SQL injection vulnerability

Joined
Sep 12, 2010
Messages
11,703
Location
The Netherlands
Pronouns
  1. He - Him
Discord
Lightheart#7487
Mine was only 86 days old. It was way too young to die. I lose. :(
 

Aduiavas Ida

Aes Sedai
Head of the White Ajah
Joined
Jun 10, 2008
Messages
20,134
Age
34
Location
Drøbak, Norway
Pronouns
  1. She - Her
Mine was 1480-something too :look:
 

Kerwin Thaumiel

Maybe a TARDIS
Gaidin
Mason
Joined
Jun 21, 2006
Messages
4,735
Age
40
Location
Sweden
Pronouns
  1. He - Him
Discord
Thaumiel#3071
google and text file :look:
 

Jalen te'Kreg

Gaidin
Joined
Aug 21, 2004
Messages
951
Pronouns
  1. He - Him
To echo Caerwyn: Password Managers are *crucial* these days. Please look into them, choose one and use it religiously. Please don't reuse passwords. Also, please don't store passwords in your browser (as in, don't allow Chrome to remember the password when you put it in) - browser password storage is notoriously insecure.

IT Team: Sorry you're all having to deal with this. Could you please expand on what method was used to hash passwords? Thanks.
 

Kerwin Thaumiel

Maybe a TARDIS
Gaidin
Mason
Joined
Jun 21, 2006
Messages
4,735
Age
40
Location
Sweden
Pronouns
  1. He - Him
Discord
Thaumiel#3071
Jalen, yeah, but I'm lazy. And I can't use password managers on all devices, but my Google account is a different thing :) But it's about knowing the risks. Don't follow my example.
 

Defen Estrator

Mastering the Watch
Gaidin
The Illuminator
Joined
Jan 23, 2005
Messages
145
Location
rand(), USA
Pronouns
  1. He - Him
Jalen: The vBulletin 4 hash algorithm is md5(md5(password) + salt). Some amount of effort required, especially for strong passwords, but definitely pretty weak by modern standards.
 
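As an added illustration of the scheme Defen describes above (example code written for this thread, not vBulletin's own source): the legacy md5(md5(password) + salt) hash, and one defensive way to get existing records off it without waiting for every user to log in, by wrapping each stored legacy hash in PBKDF2. The lowercase-hex convention for both md5 outputs and the iteration count are assumptions; the sample password, salt and record are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise as hardware allows


def vb4_hash(password: str, salt: str) -> str:
    """Legacy vBulletin 4 scheme from the thread: md5(md5(password) + salt).
    Assumes both digests are lowercase hex, as PHP's md5() produces."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def vb4_verify(password: str, salt: str, stored: str) -> bool:
    # Constant-time comparison so verification does not leak by timing.
    return hmac.compare_digest(vb4_hash(password, salt), stored)


def wrap_legacy(vb4_hex: str, vb4_salt: str) -> dict:
    """Upgrade a stored legacy hash in place: feed the md5 hex string into a slow
    KDF. The plaintext password is not needed, so the whole table can be
    converted at once; only the KDF output is kept from then on."""
    new_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", vb4_hex.encode("ascii"), new_salt,
                             PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2-sha256(vb4)", "vb4_salt": vb4_salt,
            "salt": new_salt.hex(), "iters": PBKDF2_ITERATIONS,
            "hash": dk.hex()}


def verify_wrapped(password: str, record: dict) -> bool:
    """Recompute legacy hash from the login password, then the PBKDF2 layer."""
    legacy = vb4_hash(password, record["vb4_salt"])
    dk = hashlib.pbkdf2_hmac("sha256", legacy.encode("ascii"),
                             bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample: what a migration job would do for one row.
    password, salt = "correct horse battery staple", "Qx3"
    legacy_row = vb4_hash(password, salt)          # what the DB held before
    upgraded = wrap_legacy(legacy_row, salt)       # what it holds afterwards
    print(verify_wrapped(password, upgraded))      # True for the right password
```

A user's first successful login after the migration is the natural point to replace the wrapped record with a direct KDF of the password, dropping the md5 layer entirely.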

Jeem Al'Cazar

Soldier
Joined
Aug 31, 2012
Messages
848
Location
Fairfield, CA
Crazy, who would have thought this site would be a target? Anywho, because everything else of mine pretty much requires rolling passwords, none of them are in sync anymore... lol.

It wasn't just TV, Funcom's forums (also vBulletin) had everyone change their password to each of their games forums. I would guess that something in vBulletin itself was the target, not a specific tower, so vBulletin sent info to everyone currently using vBulletin software.
 

Elania al'Manir

Aes Sedai
Joined
Jan 19, 2005
Messages
10,238
Location
Missouri
Pronouns
  1. She - Her
It sucks that this happened, but at least it's a good reminder and an educational opportunity. :cheeseeni: I read through the link that Caerwyn Gaidin posted and am now downloading LastPass. :D
 

Naomi al'Moranwin

Aes Sedai
Joined
Jun 15, 2001
Messages
1,577
Location
Maynard, MA
I am a LastPass fan! There's a small fee if you want to use it on mobile devices, which I gladly pay. My password here also predated my conversion, but now it's updated. And it reminded me to do a security challenge and reset some other places too. :)
 
Joined
Sep 10, 2007
Messages
2,354
Age
42
Location
UK
Pronouns
  1. He - Him
Discord
Nick.#7789
I've also (for a few weeks now) been transitioning over to LastPass. The free version is great for easy use on your phone and the premium is only $12 which is nothing for a year.

You can pick one 'type' of device for your free version (PC, tablet, phone), and any other devices of the same type are free to sync, but you have to pay if you then want it on a different type of device.
 

Elanda Tonil

Aes Sedai
Mediator
Joined
Aug 7, 2002
Messages
15,068
Location
New England, USA
:grumble Fine, I'll improve my security. :grumble

I've been planning on moving to a password manager of some sort for a while, I guess it's time to actually do it.
 

Caerwyn Jolan

Gaidin
Joined
Sep 24, 2007
Messages
428
Age
63
Location
Volcano, California USA
:grumble Fine, I'll improve my security. :grumble

I've been planning on moving to a password manager of some sort for a while, I guess it's time to actually do it.

The main reason to move to a password manager (any one you're comfortable with, although I use LastPass), is that it eliminates the "use the same password on lots of websites" problem. (by letting you make strong passwords and easily use a *different* one on every site).

This is about the 5th or 6th site that I've been a member of that has had either actual passwords or salted password hashes stolen from it. (For lots of reasons, stealing hashes is almost as bad as stealing actual passwords; people's password choices are *VERY* predictable.)

It's going to happen again. Worse things are going to happen. The level of attacks out there in the wild is just stunning, with all levels of actors from teen-hacker all the way to large-agency-of-government level actors. It's only a matter of time before almost any password you set is compromised - one of the best things to do is contain the blast radius by not reusing them between sites. (Changing them periodically, interestingly, is less effective. There's some evidence that making people change their password every now and then doesn't improve password quality and may decrease it.)

So all you people who have 1000 day old passwords aren't really making your security worse because they're old. :-)mother)

But you're probably choosing terrible passwords that can be recovered with a script anyway.

So don't do that. :nono

PS: It's not only passwords online that have this problem. I once got into a very expensive property (legitimately, I was returning something I'd borrowed but didn't have the owner's phone # and you couldn't see the house from the gate), by typing "1234" into the electric gate keypad. Voila, open sesame...
 

Jalen te'Kreg

Gaidin
Joined
Aug 21, 2004
Messages
951
Pronouns
  1. He - Him
The main reason to move to a password manager (any one you're comfortable with, although I use LastPass), is that it eliminates the "use the same password on lots of websites" problem. (by letting you make strong passwords and easily use a *different* one on every site).

This is about the 5th or 6th site that I've been a member of that has had either actual passwords or salted password hashes stolen from it. (For lots of reasons, stealing hashes is almost as bad as stealing actual passwords; people's password choices are *VERY* predictable.)

It's going to happen again. Worse things are going to happen. The level of attacks out there in the wild is just stunning, with all levels of actors from teen-hacker all the way to large-agency-of-government level actors. It's only a matter of time before almost any password you set is compromised - one of the best things to do is contain the blast radius by not reusing them between sites. (Changing them periodically, interestingly, is less effective. There's some evidence that making people change their password every now and then doesn't improve password quality and may decrease it.)

So all you people who have 1000 day old passwords aren't really making your security worse because they're old. :-)mother)

But you're probably choosing terrible passwords that can be recovered with a script anyway.

So don't do that. :nono

PS: It's not only passwords online that have this problem. I once got into a very expensive property (legitimately, I was returning something I'd borrowed but didn't have the owner's phone # and you couldn't see the house from the gate), by typing "1234" into the electric gate keypad. Voila, open sesame...


I should tell you about the security headaches I dealt with in 2014 working on a query/data/records/physical security systems merger between two police departments over a beer some time, away from prying eyes, Caer. You'll get a chuckle.
 