Ars was briefly hacked yesterday; here’s what we know

Status
Not open for further replies.

Sc00bz

Seniorius Lurkius
32
foxyshadis said (http://meincmagazine.com/civis/viewtopic.php?p=28143555#p28143555):
Sc00bz said (http://meincmagazine.com/civis/viewtopic.php?p=28143499#p28143499):
That said, PBKDF2's minimum suggested iteration count in 2000 was 1,000 and should probably double every 2 years, so 2^((2014-2000)/2)*1,000=128,000. This is where that number comes from; I know I've said something similar a few years ago.
There comes a point when you have to admit you're a wee bit overly paranoid, unless you have the nuclear launch codes in your pocket. Besides, adding one character every 5 years is far better than doubling iterations every 2 years; make sure you always stay away from anything on a known-password list and you'll be fine. Meanwhile, known passwords will soon be breached no matter how many iterations you try to use.
But Moore's law, I'm pretty sure a PBKDF2 cracker running on a 290X is more than 128 times faster than on a Pentium III (or an original Pentium 4 (RFC for PBKDF2 was September 2000 and Pentium 4 was released November 2000)).

epixoip said (http://meincmagazine.com/civis/viewtopic.php?p=28143625#p28143625):
Hi Steve!

Yeah, OWASP can be a decent resource for some things, but they're hardly an authority by any stretch of the imagination.

Anyway, 128k iterations is probably fine for key derivation, but I'm not sure I'd ever recommend anything near that for password hashing. But then again also I'd never recommend just blindly following someone's advice on iteration count. Should always be chosen based on benchmarks and metrics.
Yes, I would not really recommend PBKDF2 with 128k iterations because it's slow as shit, since it can't take advantage of SSE2, AVX2, or AVX512 (soon). The problem with PBKDF2 is that Moore's law went parallel and PBKDF2 is sequential, thus hurting the defender over time.

Also PBKDF2 with 1,000 iterations back in 2000 was for optimized compiled code not PHP. So really as a defender you need to lower your iteration count because your code runs slower. This sucks but otherwise it will take too long.
 
Upvote
6 (7 / -1)

epixoip

Wise, Aged Ars Veteran
192
Sc00bz said (http://meincmagazine.com/civis/viewtopic.php?p=28143671#p28143671):
epixoip said (http://meincmagazine.com/civis/viewtopic.php?p=28143625#p28143625):
Anyway, 128k iterations is probably fine for key derivation, but I'm not sure I'd ever recommend anything near that for password hashing. But then again also I'd never recommend just blindly following someone's advice on iteration count. Should always be chosen based on benchmarks and metrics.
Yes, I would not really recommend PBKDF2 with 128k iterations because it's slow as shit, since it can't take advantage of SSE2, AVX2, or AVX512 (soon). The problem with PBKDF2 is that Moore's law went parallel and PBKDF2 is sequential, thus hurting the defender over time.

Also PBKDF2 with 1,000 iterations back in 2000 was for optimized compiled code not PHP. So really as a defender you need to lower your iteration count because your code runs slower. This sucks but otherwise it will take too long.

Excellent points indeed!
 
Upvote
2 (3 / -1)

drukov

Seniorius Lurkius
28
dillweed81 said (http://meincmagazine.com/civis/viewtopic.php?p=28142685#p28142685):
drukov said (http://meincmagazine.com/civis/viewtopic.php?p=28142673#p28142673):
epixoip said (http://meincmagazine.com/civis/viewtopic.php?p=28141599#p28141599):

If you want to put this into "OL Hashcat" terms, a single R9 290X can pull ~ 12.2 GH/s on raw MD5, but only 3 MH/s against PHPass. Divide that by 1,071,734 unique salts, and that means our effective speed is only 2.86 H/s. That's beyond properly slow. Multiply that by 100 GPUs and that's still only 286 H/s. We can't do very much with that, and that's why this list is only 16.19% cracked.
That's completely wrong. Salts do not slow down brute-force cracking beyond obscuring users who use the same password.

The effective speed is still 3 MH/s.

Regardless, my password has at least 64 bits of entropy according to KeePass. And typing this into google reveals: (2^64 / 3 million) seconds = 194852 years.

Overall, you are correct, just that comment about salting is bizarre.
Read my post above. His comment about salting is weird until you understand he's talking about the effort required to crack the entire dataset. Obviously it does nothing when you look at it on a user-by-user basis.
that would be assuming that out of a thousand accounts, every other one shares a password
 
Upvote
-2 (0 / -2)

Deleted member 276317

Guest
darkshade said (http://meincmagazine.com/civis/viewtopic.php?p=28143073#p28143073):
Thoughtful said (http://meincmagazine.com/civis/viewtopic.php?p=28142999#p28142999):
Sorry. In this case, seven pages is too many for me to go through right now. Any plans to start salting and hashing e-mail addresses? I get enough spam as it is :(
Ars uses your email to communicate with you. If they hash/salt it, they wouldn't be able to send you emails. Or is there something I'm missing?

Dunno. Is it technologically impossible to be able to decrypt as needed rather than storing in plain text?
 
Upvote
-3 (1 / -4)
Thoughtful said (http://meincmagazine.com/civis/viewtopic.php?p=28143809#p28143809):
darkshade said (http://meincmagazine.com/civis/viewtopic.php?p=28143073#p28143073):
Thoughtful said (http://meincmagazine.com/civis/viewtopic.php?p=28142999#p28142999):
Sorry. In this case, seven pages is too many for me to go through right now. Any plans to start salting and hashing e-mail addresses? I get enough spam as it is :(
Ars uses your email to communicate with you. If they hash/salt it, they wouldn't be able to send you emails. Or is there something I'm missing?

Dunno. Is it technologically impossible to be able to decrypt as needed rather than storing in plain text?

Yes, because that would defeat the entire purpose of hashing in the first place.
 
Upvote
4 (5 / -1)

Deleted member 276317

Guest
Tolstoy said (http://meincmagazine.com/civis/viewtopic.php?p=28143829#p28143829):
Thoughtful said (http://meincmagazine.com/civis/viewtopic.php?p=28143809#p28143809):
darkshade said (http://meincmagazine.com/civis/viewtopic.php?p=28143073#p28143073):
Thoughtful said (http://meincmagazine.com/civis/viewtopic.php?p=28142999#p28142999):
Sorry. In this case, seven pages is too many for me to go through right now. Any plans to start salting and hashing e-mail addresses? I get enough spam as it is :(
Ars uses your email to communicate with you. If they hash/salt it, they wouldn't be able to send you emails. Or is there something I'm missing?

Dunno. Is it technologically impossible to be able to decrypt as needed rather than storing in plain text?

Yes, because that would defeat the entire purpose of hashing in the first place.

Maybe I have the terminology wrong but if the decryption key is stored separately from the encrypted data, and it's only useful for decryption of e-mail addresses...

edit: It's occurred to me that many users may have chosen to receive e-mail notification regarding post replies, etc. in which case it might be impractical to constantly decrypt those addresses. Maybe there could be an option to encrypt on a per-user basis with an agreement that therefore you'll be unable to receive those sorts of notifications and no more than one password reset per month...Or something. Please find a way to protect my data!
 
Upvote
1 (2 / -1)

Melzeebub92

Wise, Aged Ars Veteran
103
Abhi Beckert said (http://meincmagazine.com/civis/viewtopic.php?p=28140525#p28140525):
hashed using 2,048 iterations of the MD5 algorithm and salted with a random series of characters
I hope you're going to change that soon? 2,048 iterations is not enough to prevent a brute force attack on MD5.

Please switch to something "memory-hard" like scrypt.
Nothing is enough to stop brute force. The time to crack gets exponentially longer per character but given time everything will fall to brute force. You can downvote if you like but that is fact.
 
Upvote
-2 (4 / -6)

Stubabe

Ars Scholae Palatinae
681
doubledeej said (http://meincmagazine.com/civis/viewtopic.php?p=28143519#p28143519):
leedo said (http://meincmagazine.com/civis/viewtopic.php?p=28140669#p28140669):
pk! said (http://meincmagazine.com/civis/viewtopic.php?p=28140531#p28140531):
MD5, really? After having printed several articles on password cracking I'd have hoped you'd at least have leveraged a stronger hashing algorithm.
We agree that it isn't ideal. Our comments are powered by phpBB, which hashes with 2048 iterations of MD5 + random salt. You can view the source here: https://github.com/phpbb/phpbb/blob/pre ... s.php#L459

We'll take a look at what would be involved in switching to something stronger. And eventually we will likely be moving away from phpBB.

edit: it should be noted that phpBB is using MD5 here because they target older versions of PHP that may only have MD5 available.
MD5 can be used in an HMAC, which is more secure than a hash.

All of which is irrelevant for password hashing and key derivation. MD5 is not invertible; there are only known (chosen prefix) collision attacks on it, which are of no relevance here. From the point of view of password hashing, HMAC-MD5 is simply 2x slower because it internally calls MD5 twice.
 
Upvote
2 (3 / -1)

Abhi Beckert

Ars Tribunus Angusticlavius
8,981
Melzeebub92 said (http://meincmagazine.com/civis/viewtopic.php?p=28143861#p28143861):
Abhi Beckert said (http://meincmagazine.com/civis/viewtopic.php?p=28140525#p28140525):
hashed using 2,048 iterations of the MD5 algorithm and salted with a random series of characters
I hope you're going to change that soon? 2,048 iterations is not enough to prevent a brute force attack on MD5.

Please switch to something "memory-hard" like scrypt.
Nothing is enough to stop brute force. The time to crack gets exponentially longer per character but given time everything will fall to brute force.
Not true. One Time Pads for example are impossible to brute force.
 
Upvote
0 (4 / -4)

Melzeebub92

Wise, Aged Ars Veteran
103
Abhi Beckert said (http://meincmagazine.com/civis/viewtopic.php?p=28144029#p28144029):
Melzeebub92 said (http://meincmagazine.com/civis/viewtopic.php?p=28143861#p28143861):
Abhi Beckert said (http://meincmagazine.com/civis/viewtopic.php?p=28140525#p28140525):
hashed using 2,048 iterations of the MD5 algorithm and salted with a random series of characters
I hope you're going to change that soon? 2,048 iterations is not enough to prevent a brute force attack on MD5.

Please switch to something "memory-hard" like scrypt.
Nothing is enough to stop brute force. The time to crack gets exponentially longer per character but given time everything will fall to brute force.
Not true. One Time Pads for example are impossible to brute force.

Are you suggesting Ars use One Time Pads for authentication?
 
Upvote
-4 (0 / -4)

Bertie Wooster

Ars Scholae Palatinae
866
Subscriptor++
Marcos2247 said (http://meincmagazine.com/civis/viewtopic.php?p=28143587#p28143587):
logic_88 said (http://meincmagazine.com/civis/viewtopic.php?p=28142837#p28142837):
dillweed81 said (http://meincmagazine.com/civis/viewtopic.php?p=28142777#p28142777):
A 12-character password will still end up being pretty strong, unless it's just a dictionary word or multiple dictionary words or some easy permutation of either of those. You'll likely find that even on a tech site like Ars, though, a great deal many people will have passwords that are 8 or fewer characters long.

Does it matter if I use a strong password or not for Ars?

Aside from an email address, I don't have any personal information stored here.
I don't care either.

I use this username only on Ars. The password I reuse everywhere. The e-mail address was a trashmail account that was valid for 10 minutes.

Could not care less.
I am not an expert, but what you do does not seem a very good idea. Using the same password but unique IDs for each site seems weird: if a hacker somehow got your password from a site, then they would simply add that password to their dictionary (or whatever they call it) and use that for the databases of other sites (as your ID there is either stored in plain text, or available as a screen name or something). Am I missing something?
 
Upvote
7 (7 / 0)

Violynne

Ars Scholae Palatinae
881
No need to change my password. It's unique to this site and there's absolutely no personal information stored on the account.

However, if I seemingly start to troll this site by making comments which seem out of the ordinary, I give Ars full permission to ban/delete the account.

It's not as though I post much anyway.
 
Upvote
1 (2 / -1)

Jim Z

Ars Legatus Legionis
46,752
Subscriptor
Marshalrusty said (http://meincmagazine.com/civis/viewtopic.php?p=28142583#p28142583):
epixoip did an absolutely excellent job explaining how PHPass works and why it is nothing like a plain md5 hash.

It is a bit shocking how many commenters went from "I have seen md5 mentioned in prior articles a few times" to "I am an expert on cryptography and clearly Ars, phpBB, et al. don't know what they're doing and don't take security seriously." As a matter of fact, we take matters of security extremely seriously. PHPass was chosen because it is a very strong option that works on a wide range of setups. It is certainly getting the job done here with flying colors. If that weren't the case, neither phpBB nor Ars would be using it.

On our newest version, phpBB 3.1, there is support for bcrypt for an even stronger hash. We are more than happy to assist in any way we can to get Ars upgraded in due course.

Yuriy Rusko
Project Manager, phpBB

Hi, welcome to the internet :)

"I heard of something, therefore I know all I need to know about it" is par for the course.
 
Upvote
8 (9 / -1)
cheriff said (http://meincmagazine.com/civis/viewtopic.php?p=28141861#p28141861):
When the article states that payment info was not compromised, does that mean for sure nothing at all?

On the account settings page I see my credit card type and last 4 digits being displayed to me. Not that this is any great secret in and of itself, but I'd still appreciate knowing whether this redacted payment info is in the same database as the possibly compromised one.

At the very least I know which statement to keep a closer eye on, just in case.

Unless I am mistaken, PCI regulations forbid vendors from storing this information in the first place. The only time you should be entering your CC info is when you pay for something online. After the fact, the vendor should not be keeping that information.
 
Upvote
-4 (0 / -4)
Any chance of an "anatomy of a hack"-type article when all the running around is over?

It does seem like the situation now is: if you are using a pw manager not only is the pw nigh-on uncrackable, all it gets an attacker is access to a forum account. In all honesty I'm struggling to see how that is even remotely financially worthwhile. A human password is more valuable not only because it costs less actual money to crack, it's more likely to be linked to more valuable accounts.

So there's really no point trying to make a complex human-memorised pw on a non-crucial site - all it does is potentially force you into sharing pw's with accounts where more than karma is at stake.
 
Upvote
5 (5 / 0)
Damn it, I had to change my unique-for-ars beloved password UY766UYHKI88/UI2312%& ... now I will have to choose a new random password I will never be able to remember.

Damned hackers.

OTOH, I have not read all comments of course, so excuse me if there has been an update on this somewhere; is there any news on how the cracker got access?
 
Upvote
0 (1 / -1)
epixoip said (http://meincmagazine.com/civis/viewtopic.php?p=28141599#p28141599):
Hi everyone. This is noted password cracking expert and D-list Internet celebrity Jeremi Gosney. You might remember me from here, here, here, here, here, here, or even here or here.

I would like to take a minute to address some of the comments being made about the password hashing algorithm that is used by the forum software Ars is using. Let's have a look at some of those comments.


pk! said (http://meincmagazine.com/civis/viewtopic.php?p=28140531#p28140531):
MD5, really? After having printed several articles on password cracking I'd have hoped you'd at least have leveraged a stronger hashing algorithm.
Abhi Beckert said (http://meincmagazine.com/civis/viewtopic.php?p=28140525#p28140525):
2,048 iterations is not enough to prevent a brute force attack on MD5.
d0x said (http://meincmagazine.com/civis/viewtopic.php?p=28140725#p28140725):
Seriously? Ars themselves have posted many articles about this very method of encrypted password storage to be easily breakable either via brute force or with rainbow tables.
Threz_ said (http://meincmagazine.com/civis/viewtopic.php?p=28140735#p28140735):
On the one hand, Ars calls the use of MD5 hashes for storing passwords "unfortunate and irresponsible", and on the other (above) uses it as a way to argue that the passwords were well-"encrypted." Which is it?
FF22 said (http://meincmagazine.com/civis/viewtopic.php?p=28140883#p28140883):
No wonder your server was hacked if you really thought running MD5 multiple thousand times over the password would harden the hashes by any means. If anything, it weakened them.
No wonder your server was hacked if you really thought running MD5 multiple thousand times over the password would harden the hashes by any means. If anything, it weakened them.

Wow. Powerful stuff there. Too bad these armchair experts are all dead wrong.

First, when we talk about MD5 being a poor and irresponsible choice for password hashing, we're talking about raw MD5. As in a single, unsalted iteration of MD5. As in md5($pass). And as the keen Ars reader will note, the reason this is a bad choice has nothing to do with any cryptographic weakness in the MD5 algorithm itself. It's simply because MD5 is very fast and very amenable to acceleration.

One of the ways we make an algorithm resistant to acceleration is to salt it and iterate it. And no, iterating a hash does not weaken it, that's utter horseshit. Iterating a hash is what almost all password hashing algorithms do, including all crypt(3) algorithms, PBKDF2, and even bcrypt.

Ars uses phpBB, which uses the Openwall PHPass password hashing algorithm, designed by none other than the venerable Solar Designer himself. PHPass uses salted and iterated MD5 to hash passwords. It is similar to md5crypt with some key differences, and even similar to PBKDF2 to some extent. And while it may not be the best choice for password hashing, it is a solid one.

To see just how solid PHPass is, let's look back at another famous breach which used PHPass: Forbes. Back in February, Forbes had 1,071,961 password hashes dumped by SEA. Out of those 1,071,961 password hashes, 1,071,734 were hashed using PHPass.

Now as the keen Ars reader will recall, normally us professional password crackers can get a public dump 85-95% cracked within a rather short period of time. And indeed, the 227 passwords that weren't hashed with PHPass were 100% cracked in just a few short minutes. But after 10 months, we currently only have the Forbes PHPass hashes 16.19% cracked. Yes, you read that correctly. We've only managed to crack 173,548 -- or 16.19% -- of the Forbes passwords, and most of those were Top 20K passwords.

If you want to put this into "OL Hashcat" terms, a single R9 290X can pull ~ 12.2 GH/s on raw MD5, but only 3 MH/s against PHPass. Divide that by 1,071,734 unique salts, and that means our effective speed is only 2.86 H/s. That's beyond properly slow. Multiply that by 100 GPUs and that's still only 286 H/s. We can't do very much with that, and that's why this list is only 16.19% cracked.

So obviously PHPass is pretty good at what it does, and Ars has done absolutely nothing wrong by using this algorithm. It is perfectly suitable for what this site is. I've said before that password hashing is like an insurance policy, and Ars has bought you ample time to change your passwords.

And that's the way it is.

Ha, when I read this, I immediately thought of:
Hi! I'm Troy McClure, you may remember me from such films as...
 
Upvote
10 (10 / 0)
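An added worked example, not code from the thread or from phpBB/PHPass, putting numbers to three points made above: epixoip's effective-rate arithmetic for the Forbes dump, drukov's objection that a salt does nothing on a per-user basis, and Sc00bz's PBKDF2 iteration-doubling rule. The constants are the figures quoted in the thread; the hash routine follows PHPass's inner loop as I know it (one MD5 of salt+password, then 2^11 MD5s of digest+password) and deliberately does not reproduce the real "$P$" output encoding.

```python
import hashlib

# Constructed constants, taken from the figures quoted in the thread.
GPU_PHPASS_RATE = 3_000_000         # ~3 MH/s per R9 290X against PHPass (epixoip)
GPU_RAW_MD5_RATE = 12_200_000_000   # ~12.2 GH/s per R9 290X on raw MD5 (epixoip)
FORBES_UNIQUE_SALTS = 1_071_734     # PHPass hashes in the Forbes dump, one salt each


def phpass_like(password: bytes, salt: bytes, count_log2: int = 11) -> bytes:
    """Salted, iterated MD5 shaped like PHPass: md5(salt + password), then
    2**count_log2 rounds of md5(previous_digest + password).  phpBB uses
    count_log2 = 11, i.e. the 2,048 iterations the article mentions.
    Assumption: mirrors PHPass's inner loop; the '$P$' encoding is omitted."""
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return digest


def md5_calls_per_guess(count_log2: int = 11) -> int:
    """MD5 compressions an attacker pays for each candidate password."""
    return (1 << count_log2) + 1


def per_user_guess_rate(hash_rate: float) -> float:
    """Candidates per second against ONE chosen user's hash.
    drukov's point: the salt does not change this figure at all."""
    return hash_rate


def dataset_guess_rate(hash_rate: float, unique_salts: int) -> float:
    """Candidates per second tested against EVERY hash in a dump with
    per-user salts: each candidate must be re-hashed once per salt.
    epixoip's point: this is why a large salted dump cracks so slowly."""
    return hash_rate / unique_salts


def unsalted_dataset_guess_rate(hash_rate: float) -> float:
    """Without salts one md5($pass) is compared against every stored hash,
    so the dataset-wide rate is simply the raw hash rate."""
    return hash_rate


def years_to_exhaust(entropy_bits: int, guess_rate: float) -> float:
    """Worst-case time to enumerate a 2**entropy_bits keyspace, in Gregorian
    years (365.2425 days), matching drukov's 2^64 / 3 million calculation."""
    return (2 ** entropy_bits) / guess_rate / (365.2425 * 86400)


def pbkdf2_iterations_for_year(year: int, base_year: int = 2000,
                               base_iterations: int = 1000,
                               doubling_period_years: int = 2) -> int:
    """Sc00bz's rule of thumb: PBKDF2's suggested 1,000 iterations in 2000,
    doubled every two years."""
    exponent = (year - base_year) / doubling_period_years
    return int(base_iterations * 2 ** exponent)


if __name__ == "__main__":
    salt = b"Ars4Salt"  # constructed 8-byte salt
    print("PHPass-like digest:", phpass_like(b"correct horse", salt).hex())
    print("MD5 calls per guess:", md5_calls_per_guess())
    print("per-user rate (H/s):", per_user_guess_rate(GPU_PHPASS_RATE))
    print("dataset rate, 1 GPU (H/s):",
          round(dataset_guess_rate(GPU_PHPASS_RATE, FORBES_UNIQUE_SALTS), 2))
    print("dataset rate, 100 GPUs (H/s):",
          round(100 * dataset_guess_rate(GPU_PHPASS_RATE, FORBES_UNIQUE_SALTS), 1))
    print("years to exhaust 64 bits at 3 MH/s:",
          round(years_to_exhaust(64, GPU_PHPASS_RATE)))
    print("PBKDF2 iterations for 2014:", pbkdf2_iterations_for_year(2014))
```

With a flat 3 MH/s the dataset-wide figure comes to about 2.8 H/s (280 H/s for 100 GPUs); epixoip's 2.86 H/s corresponds to a slightly higher unrounded benchmark, and the conclusion is the same.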

Ilikebundy99

Smack-Fu Master, in training
56
Won't let me change my password; it just comes up and says "You did not enter a confirm e-mail address" even though I am not trying to change email addresses. I even tried changing to an alt account but it still comes up with the same error.

Edit:

Never mind, I found the link posted earlier in the thread and it worked.
 
Upvote
2 (2 / 0)
gmerrick said (http://meincmagazine.com/civis/viewtopic.php?p=28144129#p28144129):
cheriff said (http://meincmagazine.com/civis/viewtopic.php?p=28141861#p28141861):
When the article states that payment info was not compromised, does that mean for sure nothing at all?

On the account settings page I see my credit card type and last 4 digits being displayed to me. Not that this is any great secret in and of itself, but I'd still appreciate knowing whether this redacted payment info is in the same database as the possibly compromised one.

At the very least I know which statement to keep a closer eye on, just in case.

Unless I am mistaken, PCI regulations forbid vendors from storing this information in the first place. The only time you should be entering your CC info is when you pay for something online. After the fact, the vendor should not be keeping that information.
I am sorry to say you are mistaken.

PCI just makes mandatory some policies and security measures on the machines that store that information - PAN - and its network.

If you don't store any of that information - PAN, type, holder name, expiration - you are required to submit fewer policies and you will get away with just the requirements of PCI DSS SAQ type D. That just means that you are flagged as a "merchant" and you will have to submit to and comply with somewhat softer rules https://www.pcisecuritystandards.org/smb/ https://www.pcisecuritystandards.org/do ... rchant.pdf .

What you cannot store is the PIN, the contents of the magnetic stripe or the CAV2, CVC2, CVV2 or CID .

Showing the last four digits is called "Truncation" and it's allowed by PCI.

More info about PCI and card data here https://www.pcisecuritystandards.org/pd ... torage.pdf

So Ars can be doing what is doing and stay in full compliance with PCI security standard.
 
Upvote
4 (4 / 0)
Enjoyed the technical detail provided by epixoip quite a bit, would very much appreciate similarly in-depth yet casually nuanced expert appendices, perhaps as a more permanent feature. Either way, though, warms my core with a reverential tingle when promoted comments reveal the breadth of Ars and its readership.

Regarding the tangent-topic eulogizing today's fallen passwords, manager-generated strings are nice, but sometimes one needs a pass which is both strong and easy to recall. Given the advance of dictionary attacks (and its myriad combinatorial offspring), I personally prefer to use absurdly loquacious pass-phrases which enjoy the benefit of mneumonic technique by virtue of their humor.

As an example, if one takes that last clause and runs it through the zxcvbn password evaluation demo from Dropbox's tech blog, its analysis claims the phrase (I personally prefer to use absurdly loquacious pass-phrases which enjoy the benefit of mneumonic technique by virtue of their humor.) yields an estimated crack time of around 2.9·10¹⁰⁰ years and contains about 372 bits of entropy. Of course, this requires that a given service permits arbitrarily long passwords and, while most don't, fortunately those services whose accounts one might need to access under any|every circumstance (email, cloud storage, pass-managers) tend to set the char-bar rather high.
 
Upvote
4 (5 / -1)

Deleted member 192806

Guest
IagoRubio said (http://meincmagazine.com/civis/viewtopic.php?p=28144173#p28144173):
Damn it, I had to change my unique-for-ars beloved password UY766UYHKI88/UI2312%& ... now I will have to choose a new random password I will never be able to remember.

Damned hackers.

OTOH, I have not read all comments of course, so excuse me if there has been an update on this somewhere; is there any news on how the cracker got access?

Broke a window* and climbed in. :)

*No, not THAT kind of Window.
 
Upvote
3 (3 / 0)

weathertop

Ars Scholae Palatinae
836
Damage minimal anyway, LastPass had a unique password for Ars, changed to an even more unique and longer password. Worst case scenario and they some how hack the email I have setup here, they get my spam and junk mail. Oh booo hooo.

Ah, the ubiquitous hacker: someone who is both fairly intelligent, incredibly stupid, and most likely alone in the world. Every single "leet haxor" I've ever met face to face has always been a pretty pathetic human being, desperate to amount to something since the rest of their life's attempts at success fall short.
 
Upvote
-1 (2 / -3)
The clear timely heads-up is what I'd expect from Ars.

Luckily, due to Dan Goodin's excellent articles on this site, I (and hopefully many others) were using long ugly line-noise random passwords, with no bearing on any other credentials. I have just generated a new one, and changed my password.

Good luck with the clean up, take care.. :)
 
Upvote
2 (3 / -1)

Marcos2247

Ars Scholae Palatinae
1,159
Bertie Wooster said (http://meincmagazine.com/civis/viewtopic.php?p=28144061#p28144061):
Marcos2247 said (http://meincmagazine.com/civis/viewtopic.php?p=28143587#p28143587):
logic_88 said (http://meincmagazine.com/civis/viewtopic.php?p=28142837#p28142837):
dillweed81 said (http://meincmagazine.com/civis/viewtopic.php?p=28142777#p28142777):
A 12-character password will still end up being pretty strong, unless it's just a dictionary word or multiple dictionary words or some easy permutation of either of those. You'll likely find that even on a tech site like Ars, though, a great deal many people will have passwords that are 8 or fewer characters long.

Does it matter if I use a strong password or not for Ars?

Aside from an email address, I don't have any personal information stored here.
I don't care either.

I use this username only on Ars. The password I reuse everywhere. The e-mail address was a trashmail account that was valid for 10 minutes.

Could not care less.
I am not an expert, but what you do does not seem a very good idea. Using the same password but unique IDs for each site seems weird: if a hacker somehow got your password from a site, then they would simply add that password to their dictionary (or whatever they call it) and use that for the databases of other sites (as your ID there is either stored in plain text, or available as a screen name or something). Am I missing something?
I'm only using that approach for accounts of low priority. I don't care if somebody "hacks" my Ars account. Or any other forum account for that matter. If someone does, I'll return as Marcos2248 and wouldn't mind one bit.

Should I become more involved, interact with people on a personal level, or enter personal information anywhere (e.g. become a subscriber), I would of course move to a long passphrase.

Using different IDs has the benefit of anonymisation. About 15 years ago or so I used one ID across multiple sites and while on each site I only spilled few personal details, a friend of mine was able to identify me. Scared me a little.

I also used a central throwaway mail address until 2004. Hotmail, like so many at the time. Once again, somebody was able to semi-identify me through that address. This time not a friendly. Scared me a lot.

Since then, it's unique usernames and trash-email-addresses only for forum accounts and the like.
I reuse one password for all of them for convenience.
 
Upvote
3 (3 / 0)

bglick4

Ars Tribunus Militum
2,094
adfad666 said (http://meincmagazine.com/civis/viewtopic.php?p=28140583#p28140583):
My password was dMSXQmpTRfsN3h5HHvEY and I only know that because I just looked it up in Chrome's password manager.

Now that I've set a new one I can safely forget it again.

Ah ha! Now that I know the pattern you use for your passwords I can crack them all! You're just using your cat's name.
 
Upvote
-1 (0 / -1)

bglick4

Ars Tribunus Militum
2,094
BobCov said (http://meincmagazine.com/civis/viewtopic.php?p=28144125#p28144125):
I absolutely love it when somebody who absolutely knows what he's talking about walks all over those who think they do and just shuts them down with the facts. Excellent MD5 schooling session.

I'm sure others share this sentiment, but again this is part of what makes Ars so great. I can get reasonable tech stories on many sites, but the expert commenters here on a wide array of topics is what really sets this site apart.
 
Upvote
0 (1 / -1)

Deleted member 192806

Guest
bglick4 said (http://meincmagazine.com/civis/viewtopic.php?p=28144759#p28144759):
BobCov said (http://meincmagazine.com/civis/viewtopic.php?p=28144125#p28144125):
I absolutely love it when somebody who absolutely knows what he's talking about walks all over those who think they do and just shuts them down with the facts. Excellent MD5 schooling session.

I'm sure others share this sentiment, but again this is part of what makes Ars so great. I can get reasonable tech stories on many sites, but the expert commenters here on a wide array of topics is what really sets this site apart.

True, and you'll see more of that diving into some of the forums. ;)
 
Upvote
0 (1 / -1)

Deleted member 441963

Guest
Xiee said (http://meincmagazine.com/civis/viewtopic.php?p=28144841#p28144841):
Oh so ars uses phpbb? Hmmm... interesting~

Can I point you to the footer dangling below the forum-pages?

 
Upvote
4 (4 / 0)