IMPORTANT: Reset passwords

JensAyton · Post by **JensAyton** » Sat Jan 08, 2011 12:29 pm

As you may know, the Oolite Bulletin Board was hacked on New Year's Eve. We are now seeing indications that passwords may have been compromised We strongly recommend that you change your password on the Oolite Bulletin Board. If you use the same password for anything else, especially the e-mail account associated with your BB profile, change the password for that, too.

As a general note, it’s a good idea to use separate passwords for valuable things like your main e-mail account rather than using one password for everything.

To change your password on the Oolite Bulletin Board, log in and go to the Edit Account Settings page. (Alternatively, select User Control Panel fro the top right of the page. Under Options on the left hand side, select Profile and then Edit account settings.)

Enter a new password twice where prompted, and your old password below that, then click Submit. The next time you log in, you will need to use your new password.

David McMahon · Post by **David McMahon** » Sat Jan 08, 2011 12:37 pm

Sorry to be negative, but how do I remove my account? I can't have a risk like this

JensAyton · Post by **JensAyton** » Sat Jan 08, 2011 12:43 pm

There doesn’t appear to be a way to remove your own account. We could do it for you if you really want, but that would leave your posts orphaned; a possibly better solution would be to set your password to something random.

Of course, if you then remember the random password, you’ll be able to use the BB without any risk whatsoever to other accounts. :-)

Commander McLane · Post by **Commander McLane** » Sat Jan 08, 2011 3:25 pm

Thanks for the warning!

I am changing right now (especially on a completely unrelated, but very sensitive site where I used the same password as well).

David McMahon · Post by **David McMahon** » Sat Jan 08, 2011 3:35 pm

Do we know the extent of the hack? Were E-Mail addresses obtained?

Commander Smivs · Post by **Smivs** » Sat Jan 08, 2011 3:52 pm

OK so I've changed my password. So how great is the danger. Like most people I don't use my 'real' name here so if some git has got my (old) password they can surely only relate it to my Oolite persona. My email accounts all have unique passwords so should be safe.
However as Smivs i do have a wide web presence, and presumably some of these accounts (eg Smivs' Slashdot account) might be at risk. Is that right?
None of my sensitive personal accounts (eg Bank) are in the name of Smivs and none use the compromised password, so I'm assuming I am quite safe from this angle.
Sorry if this sounds naive, but I've not really been in this situation before.

aegidian · Post by **aegidian** » Sat Jan 08, 2011 4:45 pm

We don't know if the database was accessed.

We think it may have been accessed because at least one user here has reported that since the attack on the site their webmail has been hacked and that they used the same password to access their webmail as they do to access this site. At the moment I am aware of this only happening to one user.

If the database was accessed, then your usernames, email addresses and an MD5 hash (a fairly complex encryption) of your passwords could have been revealed.

If you don't use the same password at another site, your access there will remain as secure as it ever was. If you use the same password and email address at a different site you are advised to change it. Once you have changed your password there then your access there will be as secure as that site chooses to make it.

FWIW the software this board runs on (phpBB3) is regarded as being very secure, and the MD5 hashes of passwords stored here are regarded as being difficult to crack. That said, you are more at risk if you use a simple password, and particularly a short one. And because other boards and sites may not be as secure, again, please don't reuse your other passwords.

JensAyton · Post by **JensAyton** » Sat Jan 08, 2011 5:15 pm

If you habitually use the same password on different sites, and especially if you use the same password for your e-mail as everything else (since web site accounts tend to have e-mail addresses associated with them), the odds that your password will eventually be compromised are very high.

If they did access the database, they got salted hashes of passwords for 2000ish users. It isn’t possible to convert those hashes back to passwords, but what you can do is hash a lot of test passwords in the same way and see if any of the hashes you saw turn up. Normally this is done starting with a list of common passwords. If your password is “swordfish”, it will be found very quickly. If it’s 50 random letters, it is extremely unlikely that it would ever be found.

Doing this for a mere 2000 accounts doesn’t seem particularly worthwhile, but that doesn’t mean no-one would do it.

Post by **winston** » Sat Jan 08, 2011 7:17 pm

aegidian wrote:
If the database was accessed, then your usernames, email addresses and an MD5 hash (a fairly complex encryption) of your passwords could have been revealed.

The biggest risk is if you have a password that's in the dictionary. You can crack MD5 passwords by running a simple dictionary attack, compare the MD5 sum of each dictionary word you try with the MD5 sum in the database you saved off.

If your password looks like "alksfIOH(T98&\0fdhf¨*-" it probably won't get compromised. (However, MD5 passwords can be brute forced, but it's probably not worth the cracker's effort when I bet at least 75% of the passwords are crackable by a dictionary attack, and probably a reasonable proportion are things like "password" or "passw0rd" or something similar.

Oolite Bulletins

IMPORTANT: Reset passwords

IMPORTANT: Reset passwords

Re: IMPORTANT: Reset passwords

Re: IMPORTANT: Reset passwords

Re: IMPORTANT: Reset passwords

Re: IMPORTANT: Reset passwords

Re: IMPORTANT: Reset passwords

Re: IMPORTANT: Reset passwords

Re: IMPORTANT: Reset passwords

Re: IMPORTANT: Reset passwords