because you said, "If the point you're trying to make is to simply use the best method of password protection vB has to offer," which implies that vBulletin has multiple methods of password protection to choose from.

The point being, discussing the merits and/or issues with vB is pointless here, it'd make more sense to take that discussion to the vB forums.
True enough. I came to this thread to specifically make this post, but have since stuck around and responded to the ongoing discussion here.

It is absolutely true. There isn't a single post about hashing issues on MR's prior to the security breach. All hashing comments here (on MR's) are post-compromise.

I rarely visit MacRumors, so I was talking about the bigger picture. When the Ubuntu forums were breached, there was discussion in the Ubuntu subreddit, the Ubuntu forums, and on blogs about vBulletin's use of MD5. Despite all that, vBulletin's developers apparently did nothing. Maybe they'll do something this time now that the vBulletin forums have been breached.
 
Given your background, what I still don't understand is why you said earlier that it wouldn't even bother you if MR stored the passwords in plaintext. Even though neither of us reuse passwords, forum software like vBulletin gets exploited all the time and new vulnerabilities are frequently found. We also see database breaches happening all the time with a variety of web sites. Therefore forum software developers should assume that breaches will happen and take measures to protect user data in the event that an attacker has offline access to a database dump. That means salted passwords hashed with something like bcrypt or scrypt (not "MD5, SHA1, SHA512, etc.").

The reality is if you're willing to go outside the norm, you can implement any form of security method as long as you're willing to build the infrastructure from scratch. The obvious questions would be "why", "how much ___", and "who's going to support it", etc.

A careful analysis of the method of exploitation would be the best first step towards understanding how to protect yourself from it. "If" MR's had a long history of being exploited, then I agree that additional security would be beneficial.

I don't understand why someone with your background would say they wouldn't care if passwords were stored in plain text. Even with a unique password isn't it a lot better to not have any of your accounts compromised, and to have time to change your password before someone can gain access?

It's because when it comes to all forms of security, some degree of risk analysis/assessment has to be performed, whether it's a formal process (structured and detailed) or informal (in your head). My risk analysis of a compromise of someone getting a hold of my MR login info would result in nothing more than someone able to impersonate me on the forums. Having access to my bank account info and MR's login are on opposite ends in terms of the hazard potential for each compromise.

If MR login/pw is unique, email address not used for anything other than MR's with password different from the MR's login/pw, the residual risk towards the user is very low. A compromise with the user login doesn't compromise the email. Improving upon the hashing method (for example) would benefit very little to someone like this.

If the MR pw is shared with the registration email, the risk is much higher since changing the MR pw is still compromised through access to the email account.

If the MR login/pw is shared across other sites/services, the level of risk to the user depends on what those sites/services are. This is the most undesirable situation and the risk level is often very high.

Improving upon the hashing method would clearly indicate that it benefits those who are the careless type, who re-use login credentials elsewhere to perhaps include their email they used upon registration. It hardly benefits someone who already exercises good, secure habits.

To clarify, I wasn't complaining about vBulletin's lack of choice in hashing algorithms. I said that because you said, "If the point you're trying to make is to simply use the best method of password protection vB has to offer," which implies that vBulletin has multiple methods of password protection to choose from.

Fair enough. It seems we both didn't understand each other clearly.
 