IMPORTANT: Reset passwords

Announcements about releases of Oolite and related material.

Moderators: winston, another_commander

JensAyton
Grand Admiral Emeritus
Posts: 6657
Joined: Sat Apr 02, 2005 2:43 pm
Location: Sweden

IMPORTANT: Reset passwords

Post by JensAyton »

As you may know, the Oolite Bulletin Board was hacked on New Year's Eve. We are now seeing indications that passwords may have been compromised. We strongly recommend that you change your password on the Oolite Bulletin Board. If you use the same password for anything else, especially the e-mail account associated with your BB profile, change the password for that, too.

As a general note, it’s a good idea to use separate passwords for valuable things like your main e-mail account rather than using one password for everything.

To change your password on the Oolite Bulletin Board, log in and go to the Edit Account Settings page. (Alternatively, select User Control Panel from the top right of the page. Under Options on the left hand side, select Profile and then Edit account settings.)

Enter a new password twice where prompted, and your old password below that, then click Submit. The next time you log in, you will need to use your new password.
David McMahon
Above Average
Posts: 16
Joined: Thu Oct 15, 2009 3:07 am

Re: IMPORTANT: Reset passwords

Post by David McMahon »

Sorry to be negative, but how do I remove my account? I can't have a risk like this :(
JensAyton
Grand Admiral Emeritus
Posts: 6657
Joined: Sat Apr 02, 2005 2:43 pm
Location: Sweden

Re: IMPORTANT: Reset passwords

Post by JensAyton »

There doesn’t appear to be a way to remove your own account. We could do it for you if you really want, but that would leave your posts orphaned; a possibly better solution would be to set your password to something random.

Of course, if you then remember the random password, you’ll be able to use the BB without any risk whatsoever to other accounts. :-)
Commander McLane
---- E L I T E ----
Posts: 9520
Joined: Thu Dec 14, 2006 9:08 am
Location: a Hacker Outpost in a moderately remote area

Re: IMPORTANT: Reset passwords

Post by Commander McLane »

Thanks for the warning!

I am changing right now (especially on a completely unrelated, but very sensitive site where I used the same password as well).
David McMahon
Above Average
Posts: 16
Joined: Thu Oct 15, 2009 3:07 am

Re: IMPORTANT: Reset passwords

Post by David McMahon »

Do we know the extent of the hack? Were E-Mail addresses obtained?
Smivs
Retired Assassin
Posts: 8408
Joined: Tue Feb 09, 2010 11:31 am
Location: Lost in space

Re: IMPORTANT: Reset passwords

Post by Smivs »

OK so I've changed my password. So how great is the danger? Like most people I don't use my 'real' name here, so if some git has got my (old) password they can surely only relate it to my Oolite persona. My email accounts all have unique passwords so should be safe.
However, as Smivs I do have a wide web presence, and presumably some of these accounts (eg Smivs' Slashdot account) might be at risk. Is that right?
None of my sensitive personal accounts (eg Bank) are in the name of Smivs and none use the compromised password, so I'm assuming I am quite safe from this angle.
Sorry if this sounds naive, but I've not really been in this situation before.
Commander Smivs, the friendliest Gourd this side of Riedquat.
aegidian
Master and Commander
Posts: 1161
Joined: Thu May 20, 2004 10:46 pm
Location: London UK

Re: IMPORTANT: Reset passwords

Post by aegidian »

We don't know if the database was accessed.

We think it may have been accessed because at least one user here has reported that since the attack on the site their webmail has been hacked and that they used the same password to access their webmail as they do to access this site. At the moment I am aware of this only happening to one user.

If the database was accessed, then your usernames, email addresses and an MD5 hash (a fairly complex encryption) of your passwords could have been revealed.

If you don't use the same password at another site, your access there will remain as secure as it ever was. If you use the same password and email address at a different site you are advised to change it. Once you have changed your password there then your access there will be as secure as that site chooses to make it.

FWIW the software this board runs on (phpBB3) is regarded as being very secure, and the MD5 hashes of passwords stored here are regarded as being difficult to crack. That said, you are more at risk if you use a simple password, and particularly a short one. And because other boards and sites may not be as secure, again, please don't reuse your other passwords.
"The planet Rear is scourged by well-intentioned OXZs."

Oolite models and gear? click here!
JensAyton
Grand Admiral Emeritus
Posts: 6657
Joined: Sat Apr 02, 2005 2:43 pm
Location: Sweden

Re: IMPORTANT: Reset passwords

Post by JensAyton »

If you habitually use the same password on different sites, and especially if you use the same password for your e-mail as everything else (since web site accounts tend to have e-mail addresses associated with them), the odds that your password will eventually be compromised are very high.

If they did access the database, they got salted hashes of passwords for 2000ish users. It isn’t possible to convert those hashes back to passwords, but what you can do is hash a lot of test passwords in the same way and see if any of the hashes you saw turn up. Normally this is done starting with a list of common passwords. If your password is “swordfish”, it will be found very quickly. If it’s 50 random letters, it is extremely unlikely that it would ever be found.

Doing this for a mere 2000 accounts doesn’t seem particularly worthwhile, but that doesn’t mean no-one would do it.
winston
Pirate
Posts: 731
Joined: Mon Sep 27, 2004 10:21 pm
Location: Port St. Mary, Isle of Man

Re: IMPORTANT: Reset passwords

Post by winston »

aegidian wrote:
If the database was accessed, then your usernames, email addresses and an MD5 hash (a fairly complex encryption) of your passwords could have been revealed.
The biggest risk is if you have a password that's in the dictionary. You can crack MD5 passwords by running a simple dictionary attack, comparing the MD5 sum of each dictionary word you try with the MD5 sum in the database you saved off.

If your password looks like "alksfIOH(T98&\0fdhf¨*-" it probably won't get compromised. (However, MD5 passwords can be brute forced, but it's probably not worth the cracker's effort when I bet at least 75% of the passwords are crackable by a dictionary attack, and probably a reasonable proportion are things like "password" or "passw0rd" or something similar.)
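The procedure JensAyton and winston describe above, written out as the post-breach audit a board administrator would run over their own user table to decide which accounts to force-reset. This is an added example, not phpBB3's real hash format or any code from the Oolite project: it uses a plain salt+MD5 construction and a constructed five-entry wordlist so that it runs offline.

```python
import hashlib
import secrets


def salted_md5(password: str, salt: str) -> str:
    """Hash a password with a per-account salt (illustrative scheme, not phpBB3's)."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """Store what a board keeps: the salt and the hash, never the password itself."""
    salt = secrets.token_hex(4)
    return {"salt": salt, "hash": salted_md5(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Site-side login check. A guesser with the table runs exactly the same step."""
    return secrets.compare_digest(record["hash"], salted_md5(candidate, record["salt"]))


# Constructed stand-in for the "list of common passwords" the thread mentions.
COMMON_PASSWORDS = ["123456", "password", "swordfish", "passw0rd", "letmein"]


def audit_weak_accounts(records: dict, wordlist) -> dict:
    """Return {username: guesses_needed} for every account whose stored hash
    matches a wordlist entry. Each account needs its own loop because the salt
    differs per user: salting stops one precomputed table covering all 2000
    accounts at once, but it does nothing for a password that is in the list."""
    hits = {}
    for user, rec in records.items():
        for n, word in enumerate(wordlist, start=1):
            if verify(rec, word):
                hits[user] = n
                break
    return hits


def demo() -> dict:
    # Constructed accounts: one dictionary word, one long random-looking string.
    records = {
        "alice": make_record("swordfish"),
        "bob": make_record("xq7Lm2vP9sKd4Wn8Rt3Hz6Jy1Bc5Fg0Nv2Qw8Ez4Ul7Ai9Ok"),
    }
    return audit_weak_accounts(records, COMMON_PASSWORDS)


if __name__ == "__main__":
    print(demo())  # alice is found on the third guess; bob is not found at all
```

Accounts returned by `audit_weak_accounts` are the ones to reset first; an account absent from the result is only as safe as the wordlist is incomplete.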