Ars was briefly hacked yesterday; here’s what we know

darkshade wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142801#p28142801):
dillweed81 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142643#p28142643):
(Please read my post before blindly downvoting me for taking issue with epixoip's remarks. epixoip is a professional password cracker, not a professional penetration tester. He cares about cracking massive data sets, which does not always align with black hat goals.)

<snip>

You're talking about an edge case of an edge case for a website like Ars Technica. The vast majority (if not literally all) don't need to be concerned with a specific targeted attack against them. Ars' system is adequate for untargeted attacks, and that's what most users should be worried about.

That's fair. I think it's good to let people understand the potential risks though.

Also, there is potential for semi-targeted attacks. For example, someone decides they want to take control of some forums, scrapes forum admin usernames from around the web, does a search for them in numerous databases from breaches, finds a few people using the same username on Ars...

99.8% of users here probably don't need to worry about these sorts of things, but the point stands that the only thing standing between you and someone interested in cracking your password hash is MD5 2048x. To me that is not reassuring.
 
Upvote
5 (7 / -2)

pqr

Ars Scholae Palatinae
1,261
epixoip wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142825#p28142825):
drukov wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142673#p28142673):
epixoip wrote (http://meincmagazine.com/civis/viewtopic.php?p=28141599#p28141599):

If you want to put this into "OL Hashcat" terms, a single R9 290X can pull ~ 12.2 GH/s on raw MD5, but only 3 MH/s against PHPass. Divide that by 1,071,734 unique salts, and that means our effective speed is only 2.86 H/s. That's beyond properly slow. Multiply that by 100 GPUs and that's still only 286 H/s. We can't do very much with that, and that's why this list is only 16.19% cracked.
That's completely wrong. Salts do not slow down bruteforce cracking beyond obscuring users who use the same password. The effective speed is still 3 MH/s.

Sorry, but you're completely wrong. I've explained why this is the case several times. I'm sorry if you are not able to understand why this is true.

drukov, read my posts after his 2.86 H/s post and then you will get it. Purely a matter of definitions; there is nothing wrong with your own 3 MH/s calculation and gut feeling. His effective rate "just does not mean what you think it means". He uses rate per account, namely how many password candidates you can check per second against the entire userbase of hashes. It took a few exchanges to settle the difference.
 
Upvote
8 (9 / -1)
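The disagreement above is about what "effective speed" measures, not about the arithmetic. As an added example (not code from anyone in this thread), the following Python models both measurements side by side using the figures quoted above (3 MH/s against PHPass, 1,071,734 unique salts); the wordlist size is a constructed round number and the helper names are my own.

```python
# Added example: two ways of measuring cracking throughput against a salted,
# iterated hash. Rates and salt count are the figures quoted in the thread;
# the wordlist size is a constructed round number, not a measured one.

SECONDS_PER_YEAR = 365.25 * 86400


def per_account_rate(cracker_rate_hs: float, unique_salts: int) -> float:
    """Candidates per second checked against EVERY account when sweeping the
    whole dump. With unique salts each candidate has to be hashed once per
    account, so the raw GPU rate is divided by the number of salts.
    For an unsalted dump pass unique_salts=1: one hash per candidate is
    compared against all stored hashes at once."""
    return cracker_rate_hs / unique_salts


def targeted_rate(cracker_rate_hs: float) -> float:
    """Candidates per second against ONE chosen account. That account's salt
    is in the dump, so the attacker hashes at full speed; the salt buys this
    account nothing, only the iteration count slows the attacker down."""
    return cracker_rate_hs


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of random passwords of a given length over an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, rate_hs: float) -> float:
    """Wall-clock seconds to try every candidate at the given rate."""
    return candidates / rate_hs


def compare(cracker_rate_hs: float, unique_salts: int, wordlist_size: int) -> dict:
    """Cost of one wordlist pass: whole-dump sweep versus a single target."""
    sweep = per_account_rate(cracker_rate_hs, unique_salts)
    return {
        "sweep_rate_hs": sweep,
        "sweep_days": seconds_to_exhaust(wordlist_size, sweep) / 86400,
        "targeted_rate_hs": targeted_rate(cracker_rate_hs),
        "targeted_seconds": seconds_to_exhaust(wordlist_size, cracker_rate_hs),
    }


def years_for_random_password(alphabet_size: int, length: int, rate_hs: float) -> float:
    """Years to exhaust a random-password keyspace against one account."""
    return seconds_to_exhaust(keyspace(alphabet_size, length), rate_hs) / SECONDS_PER_YEAR


if __name__ == "__main__":
    result = compare(3_000_000, 1_071_734, 14_000_000)
    for name, value in result.items():
        print(f"{name:>18}: {value:,.2f}")
    print(f"random 12 lower-case, one account: "
          f"{years_for_random_password(26, 12, 3_000_000):,.0f} years")
```

Both numbers in the exchange come out of `compare()`: `targeted_rate_hs` is drukov's 3 MH/s (what one account faces), and `sweep_rate_hs` is epixoip's per-account figure for cracking the entire dump. The gap between `sweep_days` and `targeted_seconds` is the whole point of unique salts.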
rdx wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142839#p28142839):
dillweed81 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142643#p28142643):
(Please read my post before blindly downvoting me for taking issue with epixoip's remarks. epixoip is a professional password cracker, not a professional penetration tester. He cares about cracking massive data sets, which does not always align with black hat goals.)

In my opinion he is being misleading, even though he's correct.

I work in infosec and have participated in some red team exercises. My personal fear in these scenarios is not the entire database being cracked, it's a targeted attacker who singles me out and dedicates boxes to doing nothing but trying to crack just my account's password hash. This is an extremely common tactic used by black hats and by white hat pentesters.

Scrypt or bcrypt would mitigate this much more than iterated MD5, unless the iterations are closer to what the industry recommends. OWASP's recommendations for PBKDF2 are 128,000 iterations in 2014, and that's also recommending SHA1 or SHA-256, not MD5. If you compare SHA1's speed with MD5, I would guess that 150k or 200k would be the recommendation for MD5 (it is easy to calculate the exact number if someone wants to). 150,000 is a lot higher than 2,048.

Sure, the vast majority of users here probably will never be targeted in such a way, but undoubtedly at least a few will be. PHPass is certainly much better than just salted single-round MD5, but it's not good either.

The only numbers epixoip gave were how hard it would be to crack the entire data set containing every Ars account. Ars has a ton of users and each hash is salted, so obviously this would take a long time, and would take a far longer time than it would take if the algorithm was merely a single md5($salt . $password). But it is still not very secure for the reasons I listed above. Most people are (probably) going to be safe sheerly because they're a needle in a large haystack, not because the hash is strong.

Marshalrusty wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142583#p28142583):
epixoip did an absolutely excellent job explaining how PHPass works and why it is nothing like a plain md5 hash.

It is a bit shocking how many commenters went from "I have seen md5 mentioned in prior articles a few times" to "I am an expert on cryptography and clearly Ars, phpBB, etc. don't know what they're doing and don't take security seriously." As a matter of fact, we take matters of security extremely seriously. PHPass was chosen because it is a strong choice that works on a wide range of setups. It is certainly going to get the job done here. On our newest version, phpBB 3.1, there is support for bcrypt for an even stronger hash.

Yuriy Rusko
Project Manager, phpBB
Sorry, but just because the function has a fancy name does not mean it is magically good.

The source code is right here:

https://github.com/phpbb/phpbb/blob/pre ... s.php#L585

With 2,048 iterations, it is roughly 4,000x slower than a single round of MD5. This is much better than MD5 but is still much faster than what industry standards recommend. The rounds would have to be set to 130-200k to get closer to industry standards.

Obviously it could be configured to use that many rounds, but Ars did not configure it that way (possibly due to performance concerns).

Unless your threat model for Ars is someone exfiltrating the passwords DB and working on some extremely worthy target hash for month(s) unnoticed, this doesn't make much sense.

A 12-character lower-case random password would already take 50 years on a rig like this, and simply throwing in digits would raise that to 2000 years. I'd think most passwords would expire by then. A state-level resourceful actor with a thousand of those rigs *could* extract all lowercase 12-character passwords in a possibly meaningful period - and would be defeated by switching to full ASCII random.

This only gives a little grace period for extremely weak passwords on the order of 8 [0-9a-z] random characters. Dictionary crackable passwords wouldn't profit from this at all, as moving from seconds/hours to minutes/day won't help in this case.

The database has already (likely) been exfiltrated. That's the entire point of this thread...

You're absolutely right that a *strong* 12 character password, such as a random all-lowercase password, would be very hard to crack. But that'd still take a (relatively speaking) long time to crack even on 1 round of MD5.

Password cracking is usually about cracking non-ideal passwords. Many users here probably do not have strong passwords. Most people use words and common number schemes in their passwords, and applications like HashCat are very good at cracking them (wordlist permutations, attempts at common patterns, and lots of other techniques). So a weak or "medium" 12 character password may certainly be in trouble.
 
Upvote
2 (3 / -1)
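To make "MD5 x 2048" and the 130-200k-round argument concrete, here is an added Python port of the openwall phpass portable-hash construction (the $P$/$H$ format that the phpBB source linked above implements). It is not code from the thread or from phpBB; the setting strings, salts and passwords below are constructed, and the helper names are mine.

```python
# Added example: Python port of the phpass "portable" hash ($P$/$H$ format).
# Not phpBB's or openwall's code; salts and passwords here are constructed.
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """phpass's own base-64 variant: packs `count` bytes, low bits first."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def gensalt(count_log2: int, prefix: str = "$P$") -> str:
    """Setting string: prefix, one char encoding log2(rounds), 8-char salt."""
    if not 7 <= count_log2 <= 30:  # the range phpass's crypt_private() accepts
        raise ValueError("count_log2 must be between 7 and 30")
    return prefix + ITOA64[count_log2] + encode64(secrets.token_bytes(6), 6)


def phpass_hash(password: bytes, setting: str) -> str:
    """md5(salt || pw), then 2**count_log2 rounds of md5(h || pw)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("unsupported setting prefix")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    h = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + encode64(h, 16)


def phpass_verify(password: bytes, stored: str) -> bool:
    """Recompute with the stored setting and compare in constant time."""
    return hmac.compare_digest(phpass_hash(password, stored[:12]), stored)


def md5_calls(stored: str) -> int:
    """MD5 invocations an attacker pays per guess: 2**count_log2 plus one."""
    return (1 << ITOA64.index(stored[3])) + 1


if __name__ == "__main__":
    for log2 in (11, 17):  # 2**11 = 2048 rounds; 2**17 = 131072 rounds
        h = phpass_hash(b"correct horse battery", gensalt(log2))
        print(f"{h}  md5 calls/guess: {md5_calls(h)}")
```

The fourth character of the stored string is the whole cost parameter: `$P$9...` means 2^11 rounds, `$P$F...` means 2^17, so a reader can tell from a dump alone how expensive each guess is. `phpass_verify` recomputes from the stored setting, so raising the count for new hashes keeps old ones verifiable.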

rdx

Wise, Aged Ars Veteran
160
logic_88 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142837#p28142837):
dillweed81 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142777#p28142777):
A 12-character password will still end up being pretty strong, unless it's just a dictionary word or multiple dictionary words or some easy permutation of either of those. You'll likely find that even on a tech site like Ars, though, a great deal many people will have passwords that are 8 or fewer characters long.

Does it matter if I use a strong password or not for Ars?

Aside from an email address, I don't have any personal information stored here.
People using same/similar passwords is what attacks on random sites usually hope for.

If someone uses "my p@55word!ars" and "my p@55word!gmail" - welp. Mail password is pretty much the single weakest link for most people's whole online presence.
 
Upvote
1 (3 / -2)
logic_88 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142837#p28142837):
dillweed81 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142777#p28142777):
A 12-character password will still end up being pretty strong, unless it's just a dictionary word or multiple dictionary words or some easy permutation of either of those. You'll likely find that even on a tech site like Ars, though, a great deal many people will have passwords that are 8 or fewer characters long.

Does it matter if I use a strong password or not for Ars?

Aside from an email address, I don't have any personal information stored here.

The primary danger of any database breach is password reuse.

If you use a very unique password for each site (so no "password124" and "password125"; totally different schemes) then you generally don't have reason to be concerned with any website breach unless the site is also storing payment information or SSNs.

Most people on the Internet heavily reuse passwords. There are many cases of someone going through the effort of compromising and dumping the database of a site specifically so they can crack the hash of a single user and try that user's passwords on other accounts and services.
 
Upvote
6 (7 / -1)

achbed

Ars Scholae Palatinae
832
zer0x1A4 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28141083#p28141083):
pqr wrote (http://meincmagazine.com/civis/viewtopic.php?p=28140755#p28140755):

I heard it was combination of inside job and North Korean hackers...

Or a big publicity stunt?... we'll never know.

Nope - it was Sony looking for copies of their data. They've given up on seeding poisoned torrents, and moved on to threatening and hacking news organizations instead. Because that always ends well.
 
Upvote
0 (1 / -1)

rdx

Wise, Aged Ars Veteran
160
dillweed81 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142853#p28142853):
<snip>
You've already switched from a targeted hack to a shotgun one. If you're going after all accounts, that "effective 3 H/s per account" metric kicks in. It's still days to weeks to go through a RockYou-sized wordlist, even before switching to smarter methods. And even after a wordlist pass sweeps away 90% of QWERTYs and 12345s, you're still looking at 30 H/s.
 
Upvote
1 (3 / -2)
rdx wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142945#p28142945):
<snip>
You've already switched from a targeted hack to a shotgun one. If you're going after all accounts, that "effective 3 H/s per account" metric kicks in. It's still days to weeks to go through a RockYou-sized wordlist, even before switching to smarter methods. And even after a wordlist pass sweeps away 90% of QWERTYs and 12345s, you're still looking at 30 H/s.

Nope, still talking about targeted. Whether they are singled out or are part of the whole batch, an average user here probably has a password which is weaker than that.

I'm not trying to be contrarian. Yes, cracking 70% or more of the whole DB is still going to take a very long time even if most people have weak passwords. Targeting is still the primary risk.
 
Upvote
0 (3 / -3)

Bengie25

Ars Praefectus
5,505
Subscriptor
235711131719232931 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142551#p28142551):
Bengie25 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142445#p28142445):

With rainbow tables, the individual crack isn't faster, but the group crack is.

I think you may be misunderstanding what rainbow tables do: https://en.wikipedia.org/wiki/Rainbow_table. If you have rainbow tables, cracking even a single account is much faster.

Umm, no. All a rainbow table allows you to do is re-use the same computed hash to check against multiple accounts at once, but salting breaks this. If you have pre-computed hash tables, then it's faster because you don't need to do the work of computing anything, you just do look-ups. This is specific to the exact implementation of hashing used.

The time of breaking a given account is no faster, but it is faster to break many accounts.
 
Upvote
8 (9 / -1)
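The point Bengie25 is making above is easy to see in code. As an added example (not from the thread), the following Python builds a precomputed lookup table for a tiny constructed wordlist, shows it resolving unsalted MD5 hashes with zero hash computations, then shows the same table finding nothing against salted hashes, where each account has to be re-hashed on its own. Users, passwords and salts are all constructed; the helper names are mine.

```python
# Added example: why a precomputed (rainbow/lookup) table speeds up a group
# crack of unsalted hashes but buys nothing per account once hashes are
# salted. Wordlist, users, passwords and salts are constructed for illustration.
import hashlib
import os

WORDLIST = ["password", "letmein", "qwerty", "dragon", "iloveyou"]

# Constructed accounts: three weak passwords from the list (two users sharing
# one) and one password that is not in the list.
USERS = {"alice": "password", "bob": "dragon", "carol": "Tr0ub4dor&3", "dave": "password"}


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def precompute_table(wordlist) -> dict:
    """One-time work; reusable against any unsalted MD5 dump."""
    return {md5hex(w.encode()): w for w in wordlist}


def store_unsalted(users) -> dict:
    """user -> md5(password). Equal passwords give equal hashes."""
    return {u: md5hex(p.encode()) for u, p in users.items()}


def store_salted(users, salt_len: int = 8) -> dict:
    """user -> (salt, md5(salt || password)) with a fresh random salt each."""
    stored = {}
    for u, p in users.items():
        salt = os.urandom(salt_len).hex()
        stored[u] = (salt, md5hex((salt + p).encode()))
    return stored


def lookup_unsalted(table, stored) -> dict:
    """Every stored hash is a dictionary lookup: no hashing at all."""
    return {u: table[h] for u, h in stored.items() if h in table}


def lookup_salted(table, stored) -> dict:
    """Same table against salted hashes: md5(salt || pw) is never in it."""
    return {u: table[h] for u, (_, h) in stored.items() if h in table}


def guess_salted(wordlist, stored):
    """Per-account recomputation. Returns (found, md5 operations spent).
    Worst case is len(wordlist) * len(stored): the table's work, repeated
    once per account, which is the N-fold cost the thread describes."""
    found, ops = {}, 0
    for u, (salt, h) in stored.items():
        for w in wordlist:
            ops += 1
            if md5hex((salt + w).encode()) == h:
                found[u] = w
                break
    return found, ops


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    print("unsalted, table lookup:", lookup_unsalted(table, store_unsalted(USERS)))
    salted = store_salted(USERS)
    print("salted, table lookup:  ", lookup_salted(table, salted))
    print("salted, per-account:   ", guess_salted(WORDLIST, salted))
```

Note the second effect of salting visible in `store_unsalted` versus `store_salted`: alice and dave share a password, so their unsalted hashes are identical and one lookup exposes both, while their salted hashes differ and each costs its own pass.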

CppThis

Ars Scholae Palatinae
1,324
logic_88 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142837#p28142837):
dillweed81 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142777#p28142777):
A 12-character password will still end up being pretty strong, unless it's just a dictionary word or multiple dictionary words or some easy permutation of either of those. You'll likely find that even on a tech site like Ars, though, a great deal many people will have passwords that are 8 or fewer characters long.

Does it matter if I use a strong password or not for Ars?

Aside from an email address, I don't have any personal information stored here.
My take on this is that it depends on what else you use your username/email for, and whether that stuff is something that being compromised would hurt. Basically, imagine worst case, they find a way into your email account and use social engineering to get the rest...how badly are you impacted? For some it's going to be very bad--they have a single email/Facebook/etc that's all interconnected--and for others who aggressively manage multiple online personas the risk is much lower.
 
Upvote
1 (2 / -1)

epixoip

Wise, Aged Ars Veteran
192
dillweed81 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142643#p28142643):
epixoip is a professional password cracker, not a professional penetration tester. He cares about cracking massive data sets, which does not always align with black hat goals. I work in infosec and have participated in some red team exercises.

Slow down, cowboy. Not only am I a professional penetration tester (I consult on the side for a large security consulting services company), but I too have an extensive background in Infosec, having run the security & compliance department at a publicly-traded company for a number of years.

But you are correct, salts do nothing to slow down an attacker targeting a single account. And yes, bcrypt would have been better than PHPass. As I said, it's not the best choice, but I still stand by my statement that it is an appropriate choice. As you work in Infosec, I'm sure you're familiar with the concept of Threat Modeling.


dillweed81 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142643#p28142643):
With 2,048 iterations, it is roughly 4,000x slower than a single round of MD5. This is much better than MD5 but is still much faster than what industry standards recommend. The rounds would have to be set to 130-200k to get closer to industry standards. Obviously it could be configured to use that many rounds, but Ars did not configure it that way (possibly due to performance concerns).

Actually it can't, PHPass only supports up to 2^16 rounds. It should further be noted that OWASP is not the authority on password hashing, and certainly not the standard. Currently, there is no standard, and that's a large part of why the Password Hashing Competition exists.
 
Upvote
20 (22 / -2)

Bengie25

Ars Praefectus
5,505
Subscriptor
another ars account wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142481#p28142481):
Bengie25 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142445#p28142445):
I know how salting works. If I was an attacker, and I was going for a specific account, salting would add relatively little overhead to breaking that one account.
Not to disagree with you on this technically, but given that the attacker defaced the site I doubt their intention was a targeted attack against a given account.

On the other hand, if they dump all the account details, other motivated individuals may take that approach.

I wasn't primarily trying to focus on focused attacks, but I said how fast "hashing" is with or without salt is not the same as the number of operations required to break N accounts. Hashing is the operation. Salting does increase the number of hashing operations by N, but it makes little difference to the rate of hashing.
 
Upvote
-1 (1 / -2)

ImpossiblyStupid

Wise, Aged Ars Veteran
189
locolocol wrote (http://meincmagazine.com/civis/viewtopic.php?p=28141007#p28141007):
Yea, someone else already said it but the bigger concern is the leakage of email address. Look out for phishing attacks now! That and of course folks who reuse passwords cross multiple sites...still.

Honestly, in this day and age, reusing email addresses across multiple sites is just as misguided as reusing passwords. Just like every other site I use, Ars got both a unique email address and a unique password (BoWFNLtm7iXm16TtU, since people seem to be sharing :). I did change my email, too, but the old one is going to still remain valid (and relatively secret) because I want to be able to track it and see if it does end up in the hands of spammers/scammers.
 
Upvote
-6 (2 / -8)
Post content hidden for low score.

epixoip

Wise, Aged Ars Veteran
192
Upvote
7 (8 / -1)

dimhue

Ars Scholae Palatinae
1,155
Subscriptor++
Thoughtful wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142999#p28142999):
Sorry. In this case, seven pages is too many for me to go through right now. Any plans to start salting and hashing e-mail addresses? I get enough spam as it is :(
Ars uses your email to communicate with you. If they hash/salt it, they wouldn't be able to send you emails. Or is there something I'm missing?
 
Upvote
7 (9 / -2)

rdx

Wise, Aged Ars Veteran
160
dillweed81 wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142953#p28142953):
rdx wrote (http://meincmagazine.com/civis/viewtopic.php?p=28142945#p28142945):
[url=http://meincmagazine.com/civis/viewtopic.php?p=28142853#p28142853:2h7pyv7v said:
dillweed81[/url]":2h7pyv7v]
[url=http://meincmagazine.com/civis/viewtopic.php?p=28142839#p28142839:2h7pyv7v said:
rdx[/url]":2h7pyv7v]
[url=http://meincmagazine.com/civis/viewtopic.php?p=28142643#p28142643:2h7pyv7v said:
dillweed81[/url]":2h7pyv7v](Please read my post before blindly downvoting me for taking issue with epixoip's remarks. epixoip is a professional password cracker, not a professional penetration tester. He cares about cracking massive data sets, which does not always align with black hat goals.)

In my opinion he is being misleading, even though he's correct.

I work in infosec and have participated in some red team exercises. My personal fear in these scenarios is not the entire database being cracked, it's a targeted attacker who singles me out and dedicates boxes to doing nothing but trying to crack just my account's password hash. This is an extremely common tactic used by black hats and by white hat pentesters.

Scrypt or bcrypt would mitigate this much more than iterated MD5, unless the iterations are closer to what the industry recommends. OWASP's recommendations for PBKDF2 are 128,000 iterations in 2014, and that's also recommending SHA1 or SHA-256, not MD5. If you compare SHA1's speed with MD5, I would guess that 150k or 200k would be the recommendation for MD5 (it is easy to calculate the exact number if someone wants to). 150,000 is a lot higher than 2,048.

Sure, the vast majority of users here probably will never be targeted in such a way, but undoubtedly at least a few will be. PHPass is certainly much better than just salted single-round MD5, but it's not good either.

The only numbers epixoip gave were how hard it would be to crack the entire data set containing every Ars account. Ars has a ton of users and each hash is salted, so obviously this would take a long time, and would take a far longer time than it would take if the algorithm was merely a single md5($salt . $password). But it is still not very secure for the reasons I listed above. Most people are (probably) going to be safe sheerly because they're a needle in a large haystack, not because the hash is strong.

[url=http://meincmagazine.com/civis/viewtopic.php?p=28142583#p28142583:2h7pyv7v said:
Marshalrusty[/url]":2h7pyv7v]epixoip did an absolutely excellent job explaining how PHPass works and why it is nothing like a plain md5 hash.

It is a bit shocking how many commenters went from "I have seen md5 mentioned in prior articles a few times" to "I am an expert on cryptography and clearly Ars, phpBB, etc. don't know what they're doing and don't take security seriously." As a matter of fact, we take matters of security extremely seriously. PHPass was chosen because it is a strong choice that works on a wide range of setups. It is certainly going to get the job done here. On our newest version, phpBB 3.1, there is support for bcrypt for an even stronger hash.

Yuriy Rusko
Project Manager, phpBB
Sorry, but just because the function has a fancy name does not mean it is magically good.

The source code is right here:

https://github.com/phpbb/phpbb/blob/pre ... s.php#L585

With 2,048 iterations, it is roughly 4,000x slower than a single round of MD5. This is much better than MD5 but is still much faster than what industry standards recommend. The rounds would have to be set to 130-200k to get closer to industry standards.

Obviously it could be configured to use that many rounds, but Ars did not configure it that way (possibly due to performance concerns).

Unless your threat model for Ars is someone exfiltrating the passwords DB and working on some extremely worthy target hash for month(s) unnoticed, this doesn't make much sense.

A 12-character lower-case random password would already take 50 years on a rig like this, and simply throwing in digits would raise that to 2,000 years. I'd think most passwords would expire by then. A state-level resourceful actor with a thousand of those rigs *could* extract all lowercase 12-character passwords in a possibly meaningful period, and would be defeated by switching to full ASCII random.

This only gives a little grace period for extremely weak passwords on the order of 8 [0-9a-z] random characters. Dictionary crackable passwords wouldn't profit from this at all, as moving from seconds/hours to minutes/day won't help in this case.

The database has already (likely) been exfiltrated. That's the entire point of this thread...

You're absolutely right that a *strong* 12 character password, such as a random all-lowercase password, would be very hard to crack. But that'd still take a (relatively speaking) long time to crack even on 1 round of MD5.

Password cracking is usually about cracking non-ideal passwords. Many users here probably do not have strong passwords. Most people use words and common number schemes in their passwords, and applications like HashCat are very good at cracking them (wordlist permutations, attempts at common patterns, and lots of other techniques). So a weak or "medium" 12 character password may certainly be in trouble.
You've already switched from a targeted hack to a shotgun one. If you're going after all accounts, that "effective 3 H/s per account" metric kicks in. It's still days to weeks to go through a RockYou-sized wordlist, even before switching to smarter methods. And even after a wordlist pass sweeps away 90% of QWERTYs and 12345s, you're still looking at 30 H/s.

Nope, still talking about targeted. Whether they are singled out or are part of the whole batch, an average user here probably has a password which is weaker than that.

I'm not trying to be contrarian. Yes, cracking 70% or more of the whole DB is still going to take a very long time even if most people have weak passwords. Targeting is still the primary risk.
Well, defining this risk is exactly where we disagree. Your assumed target is (a) worthy enough to hack random forums, while also (b) using 8 character level weak password and (c) reusing it on more important accounts. While increasing hash strength could be worth it just to account for hardware growth, I don't think phpBB developers consider this scenario as very likely for their forum's use cases.
 
Upvote
2 (4 / -2)
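To make the discussion above concrete, here is an added example (it is not code from the thread, from phpBB or from phpass): a Python port of the PHPass "portable" hash scheme that phpBB's $H$ hashes use, written from the published algorithm, plus a verifier, a count of the MD5 calls an attacker pays per candidate, and the per-salt throughput arithmetic behind epixoip's "effective speed" figure. The passwords and salts are constructed for the example; nothing here is taken from the Ars dump.

```python
"""Added example: PHPass portable hashes ($P$/$H$), reimplemented from the
published algorithm. Not the thread's, phpBB's or phpass's own code."""
import hashlib
import hmac
import os

# PHPass's crypt(3)-style alphabet; a character's index in it is its value.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes) -> str:
    """PHPass's little-endian 6-bit encoding (it is not standard base64)."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: bytes, setting: str) -> str:
    """Compute a portable hash. `setting` is the 12-char prefix: '$H$' (phpBB)
    or '$P$' (phpass), one count character, and an 8-character salt."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a PHPass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("bad salt")
    # One MD5 over salt||password, then 2**count_log2 chained rounds of
    # MD5(previous_digest || password). That chain is the entire work factor.
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest)


def phpass_gensetting(count_log2: int = 11, prefix: str = "$H$") -> str:
    """Fresh random 8-char salt. count_log2=11 is the 2,048 rounds discussed above."""
    return prefix + ITOA64[count_log2] + encode64(os.urandom(6))


def phpass_check(password: bytes, stored: str) -> bool:
    """Recompute with the stored prefix (count + salt) and compare in constant time."""
    recomputed = phpass_hash(password, stored[:12])
    return hmac.compare_digest(recomputed.encode(), stored.encode())


def md5_calls_per_hash(stored: str) -> int:
    """MD5 invocations an attacker pays per candidate password for this hash."""
    return 1 + (1 << ITOA64.index(stored[3]))


def effective_rate(per_hash_rate: float, unique_salts: int) -> float:
    """Candidates per second tried against *every* hash in a salted dump:
    each candidate has to be rehashed once per distinct salt."""
    return per_hash_rate / unique_salts


if __name__ == "__main__":
    setting = phpass_gensetting()                      # e.g. "$H$9" + 8 salt chars
    stored = phpass_hash(b"correct horse", setting)    # 34 characters total
    print(stored, phpass_check(b"correct horse", stored), phpass_check(b"wrong", stored))
    print(md5_calls_per_hash(stored), "MD5 calls per candidate")
    # epixoip's thread figures: ~3 MH/s per R9 290X on PHPass, 1,071,734 unique salts.
    print(f"{effective_rate(3_000_000, 1_071_734):.2f} candidates/s across the whole dump")
```

The work factor is only the chain length: with $H$9 every candidate costs 2,049 MD5 calls on a single 24-byte block, and raising the count character is the only knob the format gives the defender. The `effective_rate` helper is the arithmetic epixoip describes later in the thread: per-hash speed divided by the number of distinct salts, because one candidate cannot be reused across salts.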

rhtrar

Wise, Aged Ars Veteran
107
Wow, I have to say it's totally awesome to see an important article like this show up on Ars Technica and then immediately have several password experts weigh in on the issue. Granted, I don't know if you guys really are cryptography experts and I haven't looked at your CVs; I'll just take Ars' word on it. Good stuff, Ars Technica staff. Kudos for the super fast reporting to your clientele, unlike some big companies...

Edit: also... shouldn't this be at the very top of the page??? Thank god I scrolled down or I wouldn't have seen this.
 
Upvote
2 (4 / -2)

Dark Steve

Ars Scholae Palatinae
1,028
kakti said (http://meincmagazine.com/civis/viewtopic.php?p=28141277#p28141277):
StarKruzr said (http://meincmagazine.com/civis/viewtopic.php?p=28140961#p28140961):
I am sad there are no screenshots.
Ask and you shall receive

[image: 11tr91l.png]
Oh! I saw the defaced homepage myself but didn't notice the hidden "e" at the end of "Ars". I did notice the "Arse Technica" in the title though. Firefox presented me with a "Flash has been disabled" message so I didn't hear any music.

Thanks kakti!
 
Upvote
-1 (0 / -1)

blue32

Seniorius Lurkius
14
The following is on topic but in a round-about way.
I was just answering a question from my girlfriend regarding what I thought about her son (11) wanting to download a mod to a game on Steam that changes a single-player game to a multi-player one IF she agreed to let the son open a VPN connection to the mod programmer's private computer/server to do it. The mod is made by someone unrelated to the original game itself.
My answer started with "Well... (then as we talked, I opened my home page, which happens to be Ars, and saw this article, which I promptly sent her the link to)... if the mod programmer is a responsible company they will respond to any kind of breaches the way Ars did. If they aren't... well... the road to hell is paved with good intentions and it will only take one bad person to exploit that VPN and BAM, there go all the computers it's connected to." Yes, I will admit to being naive on VPN usage when it comes to games. That said, it is also not the point. Ars is illustrating what it means to be a good steward of their site.
I have used Ars for my own jumping point at times to learn more, to give examples to friends, and to read leisurely. Thank you for your transparency, and willingness to do what you're doing.
 
Upvote
-2 (1 / -3)

Deleted member 192806

Guest
blue32 said (http://meincmagazine.com/civis/viewtopic.php?p=28143393#p28143393):
The following is on topic but in a round-about way.
I was just answering a question from my girlfriend regarding what I thought about her son (11) wanting to download a mod to a game on Steam that changes a single-player game to a multi-player one IF she agreed to let the son open a VPN connection to the mod programmer's private computer/server to do it. The mod is made by someone unrelated to the original game itself.
My answer started with "Well... (then as we talked, I opened my home page, which happens to be Ars, and saw this article, which I promptly sent her the link to)... if the mod programmer is a responsible company they will respond to any kind of breaches the way Ars did. If they aren't... well... the road to hell is paved with good intentions and it will only take one bad person to exploit that VPN and BAM, there go all the computers it's connected to." Yes, I will admit to being naive on VPN usage when it comes to games. That said, it is also not the point. Ars is illustrating what it means to be a good steward of their site.
I have used Ars for my own jumping point at times to learn more, to give examples to friends, and to read leisurely. Thank you for your transparency, and willingness to do what you're doing.


Ars: the Mr Rogers of the internet. :)
 
Upvote
-2 (1 / -3)

Sc00bz

Seniorius Lurkius
32
epixoip said (http://meincmagazine.com/civis/viewtopic.php?p=28143049#p28143049):
dillweed81 said (http://meincmagazine.com/civis/viewtopic.php?p=28142643#p28142643):
OWASP's recommendations for PBKDF2 are 128,000 iterations in 2014

I am unable to find where OWASP recommends 128,000 iterations in neither their article on password hashing, nor their article specifically pertaining to PBKDF2.

So where did this number come from?
I wouldn't take OWASP as an authority on password hashes when they suggest PBKDF2-HMAC-SHA1 with an output of 192 bits...

That said, PBKDF2's minimum suggested iteration count in 2000 was 1,000 and should probably double every 2 years, so 2^((2014-2000)/2)*1,000 = 128,000. This is where that number comes from; I know I've said similar a few years ago.
 
Upvote
1 (3 / -2)
leedo said (http://meincmagazine.com/civis/viewtopic.php?p=28140669#p28140669):
pk! said (http://meincmagazine.com/civis/viewtopic.php?p=28140531#p28140531):
MD5, really? After having printed several articles on password cracking I'd have hoped you'd at least have leveraged a stronger hashing algorithm.
We agree that it isn't ideal. Our comments are powered by phpBB, which hashes with 2048 iterations of MD5 + random salt. You can view the source here: https://github.com/phpbb/phpbb/blob/pre ... s.php#L459

We'll take a look at what would be involved in switching to something stronger. And eventually we will likely be moving away from phpBB.

edit: it should be noted that phpBB is using MD5 here because they target older versions of PHP that may only have MD5 available.
MD5 can be used in an HMAC, which is more secure than a hash.
 
Upvote
-2 (0 / -2)

foxyshadis

Ars Praefectus
5,087
Subscriptor
pqr said (http://meincmagazine.com/civis/viewtopic.php?p=28142167#p28142167):
epixoip said (http://meincmagazine.com/civis/viewtopic.php?p=28142125#p28142125):
pqr said (http://meincmagazine.com/civis/viewtopic.php?p=28142053#p28142053):
Figured out how this detour could have been avoided. Units of that rate should be 3 hashes/sec/account :) Whereas I thought you were solving different problem (unknown salt-assignment) which means 3 hashes/sec/salt for given account.

No, I'm afraid you're still not getting it. I was most certainly not solving the problem of unknown salt assignment. Again, my calculations were with a known salt for each hash.

The overall effective speed of the entire attack would be 3 H/s. As in, if you were to load this list up in oclHashcat and start cracking it, oclHashcat would report the speed as 3 H/s. As in, you can only try three candidate passwords per second against all hashes.

Again, the reason for this is because each plaintext candidate has to be re-hashed with each unique salt. This is where your factor of N slowdown comes from. So if you have 1M salts, you have to hash one candidate 1M times in order to compare it to the hash list.

Funny that both Dan and you feel the need to keep restating the obvious in your last posts. Be it. I explained clearly what I thought you were originally doing. It should also be evident that I have been using past tense in the last couple posts, i.e., I know that you had something else in mind. I have no further thing to say as both definitions are clear*, they are different, and meaningful in different contexts. So be not afraid, I am very much getting it (perhaps you are not getting this last statement, or not wanting to, but that I leave to you to deal with).

*EDIT: heck, even conversion between the two is trivial ;)
The right way to say this and not get downvoted into oblivion is "My bad, I see what you're saying now." You're not saving your reputation with any of this, not when arguing with actual recognized experts.
 
Upvote
-3 (2 / -5)

foxyshadis

Ars Praefectus
5,087
Subscriptor
Sc00bz said (http://meincmagazine.com/civis/viewtopic.php?p=28143499#p28143499):
epixoip said (http://meincmagazine.com/civis/viewtopic.php?p=28143049#p28143049):
dillweed81 said (http://meincmagazine.com/civis/viewtopic.php?p=28142643#p28142643):
OWASP's recommendations for PBKDF2 are 128,000 iterations in 2014

I am unable to find where OWASP recommends 128,000 iterations in neither their article on password hashing, nor their article specifically pertaining to PBKDF2.

So where did this number come from?
I wouldn't take OWASP as an authority on password hashes when they suggest PBKDF2-HMAC-SHA1 with an output of 192 bits...

That said, PBKDF2's minimum suggested iteration count in 2000 was 1,000 and should probably double every 2 years, so 2^((2014-2000)/2)*1,000 = 128,000. This is where that number comes from; I know I've said similar a few years ago.
There comes a point when you have to admit you're a wee bit overly paranoid, unless you have the nuclear launch codes in your pocket. Besides, adding one character every 5 years is far better than doubling iterations every 2 years; make sure you always stay away from anything on a known-password list and you'll be fine. Meanwhile, known passwords will soon be breached no matter how many iterations you try to use.
 
Upvote
3 (4 / -1)
CppThis said (http://meincmagazine.com/civis/viewtopic.php?p=28142963#p28142963):
logic_88 said (http://meincmagazine.com/civis/viewtopic.php?p=28142837#p28142837):

Does it matter if I use a strong password or not for Ars?

Aside from an email address, I don't have any personal information stored here.
My take on this is that it depends on what else you use your username/email for, and whether that stuff is something that being compromised would hurt. Basically, imagine worst case, they find a way into your email account and use social engineering to get the rest...how badly are you impacted? For some it's going to be very bad--they have a single email/Facebook/etc that's all interconnected--and for others who aggressively manage multiple online personas the risk is much lower.

I guess for those folks that reuse passwords, it might be a big deal but since I use a unique password for Ars, I'm not even going to bother changing my password. If the hackers really want to post as me, they're welcomed to.
 
Upvote
1 (2 / -1)

Marcos2247

Ars Scholae Palatinae
1,159
logic_88 said (http://meincmagazine.com/civis/viewtopic.php?p=28142837#p28142837):
dillweed81 said (http://meincmagazine.com/civis/viewtopic.php?p=28142777#p28142777):
A 12-character password will still end up being pretty strong, unless it's just a dictionary word or multiple dictionary words or some easy permutation of either of those. You'll likely find that even on a tech site like Ars, though, a great deal many people will have passwords that are 8 or fewer characters long.

Does it matter if I use a strong password or not for Ars?

Aside from an email address, I don't have any personal information stored here.
I don't care either.

I use this username only on Ars. The password I reuse everywhere. The e-mail address was a trashmail account that was valid for 10 minutes.

Could not care less.
 
Upvote
-2 (3 / -5)
vampireaquid said (http://meincmagazine.com/civis/viewtopic.php?p=28140517#p28140517):
Thanks for the heads-up. Times like this make me happy I bought 1Password.

Agreed but with a different solution. (I didn't time it, but I changed my pw in like 15 seconds...)

I try to tell all my Apple-toting friends how great the iCloud Keychain is once you set it up and change all your passwords and (insofar as possible) login names (too bad these are often either an email address or the actual screen name) to long random strings.

Benefits of iCK as a password manager:
1. Eliminates risk due to cross-site reuse of authentication pairs;
2. If used across an Apple ecosystem it eliminates having to remember anything but your Apple ID pw and your iCK pin code;
3. Makes changing authentication data a snap;
4. Is encrypted and backed up to iCloud and iTunes (encryption for iTunes is opt-in);
5. Eliminates reused or weak passwords, need to maintain a password list.
6. Recommendations:
a. Enable Apple 2FA and save a copy of the recovery key in a safe place;
b. Set a strong AppleID pw and don't share it or use it on an unknown computer (here the risk is mitigated by iCK requiring permission from a trusted computer before exposing the keychain.)
 
Upvote
-3 (1 / -4)

epixoip

Wise, Aged Ars Veteran
192
Sc00bz said (http://meincmagazine.com/civis/viewtopic.php?p=28143499#p28143499):
epixoip said (http://meincmagazine.com/civis/viewtopic.php?p=28143049#p28143049):
dillweed81 said (http://meincmagazine.com/civis/viewtopic.php?p=28142643#p28142643):
OWASP's recommendations for PBKDF2 are 128,000 iterations in 2014

I am unable to find where OWASP recommends 128,000 iterations in neither their article on password hashing, nor their article specifically pertaining to PBKDF2.

So where did this number come from?
I wouldn't take OWASP as an authority on password hashes when they suggest PBKDF2-HMAC-SHA1 with an output of 192 bits...

That said PBKDF2's minimum suggested iteration count in 2000 was 1,000 and should probably double ever 2 years so 2^((2014-2000)/2)*1,000=128,000. This is where that number comes from I know I've said similar a few years ago.

Hi Steve!

Yeah, OWASP can be a decent resource for some things, but they're hardly an authority by any stretch of the imagination.

Anyway, 128k iterations is probably fine for key derivation, but I'm not sure I'd ever recommend anything near that for password hashing. But then again also I'd never recommend just blindly following someone's advice on iteration count. Should always be chosen based on benchmarks and metrics.
 
Upvote
2 (3 / -1)
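Since the last few posts argue over where the 128,000 figure comes from and epixoip's point is that a work factor should come from measurement rather than a published number, here is an added example (not code from the thread or from any project mentioned in it) of choosing an iteration count by benchmark and of carrying the chosen count in the stored hash so it can be raised on the next login. It uses the standard library's PBKDF2 rather than PHPass; the time budget, the floor and the storage format are assumptions for illustration, and the benchmark function is injectable so the selection logic can be checked deterministically.

```python
"""Added example: pick a PBKDF2 iteration count from a time budget on this
machine, store the count with the hash, and upgrade old hashes at login.
Not the thread's or any mentioned project's code; format and budget assumed."""
import hashlib
import hmac
import os
import time
from typing import Callable, Tuple


def bench_pbkdf2(iterations: int, hash_name: str = "sha256") -> float:
    """Seconds for one derivation at this count on this box (constructed inputs)."""
    password, salt = b"benchmark-only", os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)
    return time.perf_counter() - start


def choose_iterations(target_seconds: float,
                      bench: Callable[[int], float],
                      floor: int = 1000,
                      ceiling: int = 1 << 30,
                      repeats: int = 3) -> int:
    """Double the count from `floor` until the median of `repeats` timings
    reaches `target_seconds`. Never returns below `floor`, so a slow or noisy
    machine cannot talk you into a weaker setting than the baseline, and never
    above `ceiling`, so a broken timer cannot loop forever."""
    count = floor
    while True:
        samples = sorted(bench(count) for _ in range(repeats))
        if samples[repeats // 2] >= target_seconds or count >= ceiling:
            return count
        count = min(count * 2, ceiling)


def hash_password(password: bytes, iterations: int, hash_name: str = "sha256") -> str:
    """Self-describing record: scheme$iterations$salt$dk (assumed format)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)
    return f"pbkdf2_{hash_name}${iterations}${salt.hex()}${dk.hex()}"


def verify(password: bytes, stored: str) -> Tuple[bool, int]:
    """Return (matches, iterations_used); the count comes from the record itself."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    hash_name = scheme.split("_", 1)[1]
    iterations = int(iters)
    dk = hashlib.pbkdf2_hmac(hash_name, password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex), iterations


def verify_and_upgrade(password: bytes, stored: str,
                       current_iterations: int) -> Tuple[bool, str]:
    """On a successful login the plaintext is available, so a record hashed at
    an older, lower count is rehashed at today's count and returned to store."""
    ok, iterations = verify(password, stored)
    if ok and iterations < current_iterations:
        return True, hash_password(password, current_iterations)
    return ok, stored


if __name__ == "__main__":
    # Assumed budget: 50 ms per login on this machine.
    chosen = choose_iterations(0.05, bench_pbkdf2)
    print("iterations for a 50 ms budget here:", chosen)
    old = hash_password(b"correct horse", 2000)        # legacy, low count
    ok, new = verify_and_upgrade(b"correct horse", old, chosen)
    print(ok, old.split("$")[1], "->", new.split("$")[1])
```

The number that falls out depends on the machine and the budget, which is the point: it is the same doubling logic behind the 128,000 estimate, but driven by a measurement instead of a calendar. Storing the count next to the hash is what makes a later increase possible without a forced password reset.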