Geek Culture / eBay hacked - change your password now

Author
Message
Seditious
10
Years of Service
User Offline
Joined: 2nd Aug 2013
Location: France
Airslide
19
Years of Service
User Offline
Joined: 18th Oct 2004
Location: California
Posted: 22nd May 2014 07:54
Just the latest in a long list eh?
nonZero
12
Years of Service
User Offline
Joined: 10th Jul 2011
Location: Dark Empire HQ, Otherworld, Silent Hill
Posted: 22nd May 2014 09:43
I think no one made a fuss because we're becoming anesthetised to it because it happens so often. Pretty much like everything else we no longer react to.

"Oh nonZero, let me tell you, I love you." -- Dark Java Dude 64, Vice-Kapitan of nASA(nonZero's Awesomeness-Spreading Association)
Van B
Moderator
21
Years of Service
User Offline
Joined: 8th Oct 2002
Location: Sunnyvale
Posted: 22nd May 2014 12:55
I'm amazed that these companies still store passwords... I mean there are ways to encode data so that it's not necessary to store the password in a raw state.

Like, take the username, and the password, and use the password as a key to encrypt the username. Then, store the results of that rather than the password. It means there's probably several possible passwords that will work, but they will only be found through brute force.
I use this very system in a purchase requisition approval system at work. Storing our passwords in some sorta SQL database is a joke, don't programmers think outside of the box these days?
I wonder if that's what happens when companies out-source their security systems, they get exactly what they ask for, which as anyone who has ever written bespoke software will tell you is never enough.

I am the one who knocks...
BatVink
Moderator
21
Years of Service
User Offline
Joined: 4th Apr 2003
Location: Gods own County, UK
Posted: 22nd May 2014 15:33
Or simply store only the encrypted version of the password. You don't need to save any password at all, if somebody forgets it then they have to create a new one.

bitJericho
21
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 23rd May 2014 05:56 Edited at: 23rd May 2014 05:58
Quote: "hackers broke into a database containing encrypted passwords, names, email and home addresses, phone numbers and dates of birth."


Yeah just because it's encrypted doesn't mean it's secure. A simple algorithm where the password is encrypted based on some other account detail is extremely easy to figure out and crack. If they have access to the database they could easily have access to the encryption keys. Still, one would hope they are stored outside of the database.

Passwords are limited in length. For passwords, they are usually one-way hashed but you can simply brute force the majority of them.

BiggAdd
Retired Moderator
19
Years of Service
User Offline
Joined: 6th Aug 2004
Location: != null
Posted: 23rd May 2014 11:46
I always cringe when I tell a website that I've forgotten my password and it sends me it in an email in plain text.

I still can't believe in this day and age people still store passwords like that. It's just bad software design.

nonZero
12
Years of Service
User Offline
Joined: 10th Jul 2011
Location: Dark Empire HQ, Otherworld, Silent Hill
Posted: 23rd May 2014 11:59 Edited at: 23rd May 2014 12:01
How about this: Server should never store the key or login details. Rather the key is derived from the name and pass that could be used either way around with one of three possible algorithms each. The server can run through that quickly if given the correct details but brute force is completely infeasible since it's now costing (usr*3)^(pass*3) where usr and pass are charset^len each and 3 represents the number of possible schema. Would still be quick with the right pass and usr (2(3^3) = 54) but slow with bruting. This is assuming the attacker knows what algorithms are in use.

...Of course these days it's most often the user who endangers their security. Most attacks are trickery or "socially-engineered" these days: fake login pages, apps that have hidden keyloggers, etc.

Edit: Can't believe I had to correct my maths again.

"Oh nonZero, let me tell you, I love you." -- Dark Java Dude 64, Vice-Kapitan of nASA(nonZero's Awesomeness-Spreading Association)
BatVink
Moderator
21
Years of Service
User Offline
Joined: 4th Apr 2003
Location: Gods own County, UK
Posted: 23rd May 2014 15:40 Edited at: 23rd May 2014 15:42
Quote: "I always cringe when I tell a website that I've forgotten my password and it sends me it in an email in plain text."


If you get it in that format then you can't use the same password anywhere else. Anyone with database access can steal the details and probably without trace.

When you create a password it should be encrypted and sent to the data access tier (on another server). When verifying a logon, the business tier should send the entered password, it gets encrypted and if it matches the same encryption string on the database record return success. This way, the password is never stored.

A 9-letter password would take up to 134,217,700,000,000,000 attempts by brute force. The biggest problem is allowing users to have a password like "password123". This allows the hacker to find a definitive password in a large database of password samples much more quickly. If we all had passwords like "Wjyv6R%,0" then every attempt would have to be verified by the server (and the hacking attempt swiftly caught) because it would not be immediately recognisable as a valid decryption. Of course there is then the problem of remembering "Wjyv6R%,0"

Green Gandalf
VIP Member
19
Years of Service
User Offline
Joined: 3rd Jan 2005
Playing: Malevolence:Sword of Ahkranox, Skyrim, Civ6.
Posted: 23rd May 2014 17:12
Quote: "Of course there is then the problem of remembering "Wjyv6R%,0""


I'm having increasing difficulty remembering the passwords I'm forced to create in order to satisfy the increasingly varied rules enforced by websites.



Seditious
10
Years of Service
User Offline
Joined: 2nd Aug 2013
Location: France
Posted: 23rd May 2014 17:50 Edited at: 23rd May 2014 17:50
Quote: "I'm having increasing difficulty remembering the passwords I'm forced to create in order to satisfy the increasingly varied rules enforced by websites. "


Store them in a book by your computer.
Green Gandalf
VIP Member
19
Years of Service
User Offline
Joined: 3rd Jan 2005
Playing: Malevolence:Sword of Ahkranox, Skyrim, Civ6.
Posted: 23rd May 2014 18:43
I never write passwords down. Besides, who wants to carry a book around with them?

And it would have to be a big book given the rate at which these forced password changes happen.



Seditious
10
Years of Service
User Offline
Joined: 2nd Aug 2013
Location: France
Posted: 23rd May 2014 19:24
Coincidentally I just received an e-mail from SourceForge about them changing how their passwords are stored:

"To make sure we're following current best practices for security, we've
made some changes to how we're storing user passwords. As a result, the
next time you go to login to your SourceForge.net account, you will be
prompted to change your password. Once this is done, your password will be
stored more securely. We recommend that you do this at your earliest
convenience by visiting the SourceForge website and logging in."

Quote: "Besides, who wants to carry a book around with them?"


You don't have to, it's just handy to keep a reference somewhere (ie. in your home) in case you completely forget.
bitJericho
21
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 24th May 2014 00:36
Quote: "I always cringe when I tell a website that I've forgotten my password and it sends me it in an email in plain text.

I still can't believe in this day and age people still store passwords like that. It's just bad software design"


That's not necessarily bad design. A hash is only mildly more secure than an encrypted password. If done correctly, it can be *more* secure than a hash. I'd take an ecdsa encrypted password over an md5 hash any day of the week.

Guys, storing your password hashed based on your username is no more secure than storing a password hash. To crack your password the hacker does no extra work, the cracker can easily figure out how a password is put together. Consider that the hacker has a known password in the DB, he can figure out within minutes how your password is hashed in the DB. If he has no known password, then he has to spend a couple more minutes using crazy techniques you'd have to spend days figuring out.

Once a hacker has the database, the game is over.

https://www.usenix.org/legacy/events/usenix99/provos.html

Why hash at all? Why lock your door at all?

Green Gandalf
VIP Member
19
Years of Service
User Offline
Joined: 3rd Jan 2005
Playing: Malevolence:Sword of Ahkranox, Skyrim, Civ6.
Posted: 24th May 2014 13:37
Quote: "Why hash at all? Why lock your door at all?"


Not sure what you mean there.

On a vaguely related side note, when I lived in the London area our house was burgled three times. On each occasion the main loss was the damage done to the doors, windows and locks used to gain entry. In my first few years in my own home I never used to lock the back door (I was always mislaying the key - some things don't change). We were never burgled during that time (as far as I know). It was only when we started locking everything (at the request of insurers) that we experienced burglaries.

Perhaps an unlocked house suggests it might be occupied or that the owner is nearby and therefore it's not safe for a casual burglar to enter. The psychology of "security" is an arcane science in itself.



bitJericho
21
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 24th May 2014 14:57 Edited at: 24th May 2014 14:59
Quote: "Not sure what you mean there."


I mean, once your DB is lost, the game's over. So why encrypt it at all? Just to slow them down a little bit. The best method of doing so isn't some convoluted salting scheme or obscurity system, it's hashing the password 50,000 times using the best known hashing methods so that a single 6 digit password takes ages to unhash.

Quote: "Perhaps an unlocked house suggests it might be occupied or that the owner is nearby and therefore it's not safe for a casual burglar to enter. "


I used to leave my house unlocked and then one day, nothing at all but my Gameboy went missing. I've locked my house ever since!

Green Gandalf
VIP Member
19
Years of Service
User Offline
Joined: 3rd Jan 2005
Playing: Malevolence:Sword of Ahkranox, Skyrim, Civ6.
Posted: 24th May 2014 18:29
Quote: "I used to leave my house unlocked and then one day, nothing at all but my Gameboy went missing. I've locked my house ever since!"


Sounds like a good reason.



Indicium
15
Years of Service
User Offline
Joined: 26th May 2008
Location:
Posted: 24th May 2014 19:13
Quote: "Guys, storing your password hashed based on your username is no more secure than storing a password hash."


I disagree, he has to create new rainbow tables for each user this way.


They see me coding, they hating. http://indi-indicium.blogspot.co.uk/
BiggAdd
Retired Moderator
19
Years of Service
User Offline
Joined: 6th Aug 2004
Location: != null
Posted: 24th May 2014 20:05
Quote: "That's not necessarily bad design. A hash is only mildly more secure than an encrypted password. If done correctly, it can be *more* secure than a hash. I'd take an ecdsa encrypted password over an md5 hash any day of the week.

Guys, storing your password hashed based on your username is no more secure than storing a password hash. To crack your password the hacker does no extra work, the cracker can easily figure out how a password is put together. Consider that the hacker has a known password in the DB, he can figure out within minutes how your password is hashed in the DB. If he has no known password, then he has to spend a couple more minutes using crazy techniques you'd have to spend days figuring out.

Once a hacker has the database, the game is over.

https://www.usenix.org/legacy/events/usenix99/provos.html

Why hash at all? Why lock your door at all?"


I don't really agree with this. For instance, on our servers we don't store our encryption keys anywhere on the database.

I think it's fair to say that if a hacker gained access to your PHP/ASP server then it's game over, but even then there are methods to try and hide your encryption method away where they can't easily find it (for instance, not in your public html folder).

For our system, we use a combination of various parts of the user's information as well as a very large random string of characters. We jumble all that information together and then use a one way encryption. We even one way encrypt parts of the tokens we jumble together.

I would agree just doing something like MD5 isn't enough. You have to be a bit more cunning than that.

bitJericho
21
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 24th May 2014 20:07 Edited at: 24th May 2014 20:09
You'd use a random string, not a username. A username is not going to be randomized enough, secure enough, etc.

https://crackstation.net/hashing-security.htm#salt

BiggAdd
Retired Moderator
19
Years of Service
User Offline
Joined: 6th Aug 2004
Location: != null
Posted: 24th May 2014 20:16
I just said that! You silly goose.

Quote: "For our system, we use a combination of various parts of the user's information as well as a very large random string of characters."


bitJericho
21
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 24th May 2014 20:16 Edited at: 24th May 2014 20:18
Quote: "For our system, we use a combination of various parts of the user's information as well as a very large random string of characters. We jumble all that information together and then use a one way encryption. We even one way encrypt parts of the tokens we jumble together."


I'd very possibly have access to all of that if I gained access to your database. If you're not randomizing the salt for every user and rehashing the same value a few thousand times your efforts are being wasted.

Quote: "I just said that! You silly goose."


Yeah but you didn't specify if it was random for every user or not!

BiggAdd
Retired Moderator
19
Years of Service
User Offline
Joined: 6th Aug 2004
Location: != null
Posted: 24th May 2014 20:22 Edited at: 24th May 2014 20:26
We don't have to have a random salt for each user, as we combine the salt with information that is unique to the user and some additional data, so no two passwords hashes are ever the same.

Also our salt isn't stored in the database, with the user record. It's tucked away behind a lot of locked doors (including the specific algorithm we use). You won't find it in our public html.

easter bunny
11
Years of Service
User Offline
Joined: 20th Nov 2012
Playing: Dota 2
Posted: 26th May 2014 08:42
Just a quick tip on choosing passwords for random sites.
Decide a base password (something random like foob4r!2# would do), and for each site, modify it in a certain way according to the Domain Name. i.e. for sourceforge, you might have foob4rsf!2#, for FaceBook, you'd have foob4rfb!2# etc.
Then nobody will be able to guess your password except you.
I don't recommend you use this for your more important passwords, but for any old site which you need to sign up for, this'll do.


Audacia Games - Latest WIP - AUTOMAYTE 2.1, AppGameKit one click deploy to Android
"When you've finished 90% of your game, you only have 90% left"
Van B
Moderator
21
Years of Service
User Offline
Joined: 8th Oct 2002
Location: Sunnyvale
Posted: 26th May 2014 12:51
Sometimes it's best to err on the side of caution?...

Like, an internal system - I wouldn't 100% rely on any database systems built in encryption, I'd make my own system. Surely the toughest system to crack is one that is obfuscated and rare, one that does unusual and unexpected things, because it's not a copy of or based on an existing encryption system.
The purchase requisition system at work for example, I wouldn't want a manager's password to be recoverable, and it would be if I used the built in encryption. Now the password field is actually just a number, and that number is generated from the username and password. I have thrown down the gauntlet here before, asking people to try and crack it, but nobody did, so I'm happy.

On a darker note - lock your damn doors people.

I left my front door unlocked one night by accident, and was awoken to 2 chavs beating the crap out of me. Lock those doors, you don't know what people get up to while you sleep. People will try doors to see if they are locked or not, don't make it easy for them... hell, how easy would it be to find your car keys, or your iPad, or your mobile phone?
How would you explain your unlocked door to the insurance company and police?

I am the one who knocks...
TheComet
16
Years of Service
User Offline
Joined: 18th Oct 2007
Location: I`m under ur bridge eating ur goatz.
Posted: 26th May 2014 15:49
Why are we talking about MD5? That's a terrible choice for security because it's low cost to compute. No website should have MD5 implemented for hashing sensitive data, even if it's salted.

Quote: "it's hashing the password 50,000 times using the best known hashing methods so that a single 6 digit password takes ages to unhash."


You can't just "unhash" a hashed password. If it's salted, rainbow tables and other forms of reverse look-ups are completely useless. And even if the hacker figures out what one of the passwords was (through brute force), you can't predict a cryptographic RNG.

In other words, if the service is implemented correctly, there's no way you can break in.

Your mod has been erased by a signature
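The storage scheme the last few posts converge on (bitJericho's random per-user salt and many rounds of hashing, BiggAdd's secret kept away from the database, and TheComet's point that a cheap hash such as MD5 is the wrong tool even when salted), as an added example that is not code from this thread or from any poster's system. Python's standard-library PBKDF2-HMAC-SHA256 stands in for "the best known hashing methods"; the iteration count, salt size, record format and the pepper value are assumptions. The cheap unsalted hash is included only to show the property the thread argues against: identical passwords producing identical stored values.

```python
import base64
import hashlib
import hmac
import os

# Constructed example, not code from this thread or from any poster's system.
# Stores a password as PBKDF2-HMAC-SHA256 over a per-user random salt with a
# high iteration count, optionally bound to a server-side secret ("pepper")
# that lives outside the database. Parameter values are assumptions.
ITERATIONS = 200_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per stored record
SCHEME = "pbkdf2_sha256"


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the password to the out-of-database secret, if one is configured.

    Without the pepper a stolen database alone is enough to start guessing;
    with it, the attacker also needs the application server's secret."""
    pw = password.encode("utf-8")
    if not pepper:
        return pw
    return hmac.new(pepper, pw, "sha256").digest()


def hash_password(password: str, pepper: bytes = b"",
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest.

    A fresh random salt is drawn on every call, so two users with the same
    password (or one user re-registering) never share a stored value."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper),
                                 salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str, pepper: bytes = b"") -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time. Malformed or unknown records verify as False."""
    try:
        scheme, iter_text, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iter_text)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:          # wrong field count, bad int, bad base64
        return False
    if scheme != SCHEME or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


def fast_unsalted_hash(password: str) -> str:
    """The shape the thread argues against: one cheap, unsalted hash (MD5 has
    the same property). Identical passwords give identical outputs, so one
    precomputed table or one cracked entry covers every user who chose it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pepper = b"server-side-secret-not-in-db"   # constructed placeholder value
    record = hash_password("correct horse", pepper)
    print(record)
    print(verify_password("correct horse", record, pepper))   # True
    print(verify_password("wrong guess", record, pepper))     # False
    a, b = hash_password("password123"), hash_password("password123")
    print(a != b)                                             # True: random salt
    print(fast_unsalted_hash("password123") == fast_unsalted_hash("password123"))  # True
```

The record carries its own scheme and iteration count, so the work factor can be raised for new registrations without breaking verification of older rows, and comparison uses `hmac.compare_digest` so a mismatch takes the same time wherever the first differing byte is. Verification runs only on the server, which is the arrangement BatVink describes earlier in the thread: the submitted password is hashed and compared, and the password itself is never written anywhere.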
nonZero
12
Years of Service
User Offline
Joined: 10th Jul 2011
Location: Dark Empire HQ, Otherworld, Silent Hill
Posted: 26th May 2014 19:49 Edited at: 26th May 2014 19:50
Quote: "hell, how easy would it be to find your car keys, or your iPad, or your mobile phone?"

My mom bought a 2nd-hand cellphone some years back. She had it less than a week and some **** stuck their hand through her window and nicked it off her bedside table while she was sleeping (In RSA we have hot summer nights, especially in modern places with low ceilings). So yes, I agree, always lock your doors and get an AC or a fan if you live in a hot country. Nothing's safe from criminals these days. They even steal bedding from the state hospitals.
Btw, sorry to hear you got attacked, Van, must've been horrible.

"Oh nonZero, let me tell you, I love you." -- Dark Java Dude 64, Vice-Kapitan of nASA(nonZero's Awesomeness-Spreading Association)
Wolf
16
Years of Service
User Offline
Joined: 8th Nov 2007
Location: Luxemburg
Posted: 27th May 2014 02:32
Quote: "I left my front door unlocked one night by accident, and was awoken to 2 chavs beating the crap out of me."


A night to remember. Care to give us some more details on this?

Quote: "Nothing's safe from criminals these days"


To what time are people referring when they say "these days"... what days were better. The 60's, 70's? Definitely not the 40's or anything in the past centuries... ah! wait... Nobody cares about my musing on this.



-Wolf

"When I contradict myself, I am telling the truth"
"absurdity has become necessity"
Quik
15
Years of Service
User Offline
Joined: 3rd Jul 2008
Location: Equestria!
Posted: 27th May 2014 18:02
"these days" in that case is indeed quite silly - since nothing's ever been safe from criminals



Whose eyes are those eyes?
BiggAdd
Retired Moderator
19
Years of Service
User Offline
Joined: 6th Aug 2004
Location: != null
Posted: 27th May 2014 18:36


Van B
Moderator
21
Years of Service
User Offline
Joined: 8th Oct 2002
Location: Sunnyvale
Posted: 29th May 2014 10:09
The 'home invasion' incident was 2 idiots looking for someone who'd stolen something from their aunt, and because my door was unlocked they assumed it must be me - because thieves tend to leave their door unlocked (must have irony insurance or something).
Luckily I live with my brother, or it would have ended much worse I'm sure. I know people who have had far worse 'home invasions', I got off pretty lightly with just a burst lip and nose.

I am the one who knocks...
Seditious
10
Years of Service
User Offline
Joined: 2nd Aug 2013
Location: France
Posted: 31st May 2014 14:08
Quote: "The 'home invasion' incident was 2 idiots looking for someone who'd stolen something from their aunt, and because my door was unlocked they assumed it must be me - because thieves tend to leave their door unlocked (must have irony insurance or something)."


That's terrible. I hope they were brought to justice.

Your signature has been erased by a mod
Chris Tate
DBPro Master
15
Years of Service
User Offline
Joined: 29th Aug 2008
Location: London, England
Posted: 31st May 2014 17:09
Quote: "The 'home invasion' incident was 2 idiots looking for someone who'd stolen something from their aunt, and because my door was unlocked they assumed it must be me - because thieves tend to leave their door unlocked (must have irony insurance or something).
Luckily I live with my brother, or it would have ended much worse I'm sure. I know people who have had far worse 'home invasions', I got off pretty lightly with just a burst lip and nose."


If that happened to me I would probably be dead; although I do sleep next to my hidden baseball bat; I have never played baseball in my life.

BatVink
Moderator
21
Years of Service
User Offline
Joined: 4th Apr 2003
Location: Gods own County, UK
Posted: 31st May 2014 17:58
I once headed down the stairs in the middle of the night with the loft hatch pole in hand, ready to confront whoever was looting through my dining room. One of the most frightening experiences of my life, and I came head to head with the intruder.

It was a cat.
I don't own a cat, it had come in during the day and got locked in, then started to panic.

Dark Java Dude 64
Community Leader
13
Years of Service
User Offline
Joined: 21st Sep 2010
Location: Neither here nor there nor anywhere
Posted: 31st May 2014 19:29
Quote: "then started to panic."
Lol, considering how crazy cats go when they panic, I'm sure it was creating a myriad of disheartening noises before you approached...

Green Gandalf
VIP Member
19
Years of Service
User Offline
Joined: 3rd Jan 2005
Playing: Malevolence:Sword of Ahkranox, Skyrim, Civ6.
Posted: 1st Jun 2014 00:33
Quote: "then started to panic"


Who? You or the cat?



nonZero
12
Years of Service
User Offline
Joined: 10th Jul 2011
Location: Dark Empire HQ, Otherworld, Silent Hill
Posted: 4th Jun 2014 21:23
Quote: "To what time are people referring when they say "these days"... what days were better. The 60's, 70's? Definitely not the 40's or anything in the past centuries... ah! wait... Nobody cares about my musing on this."


Quote: ""these days" in that case is indeed quite silly - since nothing's ever been safe from criminals"


Indeed! nonZero is such an idiot some times. Honestly, comparing the view he had of the world as a child (good, clean) to now (bad, filthy)! Although, to be fair, despite spending his teen years in a rough neighbourhood, he never once experienced such a brazen act as sticking one's hand through another's bedroom window while that person was in the room... I guess that's how he felt at the time of posting. It does not make sense. Then again, when does nonZero ever make sense.

Cheers,
Zero
