old - Fazer Owners Club - old

General => General => Topic started by: Farjo on 29 August 2013, 11:26:51 pm

Title: foc-u, hacking and your data (a warning)
Post by: Farjo on 29 August 2013, 11:26:51 pm
As far as I know, foc-u has not been hacked and no data has been stolen. This post is just a warning, a heads-up.

** Forum hacking has become more and more common. **

There's nothing bad about foc-u's security and we are probably not big enough to be a target. However we should have it in mind.

Therefore:

Please note that this is not related to getting spam postings, which you should continue to report using the 'Report to moderator' link.
Title: Re: foc-u, hacking and your data (a warning)
Post by: ChristoT on 29 August 2013, 11:33:47 pm
Personally, I never post anything to the internet I have any intention of keeping private. I think the most personal stuff I've sent by PM has been my number and email. And my email's been hacked before now anyway....  :rolleyes
Title: Re: foc-u, hacking and your data (a warning)
Post by: Chris on 30 August 2013, 12:22:04 am
Just to confirm for anyone who took part in the Silicone hose group buy that I have deleted all your personal info from my PMs a long time ago.  ;)
 
Chris
Title: Re: foc-u, hacking and your data (a warning)
Post by: noggythenog on 30 August 2013, 09:20:21 am
Thanks Farjo, deadeye was chatting to me about this sort of thing yesterday as he's a crook ;) , I mean an IT guru! :D


I've now gone through all of my messages & deleted any sensitive data. Surprising how much was there.


Actually I've also gone way back to my introduction & deleted it too as I told my life story on there.


Once deleted is there pretty much no way of hacking the info??? Well, unless you were GCHQ, but I take it you have like a bulk delete of deleted info or something?


We should prob keep this thread bumped & see if most of the forum can do some spring cleaning.
Title: Re: foc-u, hacking and your data (a warning)
Post by: mickvp on 30 August 2013, 09:58:10 am
Once it's deleted mate it's gone. Well, that's how it works on the bulletin database anyway, smf may be slightly different.
Title: Re: foc-u, hacking and your data (a warning)
Post by: noggythenog on 30 August 2013, 10:00:52 am
Once it's deleted mate it's gone. Well, that's how it works on the bulletin database anyway, smf may be slightly different.


Cheers Mick
Title: Re: foc-u, hacking and your data (a warning)
Post by: simonm on 30 August 2013, 12:57:52 pm
I use lastpass to create and manage random passwords.  I can highly recommend it.

As for your bank logon mine is about 15 stages and requires blood and urine samples to get in to. So anyone that wants those has to have a screw loose.

I'd also recommend giving credit card details (verbally if possible) as the credit card company will reimburse you against fraudulent use.
Title: Re: foc-u, hacking and your data (a warning)
Post by: dBfazer600 on 30 August 2013, 01:27:27 pm
Deleted all PMs that I have sent and received to keep people's minds at rest. I always delete messages with personal details immediately.

Daz
Title: Re: foc-u, hacking and your data (a warning)
Post by: simonm on 30 August 2013, 01:53:24 pm
Ol Jezza makes me laugh

http://news.bbc.co.uk/2/hi/7174760.stm (http://news.bbc.co.uk/2/hi/7174760.stm)
Title: Re: foc-u, hacking and your data (a warning)
Post by: dBfazer600 on 30 August 2013, 02:05:09 pm
 :rollin :rollin :rollin That man is priceless and a foc-u from his friendly fan who had to prove him a knob jockey on this occasion   :lol

Daz
Title: Re: foc-u, hacking and your data (a warning)
Post by: His Dudeness on 31 August 2013, 02:41:17 pm
Would it be possible to put an expiration date on messages? So say after two months they automatically get deleted.
Title: Re: foc-u, hacking and your data (a warning)
Post by: Farjo on 31 August 2013, 05:24:19 pm
Nice suggestion, however it would upset many people who keep useful information in their PMs.
Title: Re: foc-u, hacking and your data (a warning)
Post by: Dead Eye on 31 August 2013, 05:31:42 pm
I think he means an optional expiry date which you as the user can set on messages that you send. In any case, there is nothing to guarantee that the end user won't copy that data to some other place. The only guaranteed security is to not send sensitive information that could be compromising and let's not even talk about man-in-the-middle attacks...
Title: Re: foc-u, hacking and your data (a warning)
Post by: goldfazer on 01 September 2013, 07:16:19 pm
Can the login passwords not be encrypted?

That's web security for dummies stuff!!
Title: Re: foc-u, hacking and your data (a warning)
Post by: simonm on 01 September 2013, 07:29:54 pm
Can the login passwords not be encrypted?

That's web security for dummies stuff!!

This kinda stuff :-) http://stackoverflow.com/questions/5482437/md5-hashing-using-password-as-salt (http://stackoverflow.com/questions/5482437/md5-hashing-using-password-as-salt)
Title: Re: foc-u, hacking and your data (a warning)
Post by: Dead Eye on 01 September 2013, 07:40:55 pm
I'd be horrifically surprised if SMF didn't use MD5 as a minimum on the passwords. These days though, MD5 is beginning to show a weakness against the sheer processing power available in modern machines coupled with the use of Rainbow Tables (too large a topic to cover)

On most systems I work with I use SHA-1 as minimum but am often using SHA-256 now
Title: Re: foc-u, hacking and your data (a warning)
Post by: Hedgetrimmer on 01 September 2013, 08:07:19 pm
I just whisper very quietly... :pc
Title: Re: foc-u, hacking and your data (a warning)
Post by: simonm on 01 September 2013, 08:10:55 pm
Apparently bcrypt is the way forward but who knows.... I'm guessing security and mathematics experts.  I.e. not me.

http://codahale.com/how-to-safely-store-a-password/ (http://codahale.com/how-to-safely-store-a-password/)
Title: Re: foc-u, hacking and your data (a warning)
Post by: Farjo on 03 September 2013, 07:30:56 pm
Can the login passwords not be encrypted?

That's web security for dummies stuff!!

Yes they're encrypted, however this is what I've read elsewhere:
"Yes, they are encrypted. Unfortunately it's possible to brute force with about 3 billion, or more, attempts *per second*.
A very interesting article about that, if you care, is located here:
http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125 (http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)"
Title: Re: foc-u, hacking and your data (a warning)
Post by: mickvp on 03 September 2013, 07:33:42 pm
I'm not sure if you have implemented this or not, but if not, you could add something that times users out after xx minutes if they make xx number of failed logins. It still doesn't solve the problem, but it's a deterrent.
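The timeout mickvp describes, as an added example that is not part of the original thread and not SMF's own code: a small per-account limiter that counts failed logins inside a sliding window and refuses further attempts for a lockout period once the threshold is hit. The thresholds (5 failures in 10 minutes, 15 minute lockout), the `ManualClock` helper and the `attempt_login` wrapper are all assumptions made for the demonstration.

```python
import time
from collections import deque
from typing import Callable, Deque, Dict


class ManualClock:
    """Injectable clock so the lockout logic can be exercised without
    waiting real minutes (test helper, an assumption of this example)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class FailedLoginLimiter:
    """Lock an account for lockout_seconds once max_failures wrong
    passwords arrive within window_seconds. Defaults are assumed values,
    not SMF's configuration."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 600.0,
                 lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[account]   # lockout has expired
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Call after a wrong password. Returns True when this failure
        tipped the account into lockout."""
        now = self.clock()
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(limiter: FailedLoginLimiter, account: str, password: str,
                  check_password: Callable[[str, str], bool]) -> str:
    """Returns 'locked', 'ok' or 'bad'. The password check is skipped
    entirely while the account is locked."""
    if limiter.is_locked(account):
        return "locked"
    if check_password(account, password):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "bad"


if __name__ == "__main__":
    clock = ManualClock()
    limiter = FailedLoginLimiter(max_failures=3, window_seconds=60, lockout_seconds=300, clock=clock)
    users = {"alice": "correct horse"}   # constructed sample credential
    check = lambda a, p: users.get(a) == p
    for attempt in ("wrong", "wrong", "wrong", "correct horse"):
        print(attempt, "->", attempt_login(limiter, "alice", attempt, check))
    clock.now = 301
    print("after lockout ->", attempt_login(limiter, "alice", "correct horse", check))
```

Keying the limiter on the account name alone means anyone who knows a username can lock that user out, so a deployment would normally also rate-limit by source address and log each lockout for the moderators. As mickvp says, it only slows online guessing; it does nothing once a copy of the database has been stolen.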
Title: Re: foc-u, hacking and your data (a warning)
Post by: simonm on 03 September 2013, 07:43:41 pm
Can the login passwords not be encrypted?

That's web security for dummies stuff!!

Yes they're encrypted, however this is what I've read elsewhere:
"Yes, they are encrypted. Unfortunately it's possible to brute force with about 3 billion, or more, attempts *per second*.
A very interesting article about that, if you care, is located here:
http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125 (http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)"

MD5 and SHA are designed to be processed quickly.  That's why they're not good for storing passwords as brute force attacks get a quick response.  The way around it is to make the processing slow because passwords don't need to be decrypted quickly.  That's where Bcrypt comes in.


https://en.wikipedia.org/wiki/Bcrypt (https://en.wikipedia.org/wiki/Bcrypt)
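The two points made above by Dead Eye (an unsalted fast hash is exposed to rainbow tables) and by simonm (MD5 and SHA are fast by design, so the fix is to make each guess expensive), as an added example that is not from the thread, from SMF or from the linked articles. It puts the weak scheme beside a salted, deliberately slow one and measures how many guesses per second each allows on the machine it runs on. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, since the thread's argument is about the work factor, not the specific algorithm; the iteration count, the sample password and the function names are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

SAMPLE_PASSWORD = "fazer600"      # constructed sample, not a real credential
PBKDF2_ITERATIONS = 100_000       # assumed work factor; raise until one check costs tens of ms


def fast_unsalted_md5(password: str) -> str:
    """The weak scheme: one MD5 pass and no salt. Every user with the same
    password gets the same digest, so one precomputed (rainbow) table or one
    GPU run serves every account in the stolen table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = PBKDF2_ITERATIONS) -> str:
    """The stronger scheme: random per-user salt (defeats shared tables) plus
    an iterated KDF (makes each guess cost `iterations` HMAC computations).
    The salt and iteration count are stored with the digest so the check can
    be repeated later and the work factor raised over time."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_slow_salted_hash(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so the comparison itself leaks no timing information."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn: Callable[[str], str], guesses: int) -> float:
    """Rough single-threaded measurement of how many candidate passwords per
    second someone holding the stolen table could test with this scheme."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"guess{i}")
    elapsed = time.perf_counter() - start
    return guesses / elapsed if elapsed > 0 else float("inf")


def slowdown_factor(fast_guesses: int = 20_000, slow_guesses: int = 10) -> float:
    """How many times slower the salted, iterated scheme makes each guess
    than plain MD5: the 'orders of magnitude' the thread talks about."""
    fixed_salt = b"\x00" * 16   # fixed only so the timing loop is comparable
    fast = guesses_per_second(fast_unsalted_md5, fast_guesses)
    slow = guesses_per_second(lambda p: slow_salted_hash(p, fixed_salt), slow_guesses)
    return fast / slow


if __name__ == "__main__":
    stored = slow_salted_hash(SAMPLE_PASSWORD)
    print("stored record:", stored)
    print("verify correct:", verify_slow_salted_hash(SAMPLE_PASSWORD, stored))
    print("verify wrong:  ", verify_slow_salted_hash("not it", stored))
    print("same password, same MD5:", fast_unsalted_md5("x") == fast_unsalted_md5("x"))
    print("same password, different salted hash:", slow_salted_hash("x") != slow_salted_hash("x"))
    print(f"salted KDF is about {slowdown_factor():,.0f}x slower per guess than MD5")
```

The measured factor is whatever this machine gives, not the 40 seconds versus 12 years figure quoted from the bcrypt article; the point it shows is that the defender chooses the cost per guess, and that the per-user salt removes the shortcut of one table for every account.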

Title: Re: foc-u, hacking and your data (a warning)
Post by: Farjo on 03 September 2013, 07:46:06 pm
The danger is that someone who has stolen the database can then use brute force to obtain the user passwords, rather than attempt it on the live site which would swamp the log files.
Title: Re: foc-u, hacking and your data (a warning)
Post by: simonm on 03 September 2013, 08:12:28 pm
The danger is that someone who has stolen the database can then use brute force to obtain the user passwords, rather than attempt it on the live site which would swamp the log files.
If someone stole the database and it was encrypted with Bcrypt then they could get a password in 12 years or so depending on configuration.


"So we're talking about 5 or so orders of magnitude. Instead of cracking a password every 40 seconds, I'd be cracking them every 12 years or so"
Title: Re: foc-u, hacking and your data (a warning)
Post by: Farjo on 03 September 2013, 08:47:42 pm
Search the SMF site for bcrypt - you may understand what you find!