Are we exposed?

Status
Not open for further replies.
Holy crap... here are the new AVS Password requirements.... (Which does NOTHING to fix the vBulletin security issues)

Must be at least 10 characters
Must contain lower-case characters
Must contain upper-case characters
Must contain numbers
Must contain symbols

10 characters? Come on folks, it's a forum, not a bank.


My gripe is the stupidity of the people running the sites. Not exactly that they got hacked, though it sounds like they were ripe for the picking. Requiring a 10 character password with the stipulations does nada, nothing at all to help prevent what happened. None of the usernames/passwords were initially hacked, the system was hacked. If the system is hacked again our new passwords will again be vulnerable. Will they then require a 20 character password? I decided to call it quits to almost all the sites, just not worth the hassle just so I can post. My loss but overall not that big a loss. I may keep AVSforum.
 
I have been using LastPass since reading about this. I bought the $12 per year subscription so I can sync my passwords on all my devices. I wasn't directly affected by this but it was a good incentive for me to finally break the habit of using the same simple password at every website. So far I'm very happy with LastPass.
 
That report is a year old. The issue is easily remedied by changing the master password which I did when I saw that article.
 
If the system is hacked again our new passwords will again be vulnerable.
The idea is that the new passwords will be different for each site so the compromise won't extend any further than the systems that were compromised. This could be enforced by making the password requirements different for various sites.

Complicated passwords are surely a better solution than forcing everyone to use two-factor authentication.
 
That report is a year old. The issue is easily remedied by changing the master password which I did when I saw that article.
Of course you have to be informed about the compromise to remedy the problem. When a few of the major "wallet" or "passport" schemes have been compromised, the providers have not exactly been Johnny-on-the-spot about informing users. Microsoft's original Passport breach had been documented on a magazine website or two before Microsoft took the service offline.

Microsoft's implementation of Kerberos was also bugged at one point; not directly exposing sensitive data, but having flaws that would allow privilege elevation that might allow one easier access to same (especially SQL Server databases that allow the use of Windows admin credentials for access).

A password program with its own database is cheap and a move in the right direction to complex and varying passwords and if the program is any good, it can easily generate passwords that meet all the complicated criteria that forum operators can come up with.
 
Also from what I read the passwords are encrypted so they have to have access to your master password in order to view the rest of them. I'm not sure if that is the truth or if it's LastPass's marketing spin.

I'm also using their mobile authentication app for 2 factor verification. Even if someone figured out my master password they would have to get past that in order to see my passwords. Everything has worked really smoothly for me so far and I'm able to easily enter all my passwords and generate new ones whether I'm on my iPhone, iPad, or various computers with the Firefox extension. The $12 per year premium option seems to be well worth it just for the ability to have everything automatically synced on all my devices.
 
I'm also using their mobile authentication app for 2 factor verification. Even if someone figured out my master password they would have to get past that in order to see my passwords.
Once you have a table of data to work with, the only other tool you need is time. Even the most complicated password creation schemes will eventually fall to a brute force attack and the amount of computing power that many have access to now can plow through thousands of passwords per second.
 
Once you have a table of data to work with, the only other tool you need is time. Even the most complicated password creation schemes will eventually fall to a brute force attack and the amount of computing power that many have access to now can plow through thousands of passwords per second.

I don't doubt that. I'm not sure anything connected to the internet is ever completely secure. Also, it's not like any of my stuff is secret government classified level of importance. It would suck to have an account hacked but it wouldn't be the end of the world.

It does seem like the attempt limit most of the more high value sites use would prevent brute force attacks on an individual account though. I know that my bank accounts, iCloud, and other things I use only allow you 3-5 incorrect password attempts before either locking the account down for a set period of time or forcing a password reset that requires access to the email address on file.

With the complex passwords LastPass and other password managers create it seems like it would be tough to randomly figure out these passwords before hitting the incorrect attempt limit. I'm not saying they wouldn't get in eventually if they really wanted but I'm guessing most hackers would move on to the next target instead of wasting time trying to get into my accounts. I'm no security expert though and I'm sure there is more to this that I don't understand.
 
It does seem like the attempt limit most of the more high value sites use would prevent brute force attacks on an individual account though.
The issue here is that the raw user database data was obtained so there's no limit on how many whacks the cracking software can take at the password.

Hacking passwords using a conventional login is typically doomed to failure for the reasons you state.

Additionally, with a database that stores many sites, it can easily be ascertained whether a user typically uses the same ID and password and those are the most logical candidates to pursue.
 
On the topic of AVSforums, their parent company is Vertical Scope and they were hacked completely. It wasn't isolated to just AVSforums; it was all of the VS owned forums, which included one I am a member of, wrestlingforum.com.

So yes, they were not secured and got hacked.


Sent from my RCT6773W22B using Tapatalk
 
So yes, they were not secured and got hacked.
As I noted in post #17, I wouldn't be so sure that all 600 properties were sharing the same database. Some forums only support certain database engines. For example, XenForo only supports MySQL while the Discourse forum software only supports PostgreSQL.

Recommending strong and unique passwords is always good practice.
 
Sure it is, but again strong passwords from the members would not have stopped this data breach that they had. Users' passwords had NOTHING to do with it.

I think they do in some sense. Maybe I'm wrong but weren't user names and passwords stolen in this breach? If so there are plenty of people who use the same user name and password on every website. I was one of those people until just a couple weeks ago. That means that if they stole my user name and password from one site they would have my user name and password for every site.

I think this is the reason strong and unique passwords are recommended. Now that I'm using LastPass to generate strong and unique passwords if I had my account info stolen from AVSForum that is the only account info they would get. They wouldn't also get my bank accounts and that kind of thing.
 
Sure it is, but again strong passwords from the members would not have stopped this data breach that they had. Users' passwords had NOTHING to do with it.
I think the hope is that people will start using applications to create unique passwords if strong passwords with varying criteria are required.

With my current logins on various forums and businesses, there is no one password that will satisfy them all and that's the ultimate goal.
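As an added illustration of the "let a program generate them" approach discussed above (example code, not from the thread or from any password manager): a checker for the exact five-rule policy quoted at the top of the thread, a generator that always satisfies it, and a per-site vault so that one forum's breach does not hand over the password for any other site. The symbol set and the site names are assumptions for the example.

```python
import secrets
import string

# Policy as quoted in the thread: at least 10 characters, and at least one
# lower-case letter, upper-case letter, digit and symbol.
MIN_LENGTH = 10
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",  # assumed symbol set for this example
}


def policy_violations(password):
    """Return the names of the rules the password fails; empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            failures.append(name)
    return failures


def generate_password(length=16):
    """Generate a random password that is guaranteed to satisfy every rule.

    One character is drawn from each class first (so no class can be missing),
    the remainder from the full alphabet, and the order is then shuffled with a
    CSPRNG so the class positions are not predictable."""
    if length < MIN_LENGTH:
        raise ValueError("length below policy minimum")
    chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()]
    full_alphabet = "".join(CLASSES.values())
    chars += [secrets.choice(full_alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def generate_vault(sites, length=16):
    """One distinct password per site, so a leaked database for one site only
    exposes that site's password (the point made about unique passwords above)."""
    vault = {site: generate_password(length) for site in sites}
    if len(set(vault.values())) != len(vault):
        raise RuntimeError("collision in generated passwords; regenerate")
    return vault
```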
 