Possible Data Breach Warning

[Bryanpoprobson]

Just had this come up as a warning... Is anyone aware of this on here?


Bryanpoprobson
••••••••••
Found in data breach
Just now

[Zakalwe]

Are you using Chrome?

[Bryanpoprobson]

Occasionally..

[bknight]

Are you using Chrome?

Never.
A colleague and I spent the better part of three days uninstalling Chrome, so that the infected computer could do emails again.  I have been very careful to watch those add-ons when installing other software that carries Chrome with it.

[Zakalwe]

Occasionally..

It now tells you if your username and passwords have been breached. The warning it displays sounds like the one that you received.

Are you using Chrome?

Never.
A colleague and I spent the better part of three days uninstalling Chrome, so that the infected computer could do emails again.  I have been very careful to watch those add-ons when installing other software that carries Chrome with it.

Sounds like he knew exactly what he was doing if it took 3 days to install a browser....

[Bryanpoprobson]

It was referring to this site, this was my concern.

[bknight]

Occasionally..

It now tells you if your username and passwords have been breached. The warning it displays sounds like the one that you received.

Are you using Chrome?

Never.
A colleague and I spent the better part of three days uninstalling Chrome, so that the infected computer could do emails again.  I have been very careful to watch those add-ons when installing other software that carries Chrome with it.

Sounds like he knew exactly what he was doing if it took 3 days to install a browser....

We were uninstalling, as it takes maybe 2 minutes to install, but uninstalling finding all the links and files that point to Chrome was a bother.

[LunarOrbit]

Just had this come up as a warning... Is anyone aware of this on here?

I haven't encountered that error before. So it was Chrome warning you, or the forum?

The forum stores your password encrypted, so any breach of the forum database would not reveal your password. But I'd recommend changing your password just to be safe.

On my end, I have just installed a "fresh" copy of the forum software to make sure there aren't any security issues with it, and I also removed the Tapatalk extension (it's possible they had a security breach on their end that might affect anyone that uses the app to access the forum).

[grmcdorman]

LO: Password stored encrypted or hashed? Encrypted is reversible, hashed is (in theory) not. I would hope the latter; most modern systems use hashes.

(Hashes can also be subject to attacks, depending on the hash algorithm and the way it is used, BTW; again, a modern implementation will use best practices to make that hard).

[LunarOrbit]

LO: Password stored encrypted or hashed?

They are hashed.

[grmcdorman]

That's what I thought; of course as a software developer (with an interest in security) I like to use the technically correct terms. Thanks.

[JayUtah]

The problem with hashes is that you still need long and/or interesting passwords, and not to reuse them at other sites.  For all the major hash algorithms, there already exist lists of precomputed hashes from combinations of all the keyboard characters.  As of about five years ago, the list was up to all combinations of six or fewer characters.  So if your password is shorter than six characters, and someone obtains the password file/table for a site, the password that generated the stored hash is effectively in the clear and can be used to exploit other resources a hacker might be able to associate with your identity.  For example, my password here is not the same as my password at other forums.  So while someone might be able to crack the hash here and obtain my password here in plain text, it would be useless at other forums where I also use the name JayUtah.

[LunarOrbit]

That's what I thought; of course as a software developer (with an interest in security) I like to use the technically correct terms. Thanks.

Yeah, using "encrypted" interchangeably with "hashed" is a bad habit of mine that I need to break. But I think most people don't know what "hashed" means and if you explain it to them they will just say "Oh, so you mean they are encrypted?".

The problem with hashes is that you still need long and/or interesting passwords, and not to reuse them at other sites.

That was my concern with having Tapatalk connected to the forum. I can do what I can to ensure the forum software is secure, but once a third party gets involved in how people use the forum it is no longer 100% in my hands. I don't know for sure that Tapatalk is a problem since they haven't announced a security breach, but by removing it's access to the forum I'm removing it as a potential security hole.

The only other 3rd party add-on I've installed for the forum is one that adds a bbcode for embedding YouTube videos into the editor. Theoretically it could be logging people's passwords or something, but I doubt it.

[grmcdorman]

@Jay: As I'm absolutely sure you know, that's what salts are supposed to be for; they should make every instance of the same password different (and make precomputed hashes pointless). Any credential hashing that isn't also using a salt is, from a security standpoint wrong.

So how do these precomputed tables work? (I vaguely recall rainbow tables from when I watched some online courses on security; is that what they are?)

[JayUtah]

Right, the tables would only work if the passwords aren't salted, which (I'm told) still isn't universal practice.  And how they work is very straightforward.  You have a list of hashes -- say MD5 or SHA256 -- ordered or indexed for fast search, and the corresponding plaintext that they were generated from.