Security Update

Jul 10, 2011, 11:27 pm
#1
Joined: Dec 2, 2007
Location: New Attnam
Interests: bananas
Posts: 2,309
As I explained briefly earlier, the reason the hacker was able to retrieve some people's passwords was that they were encrypted using MD5 (because phpBB, the old forum software, also used it), which is susceptible to rainbow table attacks.

We're now using a much stronger encryption algorithm (SHA1 + a unique salt, looped multiple times).

I can now 99.9999999% guarantee that even if somebody were to get access to both the encrypted passwords and our unique salt, there is no way they could convert them into the unencrypted original values.

So, go change your password, esp. if you were on the list of people targeted earlier. After you change it you'll have to log in again.

The forum isn't safe yet, but I promise your passwords are.
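The scheme described in the post above (a salt plus SHA-1, iterated), written out as an added example; this is not the forum's code, and the round count, salt length and the choice of a random per-user salt are assumptions. It also keeps an unsalted MD5 function beside it so the rainbow-table point is visible: with MD5 alone two users with the same password store the same digest, so one precomputed table cracks both; with per-user salts their stored values differ. A dedicated password hash (PBKDF2, bcrypt or scrypt) is what a practitioner would reach for today, but the mechanism of salting and iteration is the same.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (not from the post): how many times SHA-1 is looped,
# and how many random bytes of salt each user gets.
ROUNDS = 10_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, rounds: int = ROUNDS) -> str:
    """SHA-1 applied `rounds` times, mixing the salt in on every round.

    Returns the hex digest that would be stored in the users table.
    """
    digest = salt + password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha1(salt + digest).digest()
    return digest.hex()


def create_record(password: str) -> dict:
    """Make a fresh random salt for this user and return what the DB stores."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt.hex(), "hash": hash_password(password, salt)}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_md5(password: str) -> str:
    """The old phpBB-era storage: one deterministic digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def linkable_across_users(store_fn, password: str) -> bool:
    """True if two users choosing the same password end up with identical
    stored values, i.e. if one precomputed table would crack both at once."""
    return store_fn(password) == store_fn(password)


if __name__ == "__main__":
    # Constructed sample password, not a real credential.
    rec = create_record("hunter2")
    print("stored:", rec)
    print("login ok:", verify_password("hunter2", rec))
    print("md5 linkable:", linkable_across_users(unsalted_md5, "hunter2"))
    print("salted linkable:",
          linkable_across_users(lambda p: create_record(p)["hash"], "hunter2"))
```

The iterated loop is what makes each guess cost thousands of hashes instead of one, and the per-user salt is what stops a single precomputed table from being reused; a site-wide salt alone slows the attacker down but still lets one table serve every account.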
Jul 11, 2011, 3:10 am
#2
Joined: Dec 4, 2007
Occupation: Perfect Soldier
Location: Astragius Galaxy
Interests: Fiana, Peace, Melons
Posts: 1,057
Well, thanks Cap.
Proudly bringing disaster and mental scarring to Attnam since '05!

"You have a rather pleasant chat about finite superarmpits with Sanae the shrine maiden."

You hear distant shuffling.

The Enner Beast tells you to COOL IT!!
Jul 11, 2011, 8:29 am
#3
Joined: Dec 3, 2007
Occupation: Chaos Weaver
Location: Standing between all life and death
Posts: 2,898
Indeed. Much appreciated.
Uchuudonge wrote
creating stable chaos
making patterns where there should be none
sewing order into the chaos
you spit in the face of random numbers, of chaos
Jul 11, 2011, 2:15 pm
#4
Joined: Nov 22, 2008
Interests: IVAN
Posts: 1,170
Thanks!
Beware! 'tis EagleV, Hardcore Weaver of Baskets!
Jul 11, 2011, 2:32 pm
#5
Joined: Jul 6, 2011
Posts: 7
Thanks very much for the update and for fixing it!
Jul 19, 2011, 8:27 am
#6
Joined: Dec 2, 2007
Location: New Attnam
Interests: bananas
Posts: 2,309
Another update - some of you might have noticed we had another white-hat hacker. The problem was that some of my code allowed for SQL injection, which is a really simple problem to fix, but something I hadn't taken the time to clean up yet. Again, this is the result of having years-old code, and I knew the problem was there but I figured with custom code we'd be safe until I finished rewriting the entire site. Stupid mistake.

Well, unlike the other one, this guy was actually helpful since he created an account and I was able to email him. He double checked the loophole he had found earlier and said it was fixed. Of course I won't feel completely comfortable until I'm done rewriting the code, but for now, at least the easy ways in are closed.

And now we just have to figure out why everything always seems to break with BDR...
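The kind of flaw the post above describes, shown as an added example that is not the forum's code: a login lookup built by pasting user input into the SQL string, beside the same lookup using bound parameters. Table layout, usernames and hash values are constructed for the demonstration. The unfixed version both misbehaves on an ordinary apostrophe in a name and lets crafted input change the query's logic; the parameterized version treats the input as data in every case, which is why the fix is simple once it is applied consistently.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("cap", "hash-of-caps-password"), ("O'Brien", "hash-of-obriens-password")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username: str, password_hash: str):
    """The years-old pattern: request values are spliced into the SQL text,
    so anything the user types becomes part of the query itself."""
    sql = (
        "SELECT username FROM users "
        "WHERE username = '%s' AND password_hash = '%s'" % (username, password_hash)
    )
    return conn.execute(sql).fetchone()


def find_user_fixed(conn, username: str, password_hash: str):
    """Bound parameters: the database receives the SQL and the values
    separately, so input can never alter the statement's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


def apostrophe_breaks_query(lookup, conn) -> bool:
    """A legitimate name containing a quote is the cheapest detection signal:
    the spliced query fails with a syntax error, the bound one just works."""
    try:
        lookup(conn, "O'Brien", "hash-of-obriens-password")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    print("fixed, O'Brien:", find_user_fixed(conn, "O'Brien", "hash-of-obriens-password"))
    print("vulnerable breaks on apostrophe:", apostrophe_breaks_query(find_user_vulnerable, conn))
    print("fixed breaks on apostrophe:", apostrophe_breaks_query(find_user_fixed, conn))
```

The apostrophe test is worth keeping as a regression check: a database error on a name like O'Brien is the same defect that a deliberate injection exploits, so any code path that fails it still needs converting to bound parameters.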
Jul 19, 2011, 11:41 pm
#7
Joined: Dec 3, 2007
Occupation: Chaos Weaver
Location: Standing between all life and death
Posts: 2,898
Break Down Risk
Uchuudonge wrote
creating stable chaos
making patterns where there should be none
sewing order into the chaos
you spit in the face of random numbers, of chaos
Jul 27, 2011, 11:35 pm
#8
Joined: Dec 4, 2007
Occupation: Perfect Soldier
Location: Astragius Galaxy
Interests: Fiana, Peace, Melons
Posts: 1,057
Ahem...
Proudly bringing disaster and mental scarring to Attnam since '05!

"You have a rather pleasant chat about finite superarmpits with Sanae the shrine maiden."

You hear distant shuffling.

The Enner Beast tells you to COOL IT!!