Well, if it's happened to a number of websites then why didn't you make the password storage more secure? I'm sure you're doing your best, you guys work hard, I'm just pretty annoyed.
It's pretty sloppy of website owners and developers to rely on hashing passwords as some idea of security. Hashing is not encryption and the site should have used proper encryption in the first place instead of something that many websites can decode for you in a minute or two.
Sloppy sloppy sloppy to risk members passwords like that
Hashing is the way in which pretty much all passwords are stored; you cannot de-hash a password unless you use either a brute-force attempt or a dictionary-based attack. You could argue it's more secure than encryption, because with encrypted data all they need is the private key and then they have ALL OF THE DATA.
Hashing is a very common method of storing passwords, and it's not as easy to crack as you are suggesting. It's specifically designed to not be decrypted, and indeed can't be. To the best of my knowledge the only way to crack a password which is hashed using md5 is via a brute force method.
Correct, although MD5 is very weak by modern standards; as it's been about so long there are massive lists of precompiled hashes that can be used as a dictionary-based attack (look up rainbow tables if you're interested).
How would we hear about it? Anyone who has had their information compromised would probably have no idea how.
These people who now have our information; they have thousands of emails and potentially passwords so it'll take a long time to decode it if they want to make any use of it. The e-mails alone don't provide much to them.
They may be opportunists but now they have the information they can do as they please. With us now knowing we can try to make most of that information defunct by changing our passwords but a lot of people won't or might forget to change it on one or two websites.
I meant that we'd know if someone gained access to our bank account/paypal account and stole some money (for instance). We haven't heard of any such horror stories - yet. It probably means one of two things is true. Either 1) the hacker hasn't been able to/tried to actually brute force the passwords, or 2) he has and hasn't done anything with them. In either case changing all passwords now will render what information the hacker has as being pretty useless. It doesn't matter whether people know for certain if their information has been compromised or not, the only thing that really matters now is changing all your details so that if you have been compromised then you are secure again.
As already discussed above, it won't take a while to brute force the hashed passwords that were stored on TSR if the hacker chose to. We're not talking weeks or anything if the hacker knows what they're doing.
I'm not disputing what the hackers might be able to do if they have your password. Not sure how you seem to have picked up that I have suggested this isn't a dangerous scenario?
Agreed, although these rainbow tables are useless if you use a long and random salt with each password.
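The point made in the two posts above (precomputed hash lists make unsalted MD5 a lookup rather than a computation, and a long random per-user salt makes those lists useless) can be seen directly in code. The following is an added example, not code from the thread or from TSR; it uses only Python's standard library, a constructed six-word "wordlist" standing in for the real multi-gigabyte lists, and assumes the simple salt-prefix construction md5(salt || password) for the salted case. It also shows the next step the thread does not spell out: salting only forces the attacker to hash the wordlist once per user, so a deliberately slow KDF (PBKDF2 here) is what actually makes that per-user work expensive.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist: a stand-in for the huge precomputed lists the
# thread refers to. Everything below is illustrative, not TSR's scheme.
WORDLIST = ["password", "123456", "letmein", "qwerty", "student2012", "hunter2"]


def md5_hex(text: str) -> str:
    """Plain, unsalted MD5 as many older sites stored it."""
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once, before any breach. This is the idea
    behind rainbow tables (a real table compresses this, but the effect is the
    same: no hashing is needed at crack time)."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(leaked_hashes, table):
    """Unsalted MD5: recovering a password is a dictionary lookup."""
    return {h: table[h] for h in leaked_hashes if h in table}


def store_salted_md5(password: str, salt_len: int = 16):
    """Per-user random salt, stored alongside md5(salt || password)."""
    salt = os.urandom(salt_len)
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def crack_salted_with_table(leaked_records, table):
    """The precomputed table is useless against salted hashes: the stored
    value is md5(salt || password), which matches none of the md5(word)
    entries, so this returns nothing useful."""
    return {digest: table[digest] for _, digest in leaked_records if digest in table}


def crack_salted_online(leaked_records, words):
    """With salts the attacker must hash the wordlist afresh for every user.
    Returns (recovered, number_of_hashes_computed) to show the cost scales
    with the number of accounts instead of being paid once."""
    recovered, work = {}, 0
    for salt_hex, digest in leaked_records:
        salt = bytes.fromhex(salt_hex)
        for w in words:
            work += 1
            if hashlib.md5(salt + w.encode()).hexdigest() == digest:
                recovered[digest] = w
                break
    return recovered, work


def store_pbkdf2(password: str, iterations: int = 200_000):
    """Salt plus a slow, iterated KDF: each guess now costs `iterations` HMAC
    computations, so the per-user work above becomes expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), iterations, dk.hex()


def verify_pbkdf2(password: str, record) -> bool:
    """Recompute and compare in constant time to avoid timing side channels."""
    salt_hex, iterations, dk_hex = record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    users = ["letmein", "hunter2", "Tr0ub4dor&3"]  # constructed sample passwords
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted([md5_hex(p) for p in users], table))
    salted = [store_salted_md5(p) for p in users]
    print("salted + table:", crack_salted_with_table(salted, table))
    print("salted + online:", crack_salted_online(salted, WORDLIST))
    rec = store_pbkdf2("hunter2")
    print("pbkdf2 verify:", verify_pbkdf2("hunter2", rec), verify_pbkdf2("hunter3", rec))
```

Two of the three constructed passwords fall to the table instantly when unsalted; with salts the table yields nothing and the attacker has to spend fifteen MD5 computations across three users to recover the same two, a cost that grows with every account and that PBKDF2's iteration count multiplies further.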
Before I start, I'd just like to say I know how much of a disaster and headache this must be for the TSR team.
Anyway, on the TSR blog you say this:
Like a number of websites recently, The Student Room has been the victim of an attack by someone intent on capturing user data. The minute we found out we took every possible step to protect our members’ data and we are continuing to increase our security.
What confuses and annoys me is that TSR did not take 'every possible step to protect its members' data' when a number of other websites were hacked. Why did TSR not jump into action after other websites (LinkedIn especially) were hacked?
You have thousands of members, which turns into thousands of email addresses and passwords, and you didn't bother to step up the security of the site in case you were hacked.
I'd like to know the answer to this, so please don't ignore it.
Hi there,
I thought I'd quickly respond - I can completely understand your frustration and we do take this situation incredibly seriously. In fact, TSR has always taken security incredibly seriously.
To clarify on one point, the actual security systems we have are very strong and they weren't hacked exactly. A single privileged user account was compromised, giving the individual access to do what they did.
As soon as we were notified, every privileged account and system password was changed immediately.
Unfortunately, if someone is intent on doing something like this we can't always predict how they will do it. We've learnt some tough lessons today and have already put in place even stronger processes and systems to protect our members. Thankfully, TSR doesn't store a great deal of personal information, so by updating a password people's data will be safe.
We are sorry this has happened and people have been working 24/7 to make sure it doesn't happen again. We'll keep you all updated on progress and news as it happens.
Jack
Thanks for replying
What security measures do you have in place to protect these privileged accounts (before this happened)?
To be honest, I'd prefer not to go into detail with them for now because it's better not to share our security measures in a public way. In a few days we'll be able to explain more.
Okay, well I hope you did the basics, such as making them change their password monthly (at least), making sure their passwords are not real words and contain numbers and special characters, etc.