

lskohn

join:2000-08-17
Chicago, IL
reply to Hall

Re: site user password intrusion info

didn't beat many here: 8/17/2000...bad days back then for Ameritech DSL!

Well, it just shows it's a good thing I've been squishing out other passwords recently, but now I have to run through KeePass (at least I've had that backup!) and figure out what needs changing.

I appreciate the tutorial a few pages back on generating strong site-specific passwords...I could never figure out how to do that in a way that wouldn't overtax this ancient mind.

Off to change a few more sites...


hurleyp

join:2000-06-20
Ottawa, ON
Reviews:
·Rogers Hi-Speed

1 recommendation

reply to justin
Password notification received, and password changed. I would like to see just what format of passwords DSLR accepts. I use a password store that lets me use very long and very secure passwords that I do not have to commit to memory. Will the DSLR system accept passwords that are 64 characters long comprised of mixed case/digits/special characters? Or is there a limit of, say, 8 characters with no special characters? I've seen sites that will seemingly accept a long password via paste, but quietly truncate the entry at the text box.

I want to create as ugly a password as possible.
--
"I reject your reality and substitute my own."

stlouisdsl1

join:2001-06-10
Saint Peters, MO
reply to justin

Re: site user password intrusion info

I haven't participated here in ages, I was one of the "lucky" ones who had their email/password compromised, I initially panicked but quickly figured out it was unique to this site so no harm no foul.

Thanks for letting us know in a timely fashion, hopefully the hackers didn't have enough time to screw anyone over.


JRBlood
Premium
join:1999-12-28
Syracuse, NY
Reviews:
·Verizon FiOS
reply to fatness
said by fatness:

I just had the system generate another random password and send it to the email address on your account.

Could you do the same for me? I still haven't seen the email after two attempts and I just checked the antispam system and it's not in there.


Andrew J
Premium
join:2001-11-09
Lancaster, PA
reply to justin
Got the message and don't see any other problems.


jig

join:2001-01-05
Hacienda Heights, CA

1 edit
reply to justin
i can only hope that the other sites i'm a member of are as forthcoming, since it appears that a ton are being hacked. i wonder about arstechnicaforums.

i changed the password here (i must have caught your email before the forced-new), and changed the password in the associated gmail account (how can i be mad at you when i've been lax enough to cross use the same password?).

i looked at past login attempts (available at the bottom of the gmail page when you're logged in) and didn't see anything out of the ordinary, though gmailmanager checks often enough that another IP could have been already obliterated from the logs (reminds me - google should change that log so that it's not the last 20 login attempts, but the last 20 different IPs).

i also checked my gmail recovery settings - you can't see the answers to the personalized questions, so those are probably secure (depending on cross referencing other hacked sites, or some gmail hack), and the recovery email address for my gmail account (the one you can use to recover your password to the gmail account) has a password different from the old dslreports password AND the associated gmail account, so my gmail recovery settings appear to be completely secure from this hack.

if there is anything i would add to your warning email, Justin, it is that a user who has cross used their dslr password for the associated email account should double check their recovery settings for the associated email account to make sure: 1) that the cross-used password isn't also the password for the associated email account's recovery email address (there has got to be a less confusing way to write that); 2) that the recovery settings for the associated email account haven't otherwise been changed.

question 1: is there any reason to also turn off POP access to the associated email account if you've already changed its password? like: do we have to worry about timely password propagation across google's gmail server farm?

question 2: how secure are the new passwords? are you reasonably sure that the intruders are now blocked from accessing things they shouldn't have access to? once you encrypt/hash the email accounts and passwords for dslr, will you update us, and should we go ahead and plan on changing our passwords again then?

edit - whoops, actually i changed my password before the forced-new was enforced, so had to redo again this morning. hopefully we'll learn when the passwords are encrypted, and then i'll change it to something more permanent.


bjf123
We Want... A Shrubbery
Premium
join:2000-02-11
Hamilton, OH
reply to hurleyp
said by hurleyp:

Password notification received, and password changed. I would like to see just what format of passwords DSLR accepts. I use a password store that lets me use very long and very secure passwords that I do not have to commit to memory. Will the DSLR system accept passwords that are 64 characters long comprised of mixed case/digits/special characters? Or is there a limit of, say, 8 characters with no special characters? I've seen sites that will seemingly accept a long password via paste, but quietly truncate the entry at the text box.

I want to create as ugly a password as possible.

I'd be curious about this, too. I got the e-mail from Justin this morning and quickly changed my password, though it's in the same general format I use with a lot of sites. I recently started using Lastpass (www.lastpass.com) to manage my passwords. Since it can generate long, complex passwords and then auto fill them, I'm thinking of changing all my online passwords to something unique for every site.
--
Golf is a relatively simple game, played by reasonably intelligent people, stupidly.


whocares256
Tag?, What Tag? TAG You're it.

join:2002-03-10
Anna, TX
Reviews:
·Grayson County T..
·DSL EXTREME
·Callcentric
reply to justin
Changed Password. Join date is 2002-03-10
(10th year!) so I'm on the early side of the history of the website. I have groups of passwords I use on other sites. On most other sites the usernames are different, but same password. That is now changed. I use the base password and then different passwords on the end of that. I would recommend a rotation password. At work my password is changed every 90 days. The only thing I worry about is it is 8 characters long. I will now be researching SQL injection to see what SQL/SQL injection is.

humor\ Best firewall is the 3 inch air gap from the network cable being unplugged. \humor


mgullick

join:2001-03-24
Chico, CA

1 edit
reply to psx_defector
said by psx_defector:

said by nklb:

Is there any correlation between the user accounts affected? (Similar member numbers or join date? frequent posters? seemingly completely random?)

Judging by the posters on this thread, it sounds as though they got the first part of the table. Oldest join date is 2002. So if they were slurping the table down, it would start from the first account and go forward.

It definitely isn't by amount of posts, I've been lurking in the background for a bit. Just never felt like posting anything.

Actually my join date is older than stated above.

join:2001-03-24

There was one site that used the password in question: this one. I had actually used it as the password on a couple of routers but I changed those as well after receiving the notification mail.
--
Madness takes its toll. Please have exact change.


Weirdal
Premium
join:2003-06-28
Grand Island, NE
kudos:21

1 edit
reply to Rick
said by Rick:

First..Justin, as far as I'm concerned if you spend one single minute beating yourself up over this on my or many people i'm sure who frequent this site, then you spent one minute too long.

Actually this was a pretty huge security mistake that should never have happened. 135,000+ users now have their passwords in someone's hands. Your post belongs in a topic like this, not this one. He absolutely should beat himself up about this.

I am glad I woke up to find this thread though.
--
»[Info] The DSLR Orangeface extension 2.0!


trebzon

join:2001-09-03
Grandville, MI
reply to justin
I can say this wreaked havoc with me. (As a very old account it was from the days that I used a coordinated email and password for most accounts). I spent most of the morning hours (12 AM - 1:30 AM) auditing my accounts and vulnerability. Although I wasn't pleased to get the email I am happy with the rapidity of your communication and the openness of it as well. I trust that this will mean an update to security (as mentioned) as well.


CylonRed
Premium,MVM
join:2000-07-06
Bloom County
reply to Weirdal
Not all of the accounts were compromised - last number I read was 9K.


Hall
Premium,MVM
join:2000-04-28
Germantown, OH
kudos:2
said by CylonRed:

Not all of the accounts were compromised - last number I read was 9K.

Isn't that what they always say ?


Starfish
Per Ardua Ad Astra
ExMod 2002-04
join:2000-12-28
Netherlands
reply to justin
Dear Justin,

First of all, I must admit that I'm somewhat surprised by the storage of passwords in plain text. Then again, just like tonycpsu, I do develop software as well and I too would hate it if all my skills were judged against a single bug or moment of failure. Software will basically never be perfect*, and in all the years that I've been a member here (quite a while) you and the rest of the team have done an awesome job to keep things running while growing in both size and functionality.

But sometimes things just happen, sadly this attack has hit your website.

Having a compromised/affected user account, I appreciate it very, very much that you are honest and clear in your e-mail. Many companies/people would not have the guts to do this.

And please consider switching to a hashed (+salt) password when you've got the time for it/all of this behind you!

* Unless one takes extreme measures, e.g. the process/team behind the software for the Space Shuttle.
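hurleyp's question about whether the site quietly truncates long passwords, and Starfish's suggestion of salted hashes, both come down to what the back end does with the password before storing it. The following is an added example and is not code from dslreports or from either poster: a standard-library implementation of salted PBKDF2 storage, a hypothetical AccountStore that can be configured to reproduce the truncation defect, and the black-box probe hurleyp describes (set a 64-character password, then try to log in with prefixes of it). The store, the probe lengths and the passwords are constructed for the demonstration.

```python
"""Salted password hashing, plus a probe for silent password truncation.

Added example: this is not code from dslreports or from anyone in this thread.
It uses only the Python standard library. AccountStore is a hypothetical
stand-in for a site's account back end, and the passwords used below are
constructed for the demonstration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 work factor. Kept low so the demo runs in seconds;
# OWASP's current guidance for this algorithm is 600,000 iterations.
ITERATIONS = 100_000
SALT_BYTES = 16
# Reject absurdly long input explicitly instead of cutting it silently.
MAX_PASSWORD_BYTES = 1024


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage.

    A fresh random salt per user means two users with the same password get
    different stored values, so a leaked table cannot be attacked with one
    precomputed lookup and every row has to be cracked separately.
    """
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password longer than %d bytes" % MAX_PASSWORD_BYTES)
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", raw, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


class AccountStore:
    """Hypothetical account back end holding one password hash per user.

    truncate_at models the defect hurleyp describes: a form field or database
    column that quietly keeps only the first N characters. None means the
    password is used exactly as entered.
    """

    def __init__(self, truncate_at: Optional[int] = None):
        self._truncate_at = truncate_at
        self._rows: Dict[str, str] = {}

    def _as_stored(self, password: str) -> str:
        return password if self._truncate_at is None else password[: self._truncate_at]

    def set_password(self, user: str, password: str) -> None:
        self._rows[user] = hash_password(self._as_stored(password))

    def check_login(self, user: str, password: str) -> bool:
        stored = self._rows.get(user)
        return stored is not None and verify_password(self._as_stored(password), stored)


# Field and column limits a site is likely to have picked, shortest first.
PROBE_LENGTHS = (8, 10, 12, 16, 20, 24, 32, 40, 48)


def truncation_length(store: AccountStore, user: str, length: int = 64) -> Optional[int]:
    """Black-box test for silent truncation, as hurleyp proposes.

    Sets a `length`-character password, confirms it logs in, then tries each
    shorter prefix. Returns the shortest probed prefix that is accepted (an
    upper bound on where the back end cuts), or None if only the full
    password works.
    """
    alphabet = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789!@#$%^&*()-_=+[]{};:,.<>?/")
    long_pw = (alphabet * (length // len(alphabet) + 1))[:length]
    store.set_password(user, long_pw)
    if not store.check_login(user, long_pw):
        raise RuntimeError("the full-length password was rejected outright")
    for n in PROBE_LENGTHS:
        if n < length and store.check_login(user, long_pw[:n]):
            return n
    return None


if __name__ == "__main__":
    print("proper store truncates at:", truncation_length(AccountStore(), "probe"))
    print("legacy store truncates at:", truncation_length(AccountStore(truncate_at=8), "probe"))
```

Run as a script, the proper store reports None and the legacy store reports 8. Two caveats worth keeping in mind: PBKDF2 accepts input of any length, but bcrypt ignores everything past 72 bytes, which is exactly the silent truncation hurleyp is asking about, so a site that picks bcrypt should enforce and display its own limit rather than let the library cut; and hashing protects only the password column, so the registration e-mail addresses taken in this incident would have been exposed regardless.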


burner50
Proud Union THUG
Premium
join:2002-06-05
Fort Worth, TX
kudos:1
reply to justin
I would appreciate a reply to my E-Mail.


Bulgaro
Android, There's a hack for that

join:2001-05-24
Cape Coral, FL
reply to justin
Thanks Justin, I am keeping a close eye on my email account, got to love Google for their two step verification.
Just a quick note, I've been a member for over 10 years and this is the first time something like this happened.
It says a lot about your commitment to your members, thanks again.

redblkjck
Premium
join:2001-11-07
Pasadena, MD
reply to justin
no problems here, never used same password twice. thx for keeping informed.


PapaDos
Cum Grano Salis
Premium,MVM
join:2001-02-08
Lasalle, QC
kudos:3
reply to justin
Just to clarify:
- They got the Email we used to register at DSLR
- They got our DSLR password
So this could be bad only if we used our DSLR password somewhere else.

Did they also get our DSLR user name or user ID?
Did they get any other information that can help those idiots to identify us (location, Zip code, etc.) ?
--
Festina Lente


Metal Head
Premium
join:2001-02-15
Escondido, CA
reply to justin
Got the email this morning and promptly changed my password, luckily this is the only site with that password so hopefully I should be all good.

Thanks Justin for the quick response.


felony
guiding you home
Premium
join:1999-12-05
Aurora, CO
reply to justin
thanks for the quick heads up.

any got a good recommendation for a program like roboform/lastpass etc that manages passwords?
--
i control airplanes.


Fir_Na_Tine
Giggity Giggity
Premium
join:2001-01-03
Sout Joisy
reply to justin
Thanks for the prompt notice and owning up to everything Justin. I won't beat you up, shit happens and in the 10 years I've been here this is the first time I remember it. I'm not as techie as most here so I don't know if it's something you did or didn't do but I'm confident you'll make things right.
--
"When the power of love overcomes the love of power, the world will know peace."
-Jimi Hendrix


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1
reply to justin
I echo PapaDos' questions. What about UserName?

Also, you may have stated this somewhere, but just to clarify:

If our Email address is listed as "Not Public" on our page, was our Email address taken?

Now the dumb question - eh, I looked on my "Page" and could not find a link to change my password! Where is it? (I'll figure it out, but maybe a quick link on the user Page might be helpful!)
____________

Add: above is the list of My Links. Where do I go to change my password???


lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone
kudos:57


Hall
Premium,MVM
join:2000-04-28
Germantown, OH
kudos:2
reply to burner50
said by burner50:

I would appreciate a reply to my E-Mail.

Did justin's original e-mail to you have "I will try to reply when I am able" ? I suspect he's busy....


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1
reply to lilhurricane
Thank you! Got it.

Duh, and I do see that link list in Justin's first post. I just could not find it from my page!


Redbook

join:2000-12-23
united state
reply to PapaDos
Same question. Did they get the user name and email address or just the email address?


Hall
Premium,MVM
join:2000-04-28
Germantown, OH
kudos:2

1 recommendation

reply to R2
said by R2:

I echo PapaDos' questions. What about UserName?

Also, you may had stated this somewhere, but just to clarify:

If our Email address is listed as "Not Public" on our page, was our Email address taken?

Generally speaking, who cares about the username (and password) for this site. As he pointed out, the thing to worry about is if people use the same e-mail and password for logins at other sites such as online banking, ebay, Paypal, etc.

And whether or not your e-mail is *displayed* on your profile page here isn't relevant. They got access to the back-end of the site, not the front, visible side.


openupshop

join:2000-11-25
Chandler, AZ

1 recommendation

reply to justin
I'm so glad I got this email last night to my phone. Thank you Android! I went ahead and changed all my passwords immediately.

Thank you Justin.

psx_defector

join:2001-06-09
Allen, TX
kudos:1
reply to baloosh
said by baloosh:

Oldest join date so far: 8/3/2000.

EDIT: CRAP! Beaten by dudes even older (on this site) than me!

This is what I get for not proofreading my own post.

I meant YOUNGEST, not oldest. Some 1999, myself at 2001. It only looks like it's us old timers, and if it's sequentially in the database it would make sense that it was the first part of the database that was slurped.