
Change your passwords on other websites | An update on the Boards.ie Data Incident.

  • 23-04-2010 9:02am
    #1
    Closed Accounts Posts: 4,241 ✭✭✭


    Hi all,

    We'd like to remind all readers and members of Boards.ie to change their passwords on their other online accounts if they haven't already.

    For those who aren't aware, in January 2010 our database was attacked by a source external to Ireland and the part that contains member details was accessed. You can read a fuller report on this here: http://www.boards.ie/vbulletin/showthread.php?t=2055806686

    We once again would like to remind you that it is very important to check your other accounts online. We have already reset the passwords on all Boards.ie member accounts.

    Please note, we do not have any access to or note of your previous password - we can't tell you what that was unfortunately!


    If you used the same email address and password on any other website - Facebook, Bebo, Paypal, Google, gambling sites or any other online service - as you did on Boards.ie, please change that password.



    We are, of course, very sorry for the inconvenience this may cause people but it's better than having your personal data in the hands of people who might want to use it for their own gain.

    It's very good practice to have different passwords for different services. We understand that this may not be easy but your data is valuable and that's why we have worked hard to prevent anything like this happening with Boards.ie in the future.

    We'd like you to know:
    • The information accessed in the attack had no bank account/credit card details nor any postal address details.
    • It included your Boards.ie member account number, username, password, email address, IP address, last activity time, last post time and, if you had filled them in on your Boards.ie profile, details such as your birthdate, ICQ address, Yahoo ID etc.
    • We feel it safer to advise you to change your passwords though, to ensure people cannot access any of your other accounts where personal or financial data may be stored.
    • If you have already changed your Boards.ie password since January 21, 2010, you will not need to do anything about your membership here.
    • If you need to change your Boards.ie password, you can do so at http://www.boards.ie/changepassword
    • If you no longer have access to the email address you used to register with Boards.ie, please see this thread: http://www.boards.ie/vbulletin/showthread.php?t=2055811075
    • You can post any questions or feedback below or contact us at hello@boards.ie and we will endeavour to get back to you as soon as possible.
    Thanks for your continued support - your patience, help and understanding over the last 3 months have made the job a lot easier :)

    Darragh on behalf of the Boards.ie team.



Comments

  • Registered Users Posts: 207 ✭✭hobbit stomper


    Are the Passwords saved with MD5, SHA1 or SHA1 + Salt?

    EDIT:
    Let me rephrase, back in January, what hash was used to save the password in the SQL Database? And what hash are you using now?


  • Registered Users Posts: 68 ✭✭LINGsCARS


    Were the passwords not encrypted? Storing plain text passwords is a massive breach of security and very bad practice.

    Can someone clarify?

    Ling


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    Are the Passwords saved with MD5, SHA1 or SHA1 + Salt?

    The method used is the standard vBulletin one:

    MD5($salt . MD5($password));

    The salt is in the same table as the hash though.
    LINGsCARS wrote: »
    Were the passwords not encrypted? Storing plain text passwords is a massive breach of security and very bad practice

    We do not and did not store plaintext passwords.


  • Registered Users Posts: 68 ✭✭LINGsCARS


    Thanks for the clarification.

    Think it would have been better to explain that in the original notification email.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    LINGsCARS wrote: »
    Thanks for the clarification.

    Think it would have been better to explain that in the original notification email.

    TBH, it's only really of interest (and understandable) by a very small proportion of our users. Explaining those kinds of things in a general e-mail is usually a bad idea as it introduces more confusion than is necessary.


  • Registered Users Posts: 207 ✭✭hobbit stomper


    Conor wrote: »
    The method used is the standard vBulletin one:

    MD5($salt . MD5($password));

    The salt is in the same table as the hash though.

    Cool at least something. Even if the salt is in the same table, it's still as good as impossible to read the password via rainbow tables.

    MD5 alone is almost useless nowadays thanks to all the rainbow tables. I actually had a 12-digit alphanumeric password and I was shocked to find the hash on one of the rainbow table websites.

    Well, unless your password is 123456 it's almost impossible for the hacker to actually get to your password. So it's not that big of a deal. :)

    Next step: SHA1($salt . SHA1($password)); + separate table for salt.


  • Closed Accounts Posts: 35 woman


    I would like to do what you suggest and change the passwords on other sites, but my problem is I don't remember what password I had on boards.ie, I was permanently logged on and didn't write it down anywhere. Is there any way you could tell me what my original password was? thanks


  • Registered Users Posts: 207 ✭✭hobbit stomper


    woman wrote: »
    I would like to do what you suggest and change the passwords on other sites, but my problem is I don't remember what password I had on boards.ie, I was permanently logged on and didn't write it down anywhere. Is there any way you could tell me what my original password was? thanks

    There is no way to tell you the original password since everything is hashed. Just use the lost password option and enter your E-Mail address. After verifying your E-Mail address a new password will be sent to you.


  • Registered Users Posts: 68 ✭✭LINGsCARS


    Conor,

    But what you are now doing to avoid "confusion" is putting the fear of God into people like "woman" and giving advice on what people should do with their other passwords (on dozens of other sites), that, frankly is nothing to do with boards.ie.

    You are giving advice that everyone should have different passwords on every site, yet you don't think to explain the risk of the passwords here being decoded (very tiny I think).

    Woman actually makes a good point - if she doesn't know the password that is at a tiny risk of being compromised, how does she know which ones to change? Ah, so your advice is to change EVERY password she has? That is not really practical.

    In fact, it seems from your answer that the risk of anyone finding the passwords from the stolen database is very low (if not virtually nil).

    What you have done by avoiding "confusion" and not explaining the encryption... is removed the context of the stolen passwords making it hard for anyone to make a value judgement. Everyone will probably react to your notice and presume their password is out there for the world to see. Really, that is quite unlikely given your answer.

    You are giving partial advice. Nit.

    Ling


  • Closed Accounts Posts: 4,241 ✭✭✭Darragh


    LINGsCARS wrote: »
    Conor,

    But what you are now doing to avoid "confusion" is putting the fear of God into people like "woman" and giving advice on what people should do with their other passwords (on dozens of other sites), that, frankly is nothing to do with boards.ie.

    You are giving advice that everyone should have different passwords on every site, yet you don't think to explain the risk of the passwords here being decoded (very tiny I think).

    Woman actually makes a good point - if she doesn't know the password that is at a tiny risk of being compromised, how does she know which ones to change? Ah, so your advice is to change EVERY password she has? That is not really practical.

    In fact, it seems from your answer that the risk of anyone finding the passwords from the stolen database is very low (if not virtually nil).

    What you have done by avoiding "confusion" and not explaining the encryption... is removed the context of the stolen passwords making it hard for anyone to make a value judgement. Everyone will probably react to your notice and presume their password is out there for the world to see. Really, that is quite unlikely given your answer.

    You are giving partial advice. Nit.

    Ling

    Hi there

    We have been working with the Computer Crime Unit of the Gardaí continuously since the incident and it is primarily on their advice that we are suggesting members change their passwords.

    Plus it's very good practice to have different passwords for different accounts.

    Thanks

    Darragh


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    Cool at least something. Even if the salt is in the same table, it's still as good as impossible to read the password via rainbow tables.

    MD5 alone is almost useless nowadays thanks to all the rainbow tables. I actually had a 12-digit alphanumeric password and I was shocked to find the hash on one of the rainbow table websites.

    Well, unless your password is 123456 it's almost impossible for the hacker to actually get to your password. So it's not that big of a deal. :)

    Next step: SHA1($salt . SHA1($password)); + separate table for salt.

    Password cracking is fast enough these days that moving to SHA-1 will not give us enough of a boost to make it worth our while moving. I would consider moving to a bcrypt-based hashing scheme if I could turn up the work factor without having negative knock-on effects in the amount of CPU required.

    Moving the salt to a different table won't really win us much, since anyone with access to the table that the password is in will have access to the one with the salt in it.

    I would not rely on the salting to protect the password. It makes it harder to crack, not impossible. If your password is very, very strong it might not be worth cracking but most people have weak passwords which will be trivially crackable.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    LINGsCARS wrote: »
    yet you don't think to explain the risk of the passwords here being decoded (very tiny I think).

    The risk of passwords being decoded is not tiny. The only safe course of action is to presume that they have been.


  • Closed Accounts Posts: 22,565 ✭✭✭✭Tallon


    Conor wrote: »
    The salt is in the same table as the hash though.

    Making 'special' brownies, are we?


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    Tallon wrote: »
    Making 'special' brownies, are we?

    If I was thinking about a hash, I'd be much better off with hash rather than hash. :)


  • Registered Users Posts: 207 ✭✭hobbit stomper


    No doubt about it, I would always suggest changing the password after an incident like this. But the original message sounds like the hacker has the password, just like that, giving the impression that the passwords were stored in plain text, which just leads to a poor reputation for boards.ie security.

    Should the hacker actually focus on getting a password of one user, it still takes him days/weeks/months to crack it... depending on the salt and the password, and that would just be one user.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    No doubt about it, I would always suggest changing the password after an incident like this. But the original message sounds like the hacker has the password, just like that, giving the impression that the passwords were stored in plain text, which just leads to a poor reputation for boards.ie security.

    Should the hacker actually focus on getting a password of one user, it still takes him days/weeks/months to crack it... depending on the salt and the password, and that would just be one user.

    The time to crack is much less than "days/weeks/months" per password. MD5 is fast.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    And thats before we consider that many users will be using easy to guess passwords.


  • Registered Users Posts: 207 ✭✭hobbit stomper


    Conor wrote: »
    The time to crack is much less than "days/weeks/months" per password. MD5 is fast.

    Well it's the salt that makes a difference.

    About a year ago I tried cracking this MD5 salted hash:

    MD5 Hash: 67440a4fc2736f883108ae1c69dab0606222e0cb

    Password: admin
    Salt: F{gR[;1txF,Q;,2qyy£0.yHP(PVT@zeg$%IR?ZKc

    As you can see it's a VERY easy Password, but very complex salt. After scanning it through the biggest rainbow tables out there with zero luck and running an MD5 hash program for almost 3 weeks on my Intel Core 2 Duo 2.8GHz and creating a database almost 4GB big, it still couldn't find it.

    Maybe now using Graphics card processors and Public Rainbow tables with the size of 130GB it's possible to crack it in a short time.


  • Closed Accounts Posts: 88,978 ✭✭✭✭mike65


    Don't use Penis as its not long enough....


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Maybe now using Graphics card processors and Public Rainbow tables with the size of 130GB it's possible to crack it in a short time.
    And botnets. Anyone with a few hundred machines at their disposal can sift through a ****load of data in very short order.


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    Well it's the salt that makes a difference.

    Yep, and the default size of the vBulletin salt for many years was 3 characters. :(

    Still, if you have the salt, you don't need to guess it. That makes things a lot easier.


  • Closed Accounts Posts: 4,241 ✭✭✭Darragh


    No doubt about it, I would always suggest changing the password after an incident like this. But the original message sounds like the hacker has the password, just like that, giving the impression that the passwords were stored in plain text, which just leads to a poor reputation for boards.ie security.

    Should the hacker actually focus on getting a password of one user, it still takes him days/weeks/months to crack it... depending on the salt and the password, and that would just be one user.

    Can I just repeat, we were advised by the Computer Crime Unit to advise members to change their passwords?

    Thanks

    Darragh


  • Moderators, Education Moderators, Home & Garden Moderators Posts: 8,171 Mod ✭✭✭✭Jonathan


    Conor wrote: »
    Yep, and the default size of the vBulletin salt for many years was 3 characters. :(

    Still, if you have the salt, you don't need to guess it. That makes things a lot easier.
    1) What size salt was used in the stolen data? Was it increased before or after the attack?

    2) What passwords and IP addresses were stolen? Only the most recent, or were previously used ones stored too?


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    Jonathan wrote: »
    1) What size salt was used in the stolen data?

    3 characters, randomly chosen from a 93 character alphabet. Different for each user.
    Jonathan wrote: »
    Was it increased before or after the attack?

    It was increased in Jelsoft's update of vBulletin to 3.8.5 which arrived after the attack. Increasing the size of the salt is a fig leaf though, anyone with access to the hash has access to the salt (and there isn't a whole lot we can do about that). All it does is double the number of MD5 calls when cracking the password.
    Jonathan wrote: »
    2) What passwords and IP addresses were stolen? Only the most recent, or were previously used ones stored too?

    The most recent password, hashed. [md5(md5($password) . $salt)]

    The IP used at registration.
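
    The two points Conor makes above, that a known salt only doubles the MD5 work per guess however long it is, and that only a work-factor scheme such as bcrypt would slow a cracker down, can be seen directly in code. The following is an added example, not code from boards.ie or from vBulletin. It reproduces the scheme quoted in the thread, md5(md5(password) . salt) with a 3-character per-user salt, runs an offline dictionary attack against a constructed table dump with the salts in hand, and contrasts the per-guess cost with a slow hash. Assumptions: the salt alphabet is taken as printable ASCII without the space trimmed to 93 characters (the page gives the size but not the exact set); PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which Python does not ship; the wordlist, usernames and passwords are constructed sample data.

```python
"""vBulletin-style MD5 hashes: why a leaked salt barely slows a cracker.

Added example, not boards.ie or vBulletin code. Reproduces the scheme the
thread quotes, md5(md5(password) . salt), cracks a constructed table dump
with the salts known, and shows the cost gap to a work-factor hash.
"""
import hashlib
import secrets
import string
import time

# Assumption: printable ASCII minus the space is 94 characters; one is dropped
# to match the 93-character alphabet stated in the thread. The exact alphabet
# vBulletin drew from is not given on the page.
SALT_ALPHABET = (string.ascii_letters + string.digits + string.punctuation)[:93]


def make_salt(length: int = 3) -> str:
    """Random per-user salt; 3 characters was the vBulletin default for years."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def vb_hash(password: str, salt: str) -> str:
    """The scheme quoted in the thread: md5(md5(password) . salt)."""
    return md5_hex(md5_hex(password) + salt)


def crack_vb(stored: str, salt: str, wordlist):
    """Offline dictionary attack. The salt came out of the same row as the
    hash, so every guess costs exactly two MD5 calls whatever the salt length.
    Returns (password, guesses_tried) or (None, guesses_tried)."""
    for n, guess in enumerate(wordlist, 1):
        if vb_hash(guess, salt) == stored:
            return guess, n
    return None, len(wordlist)


def crack_table(rows, wordlist):
    """Run crack_vb over a dumped user table: list of (username, salt, hash).
    Weak passwords fall; a password outside the wordlist maps to None."""
    return {user: crack_vb(h, salt, wordlist)[0] for user, salt, h in rows}


def slow_hash(password: str, salt: str, iterations: int = 100_000) -> str:
    """Work-factor hash standing in for bcrypt (assumption: PBKDF2-HMAC-SHA256).
    Raising `iterations` multiplies the attacker's cost per guess by the same
    factor; lengthening a known salt adds nothing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                               iterations).hex()


def guesses_per_second(hash_fn, salt: str, seconds: float = 0.2) -> float:
    """Rough single-core throughput of hash_fn on this machine."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        hash_fn("guess%d" % n, salt)
        n += 1
    return n / (time.perf_counter() - t0)


# Constructed sample wordlist (not a real leaked list).
WORDLIST = ["password", "123456", "qwerty", "letmein", "liverpool",
            "ireland1", "admin", "boards", "dublin", "monkey"]

if __name__ == "__main__":
    # Constructed sample users; carol's password is outside the wordlist.
    rows = []
    for user, pw in [("alice", "123456"), ("bob", "liverpool"),
                     ("carol", "K7#vQ!m2pLx9sW")]:
        salt = make_salt()
        rows.append((user, salt, vb_hash(pw, salt)))
    print(crack_table(rows, WORDLIST))
    print("md5(md5()) guesses/s: %.0f" % guesses_per_second(vb_hash, "abc"))
    print("pbkdf2     guesses/s: %.0f" % guesses_per_second(slow_hash, "abc"))
```

    Running it shows alice and bob cracked within ten guesses and carol untouched, and a per-guess throughput for the double-MD5 scheme several orders of magnitude above PBKDF2 even on one core; a GPU or botnet widens that gap further for MD5 but not for a tunable work factor.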


  • Closed Accounts Posts: 1 johnscarff


    Ok so how do I delete my account without having to wait for it to become defunct over time.

    Seeing as I have clearly never used boards.ie and have only jumped on here today because of the security issue email.


  • Closed Accounts Posts: 4,241 ✭✭✭Darragh


    johnscarff wrote: »
    Ok so how do I delete my account without having to wait for it to become defunct over time.

    Seeing as I have clearly never used boards.ie and have only jumped on here today because of the security issue email.

    Hi John

    To have your account closed, please email hello@boards.ie with your request and your username, from the email address you registered with, and allow two working days for this to happen.

    Closing your account means we will scramble your password, remove any email subscriptions or notifications you may receive and turn off your Private Messages.

    You will receive one final confirmation email from us. You can then simply stop logging into your account or posting.

    Your email address plus any profile data that you have left on the system (links to your Facebook profile or twitter account for example) will be kept for a set period of time in accordance with the Data Protection Act - and then removed.

    I hope this helps

    Darragh


  • Closed Accounts Posts: 1 ray@obakk.com


    To throw another question into the mix, does this include past members accounts disabled for various reason by sys admins?

    As in, are they still part of the user list that was "possibly" captured but no longer receive updates from boards.ie as the account itself is disabled?


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    To throw another question into the mix, does this include past members accounts disabled for various reason by sys admins?

    As in, are they still part of the user list that was "possibly" captured but no longer receive updates from boards.ie as the account itself is disabled?

    Yes, and they will be getting the PM anyway.


  • Registered Users Posts: 1,341 ✭✭✭SPDUB


    Darragh wrote: »
    Can I just repeat, we were advised by the Computer Crime Unit to advise members to change their passwords?

    Except that by automatically triggering a password change on day 1 of the incident, you made that advice worthless for people who can't remember what their password was.

    I'm 99% certain I didn't use my password on another website but I can't be certain because of the automatic change


  • Closed Accounts Posts: 2,479 ✭✭✭Conor


    SPDUB wrote: »
    Except that by automatically triggering a password change on day 1 of the incident, you made that advice worthless for people who can't remember what their password was.

    I'm 99% certain I didn't use my password on another website but I can't be certain because of the automatic change

    Even if we didn't change your password we still couldn't help you with that, I'm afraid.


This discussion has been closed.