Oolite Bulletins

For information and discussion about Oolite.
PostPosted: Sat Jan 08, 2011 12:29 pm 
Grand Admiral Emeritus

Joined: Sat Apr 02, 2005 2:43 pm
Posts: 6657
Location: Sweden
As you may know, the Oolite Bulletin Board was hacked on New Year's Eve. We are now seeing indications that passwords may have been compromised. We strongly recommend that you change your password on the Oolite Bulletin Board. If you use the same password for anything else, especially the e-mail account associated with your BB profile, change the password for that, too.

As a general note, it’s a good idea to use separate passwords for valuable things like your main e-mail account rather than using one password for everything.

To change your password on the Oolite Bulletin Board, log in and go to the Edit Account Settings page. (Alternatively, select User Control Panel from the top right of the page. Under Options on the left hand side, select Profile and then Edit account settings.)

Enter a new password twice where prompted, and your old password below that, then click Submit. The next time you log in, you will need to use your new password.

PostPosted: Sat Jan 08, 2011 12:37 pm 
Above Average

Joined: Thu Oct 15, 2009 3:07 am
Posts: 16
Sorry to be negative, but how do I remove my account? I can't have a risk like this :(

PostPosted: Sat Jan 08, 2011 12:43 pm 
Grand Admiral Emeritus

Joined: Sat Apr 02, 2005 2:43 pm
Posts: 6657
Location: Sweden
There doesn’t appear to be a way to remove your own account. We could do it for you if you really want, but that would leave your posts orphaned; a possibly better solution would be to set your password to something random.

Of course, if you then remember the random password, you’ll be able to use the BB without any risk whatsoever to other accounts. :-)

_________________
E-mail: jens@oolite.org

PostPosted: Sat Jan 08, 2011 3:25 pm 
Intergalactic Spam Assassin

Joined: Thu Dec 14, 2006 9:08 am
Posts: 9520
Location: a Hacker Outpost in a moderately remote area
Thanks for the warning!

I am changing right now (especially on a completely unrelated, but very sensitive site where I used the same password as well).

_________________
The Story — The Career — The OXPs

PostPosted: Sat Jan 08, 2011 3:35 pm 
Above Average

Joined: Thu Oct 15, 2009 3:07 am
Posts: 16
Do we know the extent of the hack? Were E-Mail addresses obtained?

PostPosted: Sat Jan 08, 2011 3:52 pm 
Retired Assassin

Joined: Tue Feb 09, 2010 11:31 am
Posts: 8270
Location: Disunited Kingdom
OK, so I've changed my password. So how great is the danger? Like most people I don't use my 'real' name here, so if some git has got my (old) password they can surely only relate it to my Oolite persona. My email accounts all have unique passwords, so should be safe.
However, as Smivs I do have a wide web presence, and presumably some of these accounts (e.g. Smivs' Slashdot account) might be at risk. Is that right?
None of my sensitive personal accounts (e.g. Bank) are in the name of Smivs and none use the compromised password, so I'm assuming I am quite safe from this angle.
Sorry if this sounds naive, but I've not really been in this situation before.

_________________
Commander Smivs, the friendliest Gourd this side of Riedquat.

PostPosted: Sat Jan 08, 2011 4:45 pm 
Master and Commander

Joined: Thu May 20, 2004 10:46 pm
Posts: 1148
Location: London UK
We don't know if the database was accessed.

We think it may have been accessed because at least one user here has reported that since the attack on the site their webmail has been hacked and that they used the same password to access their webmail as they do to access this site. At the moment I am aware of this only happening to one user.

If the database was accessed, then your usernames, email addresses and an MD5 hash (a fairly complex encryption) of your passwords could have been revealed.

If you don't use the same password at another site, your access there will remain as secure as it ever was. If you use the same password and email address at a different site you are advised to change it. Once you have changed your password there then your access there will be as secure as that site chooses to make it.


FWIW the software this board runs on (phpBB3) is regarded as being very secure, and the MD5 hashes of passwords stored here are regarded as being difficult to crack. That said, you are more at risk if you use a simple password, and particularly a short one. And because other boards and sites may not be as secure, again, please don't reuse your other passwords.

_________________
"The planet Rear is scourged by well-intentioned OXZs."

Oolite models and gear? click here!

PostPosted: Sat Jan 08, 2011 5:15 pm 
Grand Admiral Emeritus

Joined: Sat Apr 02, 2005 2:43 pm
Posts: 6657
Location: Sweden
If you habitually use the same password on different sites, and especially if you use the same password for your e-mail as everything else (since web site accounts tend to have e-mail addresses associated with them), the odds that your password will eventually be compromised are very high.

If they did access the database, they got salted hashes of passwords for 2000ish users. It isn’t possible to convert those hashes back to passwords, but what you can do is hash a lot of test passwords in the same way and see if any of the hashes you saw turn up. Normally this is done starting with a list of common passwords. If your password is “swordfish”, it will be found very quickly. If it’s 50 random letters, it is extremely unlikely that it would ever be found.

Doing this for a mere 2000 accounts doesn’t seem particularly worthwhile, but that doesn’t mean no-one would do it.

_________________
E-mail: jens@oolite.org

PostPosted: Sat Jan 08, 2011 7:17 pm 
Pirate

Joined: Mon Sep 27, 2004 10:21 pm
Posts: 731
Location: Port St. Mary, Isle of Man
Quote:
If the database was accessed, then your usernames, email addresses and an MD5 hash (a fairly complex encryption) of your passwords could have been revealed.
The biggest risk is if you have a password that's in the dictionary. You can crack MD5 passwords by running a simple dictionary attack: compare the MD5 sum of each dictionary word you try with the MD5 sum in the database you saved off.

If your password looks like "alksfIOH(T98&\0fdhf¨*-" it probably won't get compromised. (However, MD5 passwords can be brute forced, but it's probably not worth the cracker's effort when I bet at least 75% of the passwords are crackable by a dictionary attack, and probably a reasonable proportion are things like "password" or "passw0rd" or something similar.)
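The self-audit both of the last two posts describe (re-hash candidate passwords the same way the site does and see whether your own stored hash turns up), as an added example that is not code from the board or its software. The `md5(salt + password)` construction, the salt and the word list are all constructed stand-ins for illustration; they are not phpBB3's real scheme.

```python
import hashlib
import secrets
import string
from typing import Iterable, Optional, Tuple

# Assumed construction for illustration only: md5(salt + password), hex-encoded.
# The thread only says "salted MD5 hashes"; the real phpBB3 scheme differs.
def salted_md5(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()

# Constructed stand-in for the "list of common passwords" a cracker starts with.
COMMON_PASSWORDS = ["123456", "password", "passw0rd", "letmein", "swordfish", "qwerty"]

def audit_against_wordlist(stored_hash: str, salt: bytes,
                           wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Defender's check of one account: hash each candidate with that account's
    own salt, exactly as the site would, and compare. The salt means the work
    has to be redone per account, but does nothing against a short list of
    common words. Returns (matched_word or None, number of guesses tried)."""
    tried = 0
    for candidate in wordlist:
        tried += 1
        if salted_md5(candidate, salt) == stored_hash:
            return candidate, tried
    return None, tried

def random_password(length: int = 50) -> str:
    """The '50 random letters' case from the thread, drawn from a CSPRNG."""
    return "".join(secrets.choice(string.ascii_letters) for _ in range(length))

def expected_guesses_for_random(length: int, alphabet_size: int = 52) -> int:
    """Average guesses to hit a uniformly random password: half the key space."""
    return alphabet_size ** length // 2

if __name__ == "__main__":
    salt = secrets.token_bytes(8)          # constructed per-account salt
    weak = salted_md5("swordfish", salt)
    strong = salted_md5(random_password(), salt)
    print(audit_against_wordlist(weak, salt, COMMON_PASSWORDS))    # found in a few guesses
    print(audit_against_wordlist(strong, salt, COMMON_PASSWORDS))  # (None, 6)
    print(expected_guesses_for_random(50))                          # ~3e85 guesses
```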
