SQL injection vulnerability

Discussion in 'Site Announcements' started by Mendo Cath, Aug 24, 2016.

  1. Stephen Lightheart

    Stephen Lightheart Aes Sedai

    Joined:
    Sep 12, 2010
    Messages:
    10,402
    Location:
    The Netherlands
    Mine was only 86 days old. It was way too young to die. I lose. :(
     
  2. Aduiavas Ida

    Aduiavas Ida Aes Sedai Mistress of Revels - Europe Forum Moderator

    Joined:
    Jun 10, 2008
    Messages:
    15,349
    Location:
    Drøbak, Norway
    Mine was 1480-something too :look
     
  3. Mendo Cath

    Mendo Cath Voidbringer Aes Sedai

    Joined:
    Apr 2, 2013
    Messages:
    4,434
    Location:
    Richmond, TX
    Personally, I like KeePass (http://keepass.info/download.html) a lot because it works on almost everything and is open source (meaning it won't cost you anything to use).
     
  4. Kerwin Thaumiel

    Kerwin Thaumiel Maybe a TARDIS Gaidin

    Joined:
    Jun 21, 2006
    Messages:
    4,577
    Location:
    Sweden
    Google and a text file :look
     
  5. Arafel al Dama

    Arafel al Dama Aes Sedai

    Joined:
    Apr 5, 2006
    Messages:
    1,817
    Location:
    Washington state
    Thank you!
     
  6. Jalen te'Kreg

    Jalen te'Kreg Gaidin

    Joined:
    Aug 21, 2004
    Messages:
    917
    To echo Caerwyn: Password Managers are *crucial* these days. Please look into them, choose one and use it religiously. Please don't reuse passwords. Also, please don't store passwords in your browser (as in, don't allow Chrome to remember the password when you put it in) - browser password storage is notoriously insecure.

    IT Team: Sorry you're all having to deal with this. Could you please expand on what method was used to hash passwords? Thanks.
     
  7. Zelinea Aldevron

    Zelinea Aldevron

    Joined:
    Jul 25, 2016
    Messages:
    674
    Thanks for taking care of things so quickly!
     
  8. Kerwin Thaumiel

    Kerwin Thaumiel Maybe a TARDIS Gaidin

    Joined:
    Jun 21, 2006
    Messages:
    4,577
    Location:
    Sweden
    Jalen, yeah, but I'm lazy, and I can't use password managers on all devices, but my Google account is a different thing :) But it's about knowing the risks. Don't follow my example.
     
  9. Defen Estrator

    Defen Estrator Mastering the Watch Gaidin Master of the Watch

    Joined:
    Jan 23, 2005
    Messages:
    136
    Location:
    rand(), USA
    Jalen: The vBulletin 4 hash algorithm is md5(md5(password) + salt). Some amount of effort required, especially for strong passwords, but definitely pretty weak by modern standards.
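    The legacy scheme Defen describes (md5 of the hex-encoded md5 of the password, with the salt appended) next to a stronger replacement, as an added example that is not code from the thread or from vBulletin. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as the modern key derivation function and a simple dict as the stored credential record; the transparent-upgrade-on-login pattern is the usual way a site migrates away from a weak legacy hash.

    ```python
    import hashlib
    import hmac
    import os

    # Legacy vBulletin 4 scheme as stated in the thread: md5(md5(password) + salt).
    # The inner md5 is hex-encoded before the salt string is appended.
    def vb4_hash(password: str, salt: str) -> str:
        inner = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

    # Constructed legacy record, the shape a site would have stored before upgrading.
    def legacy_record(password: str, salt: str) -> dict:
        return {"scheme": "vb4", "salt": salt, "hash": vb4_hash(password, salt)}

    # Modern replacement (assumption: PBKDF2-HMAC-SHA256, chosen because it is
    # stdlib-only; a slow, salted KDF is the point, not this particular one).
    PBKDF2_ITERATIONS = 600_000

    def modern_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def modern_record(password: str) -> dict:
        salt = os.urandom(16)  # per-user random salt
        return {"scheme": "pbkdf2", "salt": salt, "hash": modern_hash(password, salt)}

    def verify_and_upgrade(record: dict, password: str):
        """Check a password against a stored record. On a successful login with a
        legacy record, return an upgraded record that the caller must persist, so
        the weak hash disappears from the database as users log in."""
        if record["scheme"] == "vb4":
            ok = hmac.compare_digest(vb4_hash(password, record["salt"]), record["hash"])
            return (True, modern_record(password)) if ok else (False, record)
        if record["scheme"] == "pbkdf2":
            ok = hmac.compare_digest(modern_hash(password, record["salt"]), record["hash"])
            return ok, record
        raise ValueError("unknown password scheme: %r" % record["scheme"])
    ```

    Constant-time comparison (hmac.compare_digest) matters for both schemes; the legacy path only exists long enough to move each account to the slow KDF.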
     
  10. Jalen te'Kreg

    Jalen te'Kreg Gaidin

    Joined:
    Aug 21, 2004
    Messages:
    917
    Thanks Defen!
     
  11. Zandera Sommers

    Zandera Sommers

    Joined:
    Apr 7, 2012
    Messages:
    6,866
    Location:
    Massachusetts
    Thank you for the info. :)
     
  12. Jeem Al'Cazar

    Jeem Al'Cazar Soldier

    Joined:
    Aug 31, 2012
    Messages:
    848
    Location:
    Fairfield, CA
    It wasn't just TV, Funcom's forums (also vBulletin) had everyone change their password to each of their games forums. I would guess that something in vBulletin itself was the target, not a specific tower, so vBulletin sent info to everyone currently using vBulletin software.
     
  13. Elania al'Manir

    Elania al'Manir Aes Sedai Forum Moderator

    Joined:
    Aug 26, 2012
    Messages:
    8,253
    Location:
    Missouri
    It sucks that this happened, but at least it's a good reminder and an educational opportunity. :cheese I read through the link that Caerwyn Gaidin posted and am now downloading LastPass. :D
     
  14. Naomi al'Moranwin

    Naomi al'Moranwin Aes Sedai

    Joined:
    Jun 15, 2001
    Messages:
    1,582
    Location:
    Maynard, MA
    I am a LastPass fan! There's a small fee if you want to use it on mobile devices, which I gladly pay. My password here also predated my conversion, but now it's updated. And it reminded me to do a security challenge and reset some other places too. :)
     
  15. Kallarn Lo'Vosh

    Kallarn Lo'Vosh

    Joined:
    Sep 10, 2007
    Messages:
    1,096
    Location:
    Kent UK
    I've also (for a few weeks now) been transitioning over to LastPass. The free version is great for easy use on your phone, and the premium is only $12, which is nothing for a year.

    You can pick one 'type' of device for your free version (PC, tablet, phone), and any other devices of the same type are free to sync, but you have to pay if you then want it on a different type of device.
     
  16. Falone Charpontier

    Falone Charpontier

    Joined:
    Apr 23, 2003
    Messages:
    908
    Location:
    Washington State
    Thank you for taking care of us so swiftly.
     
  17. Elanda Tonil

    Elanda Tonil Aes Sedai Survey Project Manager Forum Moderator

    Joined:
    Aug 7, 2002
    Messages:
    12,140
    Location:
    New England, USA
    :grumble Fine, I'll improve my security. :grumble

    I've been planning on moving to a password manager of some sort for a while, I guess it's time to actually do it.
     
  18. Caerwyn Jolan

    Caerwyn Jolan Gaidin

    Joined:
    Sep 24, 2007
    Messages:
    390
    Location:
    Volcano, California USA
    The main reason to move to a password manager (any one you're comfortable with, although I use LastPass) is that it eliminates the "use the same password on lots of websites" problem (by letting you make strong passwords and easily use a *different* one on every site).

    This is about the 5th or 6th site that I've been a member of that has had either actual passwords or salted password hashes stolen from it. (For lots of reasons, stealing hashes is almost as bad as stealing actual passwords; people's password choices are *VERY* predictable.)

    It's going to happen again. Worse things are going to happen. The level of attacks out there in the wild is just stunning, with all levels of actors from teen-hacker all the way to large-agency-of-government level actors. It's only a matter of time before almost any password you set is compromised. One of the best things to do is contain the blast radius by not reusing them between sites. (Changing them periodically, interestingly, is less effective. There's some evidence that making people change their password every now and then doesn't improve password quality and may decrease it.)

    So all you people who have 1000 day old passwords aren't really making your security worse because they're old. :-)mother)

    But you're probably choosing terrible passwords that can be recovered with a script anyway.

    So don't do that. :nono

    PS: It's not only passwords online that have this problem. I once got into a very expensive property (legitimately, I was returning something I'd borrowed but didn't have the owner's phone # and you couldn't see the house from the gate) by typing "1234" into the electric gate keypad. Voila, open sesame...
     
    Last edited: Aug 26, 2016
  19. Atreyu Silverstar

    Atreyu Silverstar Gaidin Forum Moderator

    Joined:
    Mar 29, 2006
    Messages:
    2,805
    Location:
    Long beach, California
    Thank you for your hard work :)
     
  20. Jalen te'Kreg

    Jalen te'Kreg Gaidin

    Joined:
    Aug 21, 2004
    Messages:
    917

    I should tell you about the security headaches I dealt with in 2014 working on a query/data/records/physical security systems merger between two police departments over a beer some time, away from prying eyes, Caer. You'll get a chuckle.