goddamnit slapped my email into leakedsource.com
https://www.leakedsource.com/
Search completed in: 0.7102 seconds.
Linkedin.com has: 1 result(s) found. This data was hacked on approximately 2012-06-05 00:00:00 What is in this database?
VerticalScope Network (Vbulletin) (939 Websites) has: 1 result(s) found. This data was hacked on approximately 2016-02-01 00:00:00 What is in this database?
Dodonew.com (Chinese) has: 1 result(s) found. This data was hacked on approximately 2012-01-01 00:00:00 What is in this database?
Gawker has: 1 result(s) found. This data was hacked on approximately 2010-12-01 00:00:00 What is in this database?
Anandtech.com has: 1 result(s) found. This data was hacked on approximately 2016-03-15 00:00:00 What is in this database?
Like I said, Anandtech was hacked back in March, and everyone's password was likely taken. No biggie, right? This password grants a hacker access to nothing.
I don't blame them for not knowing it occurred at the time. But the data was unequivocally shown to be public yesterday, and the response since then has been wholly inadequate. They covered it up for almost 24 hours and then posted a forum announcement that was frankly deceptive. They claimed password encryption, which is false by anyone's definition. They claimed that because of the "encryption" no passwords were revealed. They presumably base this on the fact that only the hashes exist in the database, but they knew yesterday that a high percentage of those md5 hashes have already been cracked. I say "high percentage" because of the fact that a large percentage of the mod accounts were proven to be cracked, and since the attackers had no practical way to target specifically mod accounts that can be taken as an approximation of how many of the accounts were cracked.
I'll say it again: your AT email address and password HAVE BEEN CRACKED, so change your password here, and anywhere else that you used that email and password combination.
....You joke, but...Your passwords are stored in a shared text file on DropBox. That's how you can access the forums from many internets.
Guessing it uses MD5 + a salt, but never really played with vB.
Personally anything I code that's web based that uses a login that's usually what I do, there is absolutely zero reason to store plain text passwords. Though I have not coded anything in a while. Now days I'd probably use SHA256 whatever is considered the best after some research. MD5 is still better than nothing though, as it will buy you/your users time to change passwords that have been reused on other sites. Ex: forum gets hacked, you advise your users to immediately change their passwords if they use it on other sites. If you/they act fast enough the hacker may not have finished doing a dictionary/rainbow table etc attack yet.
You want to use SHA-512, unless 1028 is out yet (been a few years, don't know if its usable yet).
You are the second person now that I have seen with that.Interesting, I went to change my password and found that my account email address is pointing to an email address that I've never had.
That's still a fast hash. Pbkdf2 or bcrypt for the win.
The LinkedIn breach was quite public when that occurred, and they even sent emails out to all members about it.
Like I said, Anandtech was hacked back in March, and everyone's password was likely taken. No biggie, right? This password grants a hacker access to nothing.
With iterative hashing, speed doesn't make a difference (iirc PBKDF2 is just iterative hashing/key stretching using an underlying method like SHA-512?). IIRC back when I was researching it several years ago, SHA-512 HMAC was always the best solution for ultimate control and security, if you didn't mind rolling your own iterative hashing / key stretching (both not too difficult to do) -- might have been something related to the output length
Yeah but that's the point. You don't want to write your own key stretching algorithm, or really reinvent the wheel anywhere else in this area. So pbkdf2 or bcrypt.
Sure you do (well, maybe you don't, but you could is my point). It actually is very easy once you understand it (and it doesn't take a lot to understand once you start looking into it, really, it doesn't). Like, just running a function in a loop kind of easy.
That being said, I'll note that I don't suggest someone tries to create their own hashing algorithms (ie: I'm not suggesting to do something like make Markbnj-512 to replace SHA-512). Doing so would be ultra-advanced specialty territory. Just that the additional standards are thing you could implement yourself if you wanted without much difficulty.
It just really depends on the level of customization you want, honestly. Are the existing functions like PBKDF2 sufficient to cover things that you would otherwise have to roll-your-own on? Sure. Is that as much fun or give you as much customization or security that you want? Not to me
oh cool, it's single sign on for the whole interweb
Gawker was pretty big too. That whole database was immediately released on public torrents. Googling my username would show my plaintext password in the Google search results before I even click anything.