Ars was briefly hacked yesterday; here’s what we know

epixoip said (http://meincmagazine.com/civis/viewtopic.php?p=28156961#p28156961):
> But in no way should anyone draw the conclusion that PHPass is a poor password hashing algorithm, especially if your basis for that decision is "because MD5."

I'm learning a lot and this has been a fascinating conversation for me, but I don't know where you or your friend got the idea that my whole argument was "because MD5". Let me try grounding this in a practical attack:

1. The attacker has e-mails and hashes.
2. This is where you say, "who cares? the attacker can't brute force _all_ of the passwords because PHPass."
3. The attacker finds a high-value target e-mail. Umm, let's say Justin Bieber is a huge fan of Ars Technica.
4. Justin happens to have a 6 char password because he's an ordinary person, not a security freak like us.
5. Attacker brute forces Justin's password in 14 days or less. (Not 7 days or less as I originally guessed — my bad!)
6. This is where the "who cares? it's just a forum!" crowd chimes in.
7. Attacker tries same password on Justin's email account, which works because Justin is an ordinary person, not a security freak like us. (And the email provider also has a mystifying 6 character minimum, just like Ars.)
8. Profit.

I'm not "hung up" on any particular algorithm. Let's just say that there are several simple ways that Ars could have turned 14 days into 14 years (or more). If this was any other site, I'd shrug and say, "oh well." But Ars covers password cracking! I can't believe that you and your buddy fail to see the irony here.

Anyway, who cares... This breach doesn't affect me personally, and if other people can't be bothered to pick good passwords then they deserve what's coming. Right?

I'll stop arguing.
 
Upvote
0 (1 / -1)

somini

Ars Scholae Palatinae
1,101
mehaase said (http://meincmagazine.com/civis/viewtopic.php?p=28157651#p28157651):
> epixoip said (http://meincmagazine.com/civis/viewtopic.php?p=28156961#p28156961):
> > But in no way should anyone draw the conclusion that PHPass is a poor password hashing algorithm, especially if your basis for that decision is "because MD5."
>
> I'm learning a lot and this has been a fascinating conversation for me, but I don't know where you or your friend got the idea that my whole argument was "because MD5". Let me try grounding this in a practical attack:
>
> 1. The attacker has e-mails and hashes.
> 2. This is where you say, "who cares? the attacker can't brute force _all_ of the passwords because PHPass."
> 3. The attacker finds a high-value target e-mail. Umm, let's say Justin Bieber is a huge fan of Ars Technica.
> 4. Justin happens to have a 6 char password because he's an ordinary person, not a security freak like us.
> 5. Attacker brute forces Justin's password in 14 days or less. (Not 7 days or less as I originally guessed — my bad!)
> 6. This is where the "who cares? it's just a forum!" crowd chimes in.
> 7. Attacker tries same password on Justin's email account, which works because Justin is an ordinary person, not a security freak like us. (And the email provider also has a mystifying 6 character minimum, just like Ars.)
> 8. Profit.
>
> I'm not "hung up" on any particular algorithm. Let's just say that there are several simple ways that Ars could have turned 14 days into 14 years (or more). If this was any other site, I'd shrug and say, "oh well." But Ars covers password cracking! I can't believe that you and your buddy fail to see the irony here.
>
> Anyway, who cares... This breach doesn't affect me personally, and if other people can't be bothered to pick good passwords then they deserve what's coming. Right?
>
> I'll stop arguing.
Bieber, being a regular person, has a Gmail account, which has a 8 character minimum.
 
Upvote
3 (3 / 0)

Deleted member 441963

Guest
mehaase said (http://meincmagazine.com/civis/viewtopic.php?p=28157651#p28157651):
> 3. The attacker finds a high-value target e-mail. Umm, let's say Justin Bieber is a huge fan of Ars Technica.

justin.bieber@hoîmail.com?

(The typo is deliberate to prevent the poor fan with that address from even bigger shitloads of spam and phishing)

You can identify valuable targets based on their email address? Wow.
 
Upvote
1 (1 / 0)

Dark Steve

Ars Scholae Palatinae
1,028
mehaase said (http://meincmagazine.com/civis/viewtopic.php?p=28157651#p28157651):
> 3. The attacker finds a high-value target e-mail. Umm, let's say Justin Bieber is a huge fan of Ars Technica.
> 4. Justin happens to have a 6 char password because he's an ordinary person, not a security freak like us.
Any high-value target that reads Ars will be somebody like Bruce Schneier or somebody else that knows better than to use an easily crackable 6 character password. I mean, even an actor like Wil Wheaton knows better than that. (Though maybe not an actor like Kirk Cameron...)

somini said (http://meincmagazine.com/civis/viewtopic.php?p=28157889#p28157889):
> Bieber, being a regular person, has a Gmail account, which has a 8 character minimum.
I'm also stunned that both of you think of Justin Bieber as an "ordinary person" :p
 
Upvote
3 (3 / 0)
Dark Steve said (http://meincmagazine.com/civis/viewtopic.php?p=28157961#p28157961):
> mehaase said (http://meincmagazine.com/civis/viewtopic.php?p=28157651#p28157651):
> > 3. The attacker finds a high-value target e-mail. Umm, let's say Justin Bieber is a huge fan of Ars Technica.
> > 4. Justin happens to have a 6 char password because he's an ordinary person, not a security freak like us.
> Any high-value target that reads Ars will be somebody like Bruce Schneier or somebody else that knows better than to use an easily crackable 6 character password. I mean, even an actor like Wil Wheaton knows better than that. (Though maybe not an actor like Kirk Cameron...)
>
> somini said (http://meincmagazine.com/civis/viewtopic.php?p=28157889#p28157889):
> > Bieber, being a regular person, has a Gmail account, which has a 8 character minimum.
> I'm also stunned that both of you think of Justin Bieber as an "ordinary person" :p

More importantly I'm at a loss at what sort of security one would expect a news site forum, technically inclined or not, to employ. What sort of reasonable 'time to decrypt' is being expected here?

That ultra black hat hackers with a very expensive rig still needs 14 days for their targeted attack to pay off seems to me to be an extremely reasonable situation, especially given the intrusion was noticed and the users were notified almost immediately.

Seriously, if JB is hacked - it'll be highly unlikely that Ars will have proven to be the weakest link in the chain here.
 
Upvote
5 (5 / 0)

epixoip

Wise, Aged Ars Veteran
192
mehaase said (http://meincmagazine.com/civis/viewtopic.php?p=28157651#p28157651):
> I'm not "hung up" on any particular algorithm. Let's just say that there are several simple ways that Ars could have turned 14 days into 14 years (or more). If this was any other site, I'd shrug and say, "oh well." But Ars covers password cracking! I can't believe that you and your buddy fail to see the irony here.

Password hashing can't do very much to help those who choose a stupid password, especially if you are only going after a single hash. Even with bcrypt at a cost of 2^8, you can still test ~110 million passwords a day on a single CPU, which is enough to run through rockyou.txt + best64.rule in about a week.
 
Upvote
7 (7 / 0)
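The two numbers being argued over in this thread (mehaase's "14 days into 14 years" and epixoip's "~110 million passwords a day at bcrypt cost 2^8") are really one piece of arithmetic: worst-case time to exhaust a keyspace is keyspace size divided by throughput, and throughput halves for every +1 on the cost exponent. The script below is an added example (not code from Ars or from any poster) that a site operator can use to size a cost floor and a length floor together; the 110 million/day baseline is borrowed from epixoip's post as an assumption, not measured here, and the charset and length figures are constructed for illustration.

```python
"""Work-factor arithmetic for sizing a password-hash cost parameter.

Added example for this discussion; it is not code from Ars, phpass, or any
poster. The only input it borrows from the thread is epixoip's figure of
~110 million guesses per day at bcrypt cost 2^8 on one CPU, treated here as
an assumed baseline rather than something this script measures.
"""
from typing import Optional

# Assumed baseline throughput (from the thread), not a measurement.
BASE_COST_LOG2 = 8
BASE_GUESSES_PER_DAY = 110_000_000


def guesses_per_day(cost_log2: int,
                    base_cost_log2: int = BASE_COST_LOG2,
                    base_rate: float = BASE_GUESSES_PER_DAY) -> float:
    """Throughput at a given cost exponent.

    Every +1 on the exponent doubles the work per guess, so throughput halves.
    """
    return base_rate / (2 ** (cost_log2 - base_cost_log2))


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return charset_size ** length


def days_to_exhaust(charset_size: int, length: int, cost_log2: int) -> float:
    """Worst-case days to try every candidate of this shape at this cost."""
    return keyspace(charset_size, length) / guesses_per_day(cost_log2)


def cost_needed_for_days(charset_size: int, length: int, days: float,
                         max_cost_log2: int = 31) -> Optional[int]:
    """Smallest cost exponent at which exhausting the keyspace takes >= `days`.

    Returns None if even max_cost_log2 is not enough; at that point the
    length policy, not the cost, is the lever to pull.
    """
    for cost_log2 in range(max_cost_log2 + 1):
        if days_to_exhaust(charset_size, length, cost_log2) >= days:
            return cost_log2
    return None


def scaling_table(charset_size: int, lengths, costs) -> dict:
    """Map (length, cost_log2) -> days, to compare the two levers side by side."""
    return {(n, c): days_to_exhaust(charset_size, n, c)
            for n in lengths for c in costs}


if __name__ == "__main__":
    # Constructed scenario: lowercase-only passwords of 6, 8 and 10 characters
    # at cost exponents 8 and 12.
    table = scaling_table(26, lengths=(6, 8, 10), costs=(8, 12))
    for (n, c), days in sorted(table.items()):
        print(f"length {n:2d}  cost 2^{c:<2d}  worst case {days:14.1f} days")
    needed = cost_needed_for_days(26, 6, 14 * 365)
    print(f"cost exponent needed to stretch 6 lowercase chars to 14 years: {needed}")
```

The point the table makes is the one both sides of the argument touch on: two extra characters multiply the worst case by 676 (26^2), while each cost step only doubles it, so a minimum-length policy moves the number far more cheaply than cranking the hash cost, which slows every legitimate login too.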

sanpinn

Seniorius Lurkius
10
I sincerely appreciate you guys emailing me to let me know about the unfortunate hacking incidents. The prevalence of hacking in our world today is exactly why I won't purchase anything online; or do any banking online - but we're encouraged to do so! (wouldn't surprise me at all, if the bankers were behind that kind of hacking!)

In closing, thank you for notifying me so promptly.
 
Upvote
2 (3 / -1)

sanpinn

Seniorius Lurkius
10
I deem it appropriate to notify Ars Technica of an experience I just had within your site that seemed damned odd to me:

I wanted to change my User Name on your site, and when I clicked on your link that says "Set a customer user title" under Links on this page:
https://meincmagazine.com/services/profile/

I was delivered to a page that contained an image with text that said all of this:

"A technical issue has occurred on web05."

Below this heading appears a large black & white image of a planet with a
shark's head coming out of it; with the word "MOONSHARK" in dark pink
at the bottom of the planet. Below the image appears this text:

"Our servers have encountered a problem while delivering the page you requested. We
apologize for the inconvenience."
"If this is a really long outage, check out a cool site like reddit or TV Tropes to pass the
time."

The words "reddit" and "TV Tropes" were in red and linked.
At the very bottom of the page appears this text:
Ars Technica ©2012 Condé Nast Digital. All rights reserved.
-------------------------------------------------------------------------------------------------------------------

Considering your recent hacking incidents; it just seemed odd to me that arstechnica would refer their users to other websites.
 
Upvote
1 (1 / 0)

Deleted member 441963

Guest
sanpinn said (http://meincmagazine.com/civis/viewtopic.php?p=28158387#p28158387):
> arstechnica would refer their users to other websites.
Sites from the same owner, Condé Nast Digital. Sites which actually are a nice waste of time while engineers reanimate web05. Assuming something was wrong with web05.
 
Upvote
1 (1 / 0)
pythagoreanmetronome said (http://meincmagazine.com/civis/viewtopic.php?p=28150729#p28150729):
> My Windows 8.1 password to just log into the desktop is now this 11 character random string that I am always like WTF!!!! It's just annoying to use networked devices now.

Not to go too far off topic, but if anything pushes people toward weak passwords, it's mobile devices; especially as we move toward synchronized accounts across devices/platforms and we use our smartphones to access the web.

It's one thing using a regular computer keyboard to help navigate your many accounts, but it's hella rough typing a 10-12 random-character, secure pw on any smartphone. With the help of LastPass, I can tolerate it even if it is awkward, but I can see how a less educated consumer would be heavily motivated to keep their passwords as simple as possible, just so they could enter them easily on their phone.

This was heavily underscored recently when I got my first iOS device, an iPad Air 2. The number of times iOS wants you to enter your password makes Vista's UAC problems pale into total insignificance. The (superb) Zagg case helped, but not when I'm using the tablet as a tablet.

To reduce the annoyance (well, it reached "fury" very quickly, to be honest) to a barely tolerable level, I changed my Apple ID pw to something that was easier to type on a mobile device, as well as being one that I could memorize. Needless to say, it's a lot less random than the original. Touch ID on this device isn't a feature so much as a necessity, just so you don't have to type your password every time. I can't imagine using an iPad, far less an iOS phone, without it.

This experience has thoroughly convinced me that we do, in fact, need to come up with a secure alternative to userid/password combinations, if we are to have any hope at all of making a majority of users somewhat secure.
 
Upvote
6 (6 / 0)

pqr

Ars Scholae Palatinae
1,261
WpgGuy said (http://meincmagazine.com/civis/viewtopic.php?p=28151783#p28151783):
> On arm chair criticism, you guys are over-sensitive and it comes across as hypocrisy.
>
> Seeing a journalist, reporter or columnist complain about arm chair critics is a bit like seeing police complain about arm chair critics.
>
> These two groups of people earn their livings largely by second-guessing and arm chair critiquing what other people are doing, in both cases often doing under pressure.
>
> Articles on politics, hardware, software, pretty much anything written by someone who isn't actually in the field doing it under commercial and organizational pressure themselves, it's all arm chair criticism when it's done by journalists, reporters or columnists.
>
> And that's another thing, it is one thing to be able to create something in a slow paced simple academic setting, but in a commercial or government environment one has all these other factors that even individual researchers working in the field, but on their own, have no first hand expertise on.
>
> If you can't handle arm chair critics yourself you shouldn't be working for an outfit that earns most of its living by armchair critiquing others.
>
> But we all do arm chair criticism. You do. We do.
>
> Changing occupations from journalism to something else would merely mean doing less of it. You'd be an occasional amateur armchair critic rather than a full-time professional arm chair critic.
>
> So lighten up.

You probably had an overdose of mainstream media. Yes, many journalists are like groupies there hanging out with the big boys hoping to pick up some scrap of wisdom they can then pass on. It is quite the opposite when it comes to Ars.

You immediately see this for their science articles - geology, biology, quantum optics, particle physics (I'm surely forgetting to mention some other areas too), evidently written by practitioners or ex-practitioners. Then there was this article from Peter Bright on Steam game statistics (copies sold, % owned, average hours played, etc) with all info scraped from Steam user pages (millions thousands of them, a subset only but upscaled later statistically in results). First of a kind revealing data. And very straightforward coding if you know what you're doing; I did such things before. Of course, the vast majority of people just can't, and I doubted Peter could either as he was a "journalist". On top of it he kept referring to 'we' everywhere in the article. So I asked who were those uncredited guys helping him. As it turned out Peter originally wrote it all up with 'I' but the editors changed 'I' to 'we' everywhere. This was an absolute shocker, he the "journalist" did it all! Until this I thought he was just well connected but this put all his past articles into a new light. Eventually I had to google his background and guess what: for years he worked at Microsoft*. Not on PR, mind you, but software engineering. So careful with your stereotypes here, check out the bio of the author. Chances are you'll see expertise in at least one relevant area.

* actually reminds me to hopefully learn some day (no rush) what made him switch to journalism
 
Upvote
3 (3 / 0)

sraboy

Seniorius Lurkius
20
Rainbird said (http://meincmagazine.com/civis/viewtopic.php?p=28157505#p28157505):
> sraboy said (http://meincmagazine.com/civis/viewtopic.php?p=28157425#p28157425):
> > Maybe it's just me, but I'd appreciate it if a notice about the breach were posted at the top of the front page, or if I got an email.
> You did get an e-mail.

No, I did not. My email address is correct and it wasn't caught up in Gmail's spam filter.

epixoip said (http://meincmagazine.com/civis/viewtopic.php?p=28157527#p28157527):
> Rainbird said (http://meincmagazine.com/civis/viewtopic.php?p=28157505#p28157505):
> > sraboy said (http://meincmagazine.com/civis/viewtopic.php?p=28157425#p28157425):
> > > Maybe it's just me, but I'd appreciate it if a notice about the breach were posted at the top of the front page, or if I got an email.
> > You did get an e-mail.
>
> And it was at the top of the page for a day and a half.

While I'm sure plenty of Ars readers get on here daily, I don't. I check it every few days usually. I'm not saying make it a major element with a giant photo but a little header above the top-story for a week would be nice for one of the top 2000 sites on the planet where 99.89% of site visitors go straight to the front page.
 
Upvote
-1 (1 / -2)

Andara

Ars Legatus Legionis
14,123
Subscriptor++
sraboy said (http://meincmagazine.com/civis/viewtopic.php?p=28160133#p28160133):
> No, I did not. My email address is correct and it wasn't caught up in Gmail's spam filter.
Then you'd better check to see what's wrong with your email account, because they sent an email notification:

Ars Technica was hacked: Please change your password

Ars Technica via mail207.atl101.mcdlv.net
Dec 17 (2 days ago)

to andara

You are receiving this email because you may have - at some point - registered as a user on ArsTechnica.com. Our site was recently hacked.

Log files suggest that this intruder had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses cryptographically-protected passwords.

Out of an excess of caution, we strongly encourage all Ars readers — especially any who have reused their Ars passwords on other, more sensitive sites — to change their passwords today.

Read more about the incident here: http://meincmagazine.com/staff/2014/12/ar ... t-we-know/

Please login to Ars and update your password or use the "Forgot your password" form to change your password.

Settings page: https://meincmagazine.com/civis/ucp.php?i ... eg_details

Forgot your password? https://meincmagazine.com/civis/ucp.php?mode=sendpassword

We sincerely apologize for any inconvenience this has caused.

- Ars
==============================================
==============================================

Unsubscribe [email address redacted] from this list:
http://arstechnica.us1.list-manage.com/ ... a0d1991c65
 
Upvote
4 (4 / 0)

Zanthexter

Smack-Fu Master, in training
67
Honestly, I couldn't care less about the password. Once notified I changed it from the old 12 digit randomly generated one to a new, 24 digit, randomly generated one. (LastPass is great) Now I have a new password, 30 seconds later, I'm done, it's gone, ancient history. (Maybe Ars could work with LastPass, Roboform, etc; and such to automate password changes?)

What I do care about is my email address now being available to be spammed and phished. Possibly my other personal information was associated with my email address and taken as well, to be combined with stolen info from other sites, and a nice hacker/NSA database compiled. To me this is a MUCH bigger issue than a password that can be changed in 5 minutes because I can't ever get back that other information.

I get that there are a lot of "novice" users that reuse passwords across many sites, and for that reason passwords should be protected. But if all the other important information is there for the taking, who gives a damn about the passwords?

If you aren't protecting ALL of my data, you're doing it wrong!
 
Upvote
0 (2 / -2)

Jim Z

Ars Legatus Legionis
46,752
Subscriptor
MattM said (http://meincmagazine.com/civis/viewtopic.php?p=28161313#p28161313):
> Zanthexter said (http://meincmagazine.com/civis/viewtopic.php?p=28160831#p28160831):
> > (LastPass is great)
>
> i keep hearing about this
>
> what is this?

viewtopic.php?p=28144949#p28144949
 
Upvote
-1 (0 / -1)

ImpossiblyStupid

Wise, Aged Ars Veteran
189
Zanthexter said (http://meincmagazine.com/civis/viewtopic.php?p=28160831#p28160831):
> What I do care about is my email address now being available to be spammed and phished. Possibly my other personal information was associated with my email address and taken as well, to be combined with stolen info from other sites, and a nice hacker/NSA database compiled. To me this is a MUCH bigger issue than a password that can be changed in 5 minutes because I can't ever get back that other information.
I keep hearing this, but none of you ever explain why you're just giving out the same, precious email address to every site you register with. Your ability to punch at "novice" users for their password habits ends where your email habits begin.

> If you aren't protecting ALL of my data, you're doing it wrong!
It's your data, so you also should take some personal responsibility for safeguarding it whenever possible. For email, that means using something like a disposable address for web site registrations. Those of us who did that with Ars will *know* if spammers ever start using those email addresses; no premature offense necessary.
 
Upvote
3 (3 / 0)

404

Well-known member
464
Jim Z said (http://meincmagazine.com/civis/viewtopic.php?p=28152631#p28152631):
> 404 said (http://meincmagazine.com/civis/viewtopic.php?p=28150225#p28150225):
> > Between this and Ars manufactured gamergate garbage which has lead to nothing more than racism and bigotry against minority gamers in favor of a female oppression false flag. All i want to know is, How do i delete my account from this cesspool?
>
> 1) you can't.
> 2) leave anyway, please.

Trust me. I have no intention of staying in a place where reporters and even the founder of this shit stain grossly fabricates stories and then turn a blind eye when their own supporters spew racist remarks at gamers.

Thanks for showing you are one of them and a special thanks to the bigots Orland, Johnston and Fisher for the racial harassment campaign. It's such a shame they don't even have enough common sense to realize the movement they helped fabricate has not only hurt minority males in gaming but has also oppressed females of color.

Here's a taste of just some of the tame shit spewed thanks to Orland and Fisher's scheme.

[six image attachments in the original post; not reproduced here]
 
Upvote
-10 (0 / -10)

sraboy

Seniorius Lurkius
20
Andara said (http://meincmagazine.com/civis/viewtopic.php?p=28160653#p28160653):
> sraboy said (http://meincmagazine.com/civis/viewtopic.php?p=28160133#p28160133):
> > No, I did not. My email address is correct and it wasn't caught up in Gmail's spam filter.
> Then you'd better check to see what's wrong with your email account, because they sent an email notification:
>
> Ars Technica was hacked: Please change your password
>
> Ars Technica via mail207.atl101.mcdlv.net
> Dec 17 (2 days ago)
>
> to andara
>
> You are receiving this email because you may have - at some point - registered as a user on ArsTechnica.com. Our site was recently hacked.
>
> Log files suggest that this intruder had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses cryptographically-protected passwords.
>
> Out of an excess of caution, we strongly encourage all Ars readers — especially any who have reused their Ars passwords on other, more sensitive sites — to change their passwords today.
>
> Read more about the incident here: http://meincmagazine.com/staff/2014/12/ar ... t-we-know/
>
> Please login to Ars and update your password or use the "Forgot your password" form to change your password.
>
> Settings page: https://meincmagazine.com/civis/ucp.php?i ... eg_details
>
> Forgot your password? https://meincmagazine.com/civis/ucp.php?mode=sendpassword
>
> We sincerely apologize for any inconvenience this has caused.
>
> - Ars
> ==============================================
> ==============================================
>
> Unsubscribe [email address redacted] from this list:
> http://arstechnica.us1.list-manage.com/ ... a0d1991c65


Yeah, still nothing. It's Gmail, plain old standard web-interface Gmail. No filters or anything other than the defaults. The only thing I can think of is that I've opted out of Ars emails but I've never seen an opt-out apply to security issues, plus I still get all these topic replies from the forums so it's not a domain-wide opt-out.
 
Upvote
0 (0 / 0)
a) don't use the same password anywhere online. Always unique per login.
b) if you can, use a unique login for every online identity. No need to let anyone connect-the-dots or get a hint about your email login from a blog website. This is more important for logins to financial services.
c) if you can, use a unique email address for all identities. These do not need to be anything more than email aliases, since receiving email and redirecting it to a real account is easy. No need to support "send". Definitely have a few different email addresses - 1 for social stuff online and a different 1 or 10 for financial stuff. If your social email gets hacked, that shouldn't impact your financial email account at all.
d) Always lie on security questions. Don't tell the truth. Keep the answers inside your password manager.

If we do these things, no need to panic over having the Ars password db out there. Even if it were leaked as plain text, I wouldn't care. It doesn't matter. Ars doesn't know my real email address or a password used anywhere else.

Prefer F/LOSS security tools over commercial offers. Historically, commercial security vendors have misled their users or just lied. keepass and keepassx. The source code is available for download and review by anyone. Security of the tool is not through anything hidden, just good encryption which currently cannot be broken when normal best-practices are used. KeepassX is amazing.
 
Upvote
2 (2 / 0)

foxyshadis

Ars Praefectus
5,087
Subscriptor
I was just on another website changing some information, when I saw something that really hit me: The real problem isn't passwords, or emails, it's security questions. Not related to the Ars breach, but on websites that have questions, your private life and your security on any other site that uses them can be instantly breached, with no need to reverse any hashes at all. That's where people should be directing their concern and ire, not over the particulars of strength of a fairly secure password hash on a small site -- in the wake of previous breaches that led to millions of password releases already.

I'm not even remotely worried about my Ars password. I changed most everything to a random per-site pass after the Gawker hack (I admit that one woke me up, when I saw my old "throwaway" password in there), and changed everything again to something even stronger after the Adobe breach, but at this point I don't feel there's any point in doing so. By the time they crack my password, I'll have changed it anyway as part of my every-few-years updates, as if anyone wants this account anyway.
 
Upvote
0 (0 / 0)

JTD121

Ars Praefectus
5,133
Subscriptor
pythagoreanmetronome said (http://meincmagazine.com/civis/viewtopic.php?p=28150729#p28150729):
> Good lord. This year alone I have had all of my debit cards/credit cards canceled and resent to me by my bank TWICE because of Target and Home Depot, which of course has required that I type in new numbers into tons of various websites and payments... online bills, google play, Ventra for Public Transportation, Digital Ocean, AWS etc etc... and this whole password thing. Ars isn't the only one. I use Last Pass now and even that has turned into such a hassle because any app I want to use on my phone or tablet requires at least two steps of authentication IF the lastpass password is actually synced. My Windows 8.1 password to just log into the desktop is now this 11 character random string that I am always like WTF!!!! It's just annoying to use networked devices now.
>
> What can you do? The internet seemed like a good idea there for about 3 weeks in 1994 and after that it has been a steady stream of disgusting porn, trolls, hacks and a thousand little inconveniences. I am about to go Unabomber on this shit.
>
> I kid. Thanks for letting me know. Luckily after the whole Ars thread about how the Dread Pirate Roberts had his Silk Road passwords set to his cat's name I learned that I should always have TWO cats and kill one on monthly basis. So I am pretty sure I am hack proof on this one. I just got a new kitten last weekend and his name is id_rsa.pub. Hack THAT! Wait. Crap.

The CC/debit cards being replaced is just one of those things.

Also, you could look into stuff like YubiKeys so you don't really have to remember anything. You can use them to authenticate with LastPass, among other password managers; set it up so you need it to login to your computer(s); with the one linked, you can use NFC to unlock on mobile devices, too!
 
Upvote
0 (0 / 0)

Deleted member 192806

Guest
foxyshadis said (http://meincmagazine.com/civis/viewtopic.php?p=28166687#p28166687):
> I was just on another website changing some information, when I saw something that really hit me: The real problem isn't passwords, or emails, it's security questions. Not related to the Ars breach, but on websites that have questions, your private life and your security on any other site that uses them can be instantly breached, with no need to reverse any hashes at all. That's where people should be directing their concern and ire, not over the particulars of strength of a fairly secure password hash on a small site -- in the wake of previous breaches that led to millions of password releases already.
>
> I'm not even remotely worried about my Ars password. I changed most everything to a random per-site pass after the Gawker hack (I admit that one woke me up, when I saw my old "throwaway" password in there), and changed everything again to something even stronger after the Adobe breach, but at this point I don't feel there's any point in doing so. By the time they crack my password, I'll have changed it anyway as part of my every-few-years updates, as if anyone wants this account anyway.

That's why someone suggested giving made-up answers to those questions, and keeping track of the answers in the password manager. Most managers have the notion of secure notes.
 
Upvote
2 (2 / 0)

Paddleless

Smack-Fu Master, in training
52
sraboy said (http://meincmagazine.com/civis/viewtopic.php?p=28166175#p28166175):
> Andara said (http://meincmagazine.com/civis/viewtopic.php?p=28160653#p28160653):
> > sraboy said (http://meincmagazine.com/civis/viewtopic.php?p=28160133#p28160133):
> > > No, I did not. My email address is correct and it wasn't caught up in Gmail's spam filter.
> > Then you'd better check to see what's wrong with your email account, because they sent an email notification:
> >
> > Ars Technica was hacked: Please change your password
> >
> > Ars Technica via mail207.atl101.mcdlv.net
> > Dec 17 (2 days ago)
> >
> > to andara
> >
> > You are receiving this email because you may have - at some point - registered as a user on ArsTechnica.com. Our site was recently hacked.
> >
> > Log files suggest that this intruder had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses cryptographically-protected passwords.
> >
> > Out of an excess of caution, we strongly encourage all Ars readers — especially any who have reused their Ars passwords on other, more sensitive sites — to change their passwords today.
> >
> > Read more about the incident here: http://meincmagazine.com/staff/2014/12/ar ... t-we-know/
> >
> > Please login to Ars and update your password or use the "Forgot your password" form to change your password.
> >
> > Settings page: https://meincmagazine.com/civis/ucp.php?i ... eg_details
> >
> > Forgot your password? https://meincmagazine.com/civis/ucp.php?mode=sendpassword
> >
> > We sincerely apologize for any inconvenience this has caused.
> >
> > - Ars
> > ==============================================
> > ==============================================
> >
> > Unsubscribe [email address redacted] from this list:
> > http://arstechnica.us1.list-manage.com/ ... a0d1991c65
>
> Yeah, still nothing. It's Gmail, plain old standard web-interface Gmail. No filters or anything other than the defaults. The only thing I can think of is that I've opted out of Ars emails but I've never seen an opt-out apply to security issues, plus I still get all these topic replies from the forums so it's not a domain-wide opt-out.

I'm opted out of Ars emails too, but I received a notification for this. No idea why you didn't get one.
 
Upvote
1 (1 / 0)

Xylon

Seniorius Lurkius
15
Subscriptor++
I may be odd, but I enjoy when a place I have an account gets (non-personal info like this) breached. I get to hope some hacker is OCD enough to spend time trying to crack my (in this case) 29-character upper/lower/numeric/special password. It's been changed by the way, and I made it longer for good measure.

Now if my password manager is ever breached that will suck ...

BTW - Thanks for supporting crazy long & complex passwords.
 
Upvote
0 (0 / 0)
@epixoip

I think your defense of MD5 as a password hashing mechanism is a bit strong. MD5 has been "broken", in that trivial collisions have been found with a very small complexity and minimal processing power.

AFAIK you're correct that the break doesn't apply to iterating MD5 multiple times, but you should also know that once an algorithm is broken the attacks against it tend to get much better over time. This has happened time and time again against encryption algorithms, and I don't see any reason why it couldn't happen with multiple iterations of MD5.

I also think you're being rather disrespectful of other people's opinions on the matter (i.e. "armchair experts"). I don't have any sort of reputation as a "professional password cracker", but ultimately what matters is the facts and what's exploitable, not bona fides. Security is complex. "Best practices" differ, and there's often far less experimental evidence to back up opinions than there is in other disciplines. So I believe that a wide variety of opinions are quite valid on security matters, not simply a narrow spectrum.

Ars did an OK job with salting passwords and using multiple iterations, and has done much better than many other companies that didn't even bother to salt. But in 2014 I think it's entirely reasonable for people to expect that MD5 isn't used as a password hashing algorithm anymore. MD5 had some reasonable-sized problems discovered way back in 1996, and the attacks have only gotten worse since then.
 
Upvote
-4 (0 / -4)
Deleted member 441963

Guest
stevesether said (http://meincmagazine.com/civis/viewtopic.php?p=28176819#p28176819):
@epixoip

I think your defense of MD5 as a password hashing mechanism is a bit strong. MD5 has been "broken", in that trivial collisions have been found with a very small complexity and minimal processing power.

Finding a specific collision takes 11 hours computing on a fairly big cluster. Brute forcing a single unsalted password takes 11 hours.

Guess my email-address, whip out your CC, and in 11 hours you could be me. Except for that nasty salt. I'm not a cryptographic expert, but as I understand it the 2048 times rehashing means you need 2048 times 11 hours. Can we continue this conversation on Jul 18th, 2017?

(Yes, brute forcing is your only option. My password isn't in any dictionary.)

epixoip: correct me if I'm wrong..
 
Upvote
1 (1 / 0)

epixoip

Wise, Aged Ars Veteran
192
Once again: the cryptographic weaknesses of MD5 have nothing to do with why it is a poor choice for password hashing. The fact that MD5 is cryptographically broken is irrelevant when talking about password hashing. Unless the algorithm is horribly, horribly broken (e.g., Office97 (MD5 truncated to 40 bits), XSHA1 (not to be confused with SHA1), and MySQL 323) you're not going to find an arbitrary collision for a short input. What makes MD5 a poor choice for password hashing is the fact that it is a very fast algorithm that is quite amenable to acceleration. Iterating and salting MD5 mitigates that. There is nothing wrong with basing a KDF or password hashing function on MD5, and there are very specific and valid reasons why Solar Designer chose to use MD5 in PHPass.
 
Upvote
5 (5 / 0)
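To make concrete what the last several posts are arguing about (salted, iterated MD5 in PHPass, the 2048 iterations mentioned above, and how the iteration count changes the attacker's cost), here is an added example, not code from the thread or from the phpass project, that reimplements the phpass "portable" hash format ($P$/$H$) in Python following Solar Designer's published algorithm. The count character after the prefix is an index into phpass's itoa64 alphabet and sets the iteration count to 2^index; '9' is index 11, giving the 2048 iterations discussed above, which is the phpBB3 default setting. The test salt 'abcdefgh' and the brute-force rate figures used at the bottom are constructed for illustration, not measurements from the Ars breach.

```python
"""phpass portable hash ($P$ / $H$) reimplemented for illustration.

Follows Solar Designer's crypt_private()/encode64() from phpass; this is an
added example, not the phpass project's code. Each guess costs
(2 ** count_log2) + 1 MD5 calls, which is the only thing slowing down an
attacker with a dumped user table.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

# phpass's own base64 alphabet; the count character indexes into it.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def _encode64(data: bytes, count: int) -> str:
    """phpass's unpadded, little-endian base64 over the first `count` bytes."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
        if i >= count:
            break
    return ''.join(out)


def gen_setting(count_log2: int = 11, prefix: str = '$H$',
                salt: Optional[bytes] = None) -> str:
    """Build the 12-char setting string: prefix, count char, 8-char salt (from 6 random bytes)."""
    if not 7 <= count_log2 <= 30:
        raise ValueError('phpass only accepts count_log2 in 7..30')
    salt = salt if salt is not None else os.urandom(6)
    return prefix + ITOA64[count_log2] + _encode64(salt, 6)


def phpass_hash(password: str, setting: str,
                md5: Callable[[bytes], 'hashlib._Hash'] = hashlib.md5) -> str:
    """Compute the portable hash; returns '*0' (or '*1') on malformed input like the PHP code.

    `md5` is injectable so the work factor can be measured (see measured_md5_calls).
    """
    output = '*0'
    if setting[:2] == output:
        output = '*1'          # ensures a stored '*0' can never verify
    if setting[:3] not in ('$P$', '$H$'):
        return output
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return output
    salt = setting[4:12]
    if len(salt) != 8:
        return output
    pw = password.encode('utf-8')
    digest = md5(salt.encode('latin-1') + pw).digest()   # 1 call
    for _ in range(1 << count_log2):                     # + 2**count_log2 calls
        digest = md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password: str, stored: str) -> bool:
    """Recompute with the stored setting and compare in constant time."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)


def measured_md5_calls(password: str, setting: str) -> int:
    """Count the MD5 invocations one guess actually costs for this setting."""
    calls = 0

    def counting_md5(data: bytes):
        nonlocal calls
        calls += 1
        return hashlib.md5(data)

    phpass_hash(password, setting, md5=counting_md5)
    return calls


def phpass_guesses_per_sec(raw_md5_per_sec: float, count_log2: int) -> float:
    """Raw MD5 throughput divided by the per-guess work factor."""
    return raw_md5_per_sec / ((1 << count_log2) + 1)


def brute_force_seconds(charset_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time to exhaust one salted hash's keyspace at a given guess rate."""
    return charset_size ** length / guesses_per_sec


if __name__ == '__main__':
    setting = gen_setting(11)                        # '$H$9' + random salt
    h = phpass_hash('correct horse', setting)
    print(h, phpass_verify('correct horse', h), phpass_verify('wrong', h))
    for log2 in (8, 11, 14):                         # constructed rate: 1e9 raw MD5/s
        rate = phpass_guesses_per_sec(1e9, log2)
        days = brute_force_seconds(62, 6, rate) / 86400
        print(f'count_log2={log2}: {rate:,.0f} guesses/s, 6-char alnum exhausted in {days:.1f} days')
```

Running it shows the point both sides agree on: the collision attacks on MD5 never enter into it, and what decides the 14-days-versus-14-years question is the count character, since every step up doubles the per-guess cost and nothing else about the format changes.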