Page 1 of 2 (results 1 to 25 of 35)
  1. #1
    Join Date
    Mar 2005
    Location
    Dystopia
    Posts
    21,113

    The Russians Hacked TGR Forums!

    Run for your lives! Impeach Trump.

    no, seriously, just crossposting this interesting nugget about the vBulletin data breach, which only shows up under "new posts search" or if you happen to check the "Ask TGR" forum, which is browsed daily by very few people.
    Posting here in the main chatter forum as a public service.

    http://www.tetongravity.com/forums/s...in-Data-Breach
    . . .

  2. #2
    Join Date
    Nov 2014
    Location
    northeast
    Posts
    5,885
    A good reminder as always to not reuse passwords across sites. It's 2017, consider using a password manager.

  3. #3
    Join Date
    Sep 2005
    Location
    Not in the PRB
    Posts
    32,993
    Quote Originally Posted by mbillie1 View Post
    A good reminder as always to not reuse passwords across sites. It's 2017, consider using a password manager.
    Pardon my lack of knowledge on the issue, because the number of passwords I have to use is enormous. But how do pw managers work? Even if their security is seriously strong (as I assume it is), can't they be compromised?
    "fuck off you asshat gaper shit for brains fucktard wanker." - Jesus Christ
    "She was tossing her bean salad with the vigor of a Drunken Pop princess so I walked out of the corner and said.... "need a hand?"" - Odin
    "everybody's got their hooks into you, fuck em....forge on motherfuckers, drag all those bitches across the goal line with you." - (not so) ill-advised strategy

  4. #4
    Join Date
    May 2008
    Location
    37ft above the hood
    Posts
    16,576
    Quote Originally Posted by Danno View Post
    Pardon my lack of knowledge on the issue, because the number of passwords I have to use is enormous. But how do pw managers work? Even if their security is seriously strong (as I assume it is), can't they be compromised?
    what if you forget the password for the password manager

    anyone know a good password manager password manager ?
    Zone Controller

    "He wants to be a pro, bro, not some schmuck." - Hugh Conway

    "DigitalDeath would kick my ass. He has the reach of a polar bear." - Crass3000

  5. #5
    Join Date
    Mar 2006
    Location
    Missoula, MT
    Posts
    22,488
    Glad I probably used some old password I never use anymore.

    Why are all these passwords able to be decrypted?
    Has anyone ever stolen Active Directory passwords? I know any time a user couldn't log in, I would have to reset their password, not look it up for them.
    What gives?
    No longer stuck.

    Quote Originally Posted by stuckathuntermtn View Post
    Just an uneducated guess.

  6. #6
    Join Date
    Nov 2014
    Location
    northeast
    Posts
    5,885
    Quote Originally Posted by Danno View Post
    Pardon my lack of knowledge on the issue, because the number of passwords I have to use is enormous. But how do pw managers work? Even if their security is seriously strong (as I assume it is), can't they be compromised?
    edit: I never answered how they work. the way mine works is: when I have to log in to a website, I hit cmd-\ on my mac, enter my master password, and the password manager enters the password for the site/app in question. all my passwords are as strong as the various sites/applications allow (very long, drawing from as many character sets as permitted) and all unique. I don't know any of them offhand, but I don't have to. 1password works on my phone as well. LastPass is another popular option. both are relatively inexpensive given the benefit, imo.

    typically they work in conjunction with a secret key of some sort which they do not keep (up to you); this key is cryptographically quite strong, unable to be recovered, and required to access your information on any new device. https://support.1password.com/1password-security/ <- this is the one I use.

    the likelihood of the combination of a good master pw + this key being compromised borders on the computationally infeasible, and at any rate limits you to worrying about 3-letter-acronym state actors, and not the sort of people who hack places like TGR. so even if 1password is breached, without knowing both my hopefully unguessable master password (which they store only salted+hashed, not in plaintext, hopefully using a strong hashing algorithm) AND this almost certainly unbreakable cryptographic master key, it's not really a concern to me. if 1password were hacked tomorrow I would change my master password and basically not worry about it after that. my other passwords would still be almost certainly quite secure.

    as DD asks below if you forget the pw for the pw mgr, you are fucked. nonrecoverability of data is a security feature. print out your master key or write it down someplace, and don't forget your master password.
    Last edited by mbillie1; 03-22-2017 at 03:21 PM.
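The "master password plus a secret key you keep" design from the post above, as an added example in Python. This is not code from the post and not 1Password's own implementation; it is a simplified model of the idea (PBKDF2 on the password, a random 256-bit secret key mixed in, and only a verifier tag kept server-side). All function names, the XOR combination step and the tiny iteration count are this example's own choices.

```python
"""Two-secret key derivation (added example; simplified model, not 1Password's
real code). The vault-unlock key depends on BOTH the memorised master password
and a random secret key that only the user's devices hold, so a copy of the
service's database alone is not enough to attack a weak master password."""
import hashlib
import hmac
import secrets

ITERATIONS = 1_000  # demo value; real deployments use far more (or a memory-hard KDF)


def derive_unlock_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """PBKDF2 stretches the human-chosen password; the high-entropy secret key
    is bound to the same salt and XORed in, so both halves are needed."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    sk_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(unlock_key: bytes) -> bytes:
    """The only thing the server keeps: a tag derived from the unlock key,
    never the password, the secret key, or the key itself."""
    return hmac.new(unlock_key, b"unlock-verifier", hashlib.sha256).digest()


def enroll(master_password: str):
    """Account setup. Returns (server_record, secret_key): the server record is
    what a breach of the service leaks; the secret key stays with the user
    (written down / printed, as the post suggests)."""
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(32)
    key = derive_unlock_key(master_password, secret_key, salt)
    return {"salt": salt, "verifier": make_verifier(key)}, secret_key


def dictionary_attack(server_record, candidates, secret_key=None):
    """Attacker holding a stolen server record tries each candidate password.
    With the secret key (stolen device) this is an ordinary offline guess.
    Without it every guess also needs the 256-bit secret key; drawing a random
    one per guess stands in for that hopeless search and never matches."""
    salt, target = server_record["salt"], server_record["verifier"]
    for guess in candidates:
        sk = secret_key if secret_key is not None else secrets.token_bytes(32)
        if hmac.compare_digest(make_verifier(derive_unlock_key(guess, sk, salt)), target):
            return guess
    return None


# Constructed sample input: a weak master password and a small attacker wordlist.
WORDLIST = ["123456", "password", "qwerty123", "correcthorse", "letmein"]

if __name__ == "__main__":
    record, user_secret_key = enroll("correcthorse")
    print("server breach only:", dictionary_attack(record, WORDLIST))
    print("device + server   :", dictionary_attack(record, WORDLIST, user_secret_key))
```

The point the demo makes: "correcthorse" is in the wordlist, so once the attacker also has the secret key (a compromised device) the weak master password falls immediately; with only the server's copy it does not. That is why the post treats the two as separate things to protect, and why losing the secret key means losing the data rather than a reset.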

  7. #7
    Join Date
    Nov 2014
    Location
    northeast
    Posts
    5,885
    Quote Originally Posted by stuckathuntermtn View Post
    Why are all these passwords able to be decrypted?
    Has anyone ever stolen Acitve Directory passwords? I know any time a user couldn't log in, I would have to reset their password, not look it up for them.
    What gives?
    I can't speak specifically to vbulletin (what tgr runs on) pw hashing because I am unfamiliar with vbulletin, probably andrew can chime in. "decryption" of a stored password in any remotely modern application should be impossible, as they should not be encrypted at all but rather hashed with a one-way cryptographic hashing algorithm. however, unsalted hashed passwords can be attacked using what is known as a rainbow table: an attacker precomputes the outputs of a variety of common passwords (say, all alpha-numeric combinations <= 10 chars, starting with the most common 1k passwords known) using commonly used hashing algorithms and compares the hashed result. If they match and there is no salt, they know the input password. If you're one of those people who uses "qwerty123" and your email as your pw for, say, TGR and your bank, all of a sudden you have a problem.

    these days it is very common for password attacks like this - stealing passwords for a useless service (if I'm stealing passwords it's probably not to impersonate you in polyass, rather I'm interested in your bank pw, or better yet your email, from which I can reset all of your other pws) - to use this attack vector, assuming password reuse and targeting the low-hanging fruit of people with one easy-to-brute-force password everyplace.

    it also bears mentioning that there is a little bit of that guy lacing up his running shoes getting chased by a bear here... you don't really need to have an impossibly secure password setup to avoid being targeted, you just want to not be one of the low hanging fruit.

    but really everyone who has online banking, loans, credit card accounts, etc should be using a password manager. and also probably compare their passwords to that annual "500 most common passwords" list that someone or other puts out.
    Last edited by mbillie1; 03-22-2017 at 03:29 PM.
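The difference the post draws between unsalted hashes and properly stored passwords, as an added Python example (not from the post, and not vBulletin's real password code). The leaked rows and the attacker wordlist are constructed for the demo. The attacker's "lookup table" here is a plain precomputed dictionary of hashes; a true rainbow table compresses that with reduction chains, but the effect on unsalted hashes is the same.

```python
"""Unsalted fast hash vs. salted slow KDF (added example with constructed data).
Shows why a leaked table of unsalted hashes is cracked by a one-time
precomputation, and why salting plus a slow KDF forces the attacker back to
per-user, per-guess work."""
import hashlib
import hmac
import secrets

ITERATIONS = 1_000  # demo value; production uses far more (or scrypt/argon2)

# Attacker's wordlist (constructed; real ones hold millions of entries)
WORDLIST = ["123456", "password", "qwerty123", "letmein", "dragon", "hunter2"]


def weak_hash(password: str) -> str:
    """Unsalted, fast hash, as many old web packages stored passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute once, reuse against every leaked database ever."""
    return {weak_hash(w): w for w in wordlist}


def crack_unsalted(leaked_rows, table):
    """One dict lookup per user; cost does not grow with the number of users."""
    return {user: table[h] for user, h in leaked_rows.items() if h in table}


def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def store_password(password: str) -> dict:
    """What the site should keep: a random per-user salt and a slow, salted hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify_password(record: dict, attempt: str) -> bool:
    expected = salted_hash(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, record["hash"])


def crack_salted(leaked_records, wordlist):
    """No precomputation possible: every guess is recomputed per user at full
    KDF cost. Returns (cracked, kdf_calls) so the extra cost is visible."""
    cracked, kdf_calls = {}, 0
    for user, record in leaked_records.items():
        for guess in wordlist:
            kdf_calls += 1
            if verify_password(record, guess):
                cracked[user] = guess
                break
    return cracked, kdf_calls


# Constructed leaked data: two wordlist passwords and one generated one.
PLAINTEXTS = {"alice": "qwerty123", "bob": "hunter2", "carol": "Tz7!vQm#p2Lw"}
LEAKED_UNSALTED = {u: weak_hash(p) for u, p in PLAINTEXTS.items()}
LEAKED_SALTED = {u: store_password(p) for u, p in PLAINTEXTS.items()}

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(LEAKED_UNSALTED, table))
    print("salted  :", crack_salted(LEAKED_SALTED, WORDLIST))
```

Two things to notice when running it: the precomputed table finds nothing in the salted records at all, and even the brute-force loop has to spend six KDF calls on carol and still comes up empty, because a generated password is not in any wordlist. Salting and a slow KDF raise the attacker's cost; only a unique, non-dictionary password (the kind a manager generates) takes the account off the table entirely.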

  8. #8
    Join Date
    Dec 2003
    Location
    Seattle
    Posts
    33,562
    If the Russians can penetrate the security measures of the TGR server closet then nowhere is safe from them.
    Quote Originally Posted by Downbound Train View Post
    And there will come a day when our ancestors look back...........

  9. #9
    Join Date
    Sep 2004
    Location
    LV-426
    Posts
    21,181
    Quote Originally Posted by PNWbrit View Post
    If the Russians can penetrate the security measures of the TGR server closet then nowhere is safe from them.
    Dunfee left the door open.
    Quote Originally Posted by powder11 View Post
    if you have to resort to taking advice from the nitwits on this forum, then you're doomed.

  10. #10
    Join Date
    Oct 2003
    Location
    slc
    Posts
    18,006
    Quote Originally Posted by Danno View Post
    Pardon my lack of knowledge on the issue, because the number of passwords I have to use is enormous. But how do pw managers work? Even if their security is seriously strong (as I assume it is), can't they be compromised?
    No experience with PW managers, but a good method I read about that I've been using for a few years now to create strong, unique, remember-able passwords is the prefix-suffix method. Basically, you develop a "prefix" that is very strong, different cases, numbers, symbols, no dictionary words, etc. You use this prefix for all your passwords. Then you add an easy to remember "suffix" onto the end of that for each site/system. So, your TGR password is ********tgr, your Facebook password is ********fb, etc. Works pretty well, I rarely forget a password anymore. The complexity of the suffix should be dependent on the importance of the account, i.e. bank/CC account suffixes should be less obvious than TGR or Instagram.

    Quote Originally Posted by mbillie1 View Post
    I don't know any of them offhand, but I don't have to.
    What happens if you want/need to log in through a public or borrowed device?

    Quote Originally Posted by mbillie1 View Post
    print out your master key or write it down someplace
    This seems like a terrible idea.

  11. #11
    Join Date
    May 2008
    Location
    37ft above the hood
    Posts
    16,576
    my TGR password is an animal

    crack it

    i dare you
    Zone Controller

    "He wants to be a pro, bro, not some schmuck." - Hugh Conway

    "DigitalDeath would kick my ass. He has the reach of a polar bear." - Crass3000

  12. #12
    Join Date
    May 2009
    Location
    inpdx
    Posts
    20,254
    what year is 24k users from the beginning?

  13. #13
    Join Date
    Sep 2006
    Posts
    6,404
    Clearly Rob Story just fucking with us.

    Can't we just get the most recent join date of the 24,500 member to simplify knowing if we are in the group or not?

  14. #14
    Join Date
    Jan 2009
    Location
    FEMA RGN X
    Posts
    953
    +1 for 1Password.

  15. #15
    Join Date
    Dec 2010
    Location
    Last Best City in the Last Best Place
    Posts
    7,344
    Quote Originally Posted by digitaldeath View Post
    my TGR password is an animal

    crack it

    i dare you
    Chicken

  16. #16
    Join Date
    Oct 2006
    Location
    C-Town
    Posts
    5,542
    I use mSecure as a password manager. It's not as seamless as 1Password but seems to be more secure (based on what friends smarter than me tell me).
    Quote Originally Posted by twodogs View Post
    Hey Phill, why don't you post your tax returns, here on TGR, asshole. And your birth certificate.

  17. #17
    Join Date
    Nov 2014
    Location
    northeast
    Posts
    5,885

    Quote Originally Posted by Dantheman View Post
    What happens if you want/need to log in through a public or borrowed device?

    This seems like a terrible idea.
    If you want to log in through a public device use the 1Password app on your phone to get the pws.

    Keeping your master key - not master password mind you - written down is basically your only option. Obviously you don't write your password down. You need both to get into the account (only enter it once on a trusted device though; in practice you rarely ever need it) and one is generated randomly and is going to be difficult to memorize.

    You're free to disagree of course but I strongly recommend reading about pw reuse attacks. Easy to remember = easy to break. Doesn't take much to try common suffixes, even if they aren't related to the domain, and you bet people do this. You might reconsider your "just change the suffix" approach. The whole idea of passwords is pretty weak but using a pw manager is absolutely the best approach. Also enable 2 factor auth everywhere that permits it.

  18. #18
    Join Date
    Feb 2008
    Location
    Seattle
    Posts
    612
    I highly recommend a password manager. If you don't use one yet, you need to start and you need to be religious about adding every new login to the password manager.

    I personally use passwordsafe (https://pwsafe.org/). It gets Bruce Schneier's endorsement and that's good enough for me. I store the file in a cloud location similar to dropbox so that I can access the file from any of my computers. It's free and it works for me but I suspect that it's more cumbersome than some of the better paid options like LastPass, 1Password, Keeper, Dashlane, etc.

  19. #19
    Join Date
    Feb 2008
    Location
    Seattle
    Posts
    612
    Quote Originally Posted by Dantheman View Post
    No experience with PW managers, but a good method I read about that I've been using for a few years now to create strong, unique, remember-able passwords is the prefix-suffix method. Basically, you develop a "prefix" that is very strong, different cases, numbers, symbols, no dictionary words, etc. You use this prefix for all your passwords. Then you add an easy to remember "suffix" onto the end of that for each site/system. So, your TGR password is ********tgr, your Facebook password is ********fb, etc. Works pretty well, I rarely forget a password anymore. The complexity of the suffix should be dependent on the importance of the account, i.e. bank/CC account suffixes should be less obvious than TGR or Instagram.
    Your prefix-suffix method might be secure until one password is compromised. Then the whole system is broken. Or maybe I'm misunderstanding how it works.

    Compare that to these passwords that were generated by a password manager: *\xWs8Er1{[p or D6d2.Gj4HSW8 or kQN(:8zm5We< The best part is, I never have to type them. I have one relatively simple to remember, hard to crack password to remember and then I let the password manager autofill both the login name and the password for me.

    Ultimately, the whole system is flawed but until passwords are a thing of the past, we're going to be dealing with more and more of them. Everyone should find a system that is easy to use and reasonably secure.

    This blog post on the topic by Bruce Schneier is worth a read: https://www.schneier.com/blog/archiv..._secure_1.html

    Quote Originally Posted by Dantheman View Post
    What happens if you want/need to log in through a public or borrowed device?
    In three years, this hasn't been an issue for me.

  20. #20
    Join Date
    Sep 2010
    Location
    Pyongyang
    Posts
    686
    Dear TGR Friends,
    Are you worried about the security of your online passwords and bank account information? I would like to invite you to use one of our secure servers located in the Democratic People's Republic of Korea where we have been protecting the privacy of our citizens and friends for over 50 years. We use only the most secure of encryption methods such as modern bit-oriented block ciphers that prevent unauthorized use of your private information. Rest assured that your confidential information is kept safe from the prying eyes of the US and foreign governments without the use of clumsy password managers. The DPRK respects the human ideal of Juche, where man is the master of his domain and his online identity is secure.

    Respectfully,
    Kim Jong-un
    Supreme Leader DPRK


  21. #21
    Join Date
    Mar 2005
    Posts
    702
    Quote Originally Posted by Rideski View Post
    Clearly Rob Story just fucking with us.

    Can't we just get the most recent join date of the 24,500 member to simplify knowing if we are in the group or not?
    24401 were prolly blurred aliases.

    24,500 is after whatever my join date is.

    You can check https://haveibeenpwned.com/ .

  22. #22
    Join Date
    Feb 2013
    Posts
    959
    Quote Originally Posted by digitaldeath View Post
    my TGR password is an animal

    crack it

    i dare you
    Opossum?

    This is interesting stuff. So what about the security image requirements? Is that also "hackable"?
    Last edited by tango uniform; 03-23-2017 at 03:58 AM.

  23. #23
    Join Date
    Nov 2005
    Location
    Mt Baldys shoes
    Posts
    2,983
    Quote Originally Posted by digitaldeath View Post
    my TGR password is an animal

    crack it

    i dare you
    Hedgehog....
    [attached image: can-hedgehogs-get-the-nfl-out-of-a-thorny-situation.jpg]

  24. #24
    Join Date
    Sep 2001
    Location
    The Cone of Uncertainty
    Posts
    49,306
    Quote Originally Posted by digitaldeath View Post
    my TGR password is an animal

    crack it

    i dare you
    Jackass.

  25. #25
    Join Date
    May 2009
    Location
    inpdx
    Posts
    20,254
    i reset my password just cuz...and fuck if it didn't cause problems.

    app and web access didn't want to accept the same passwords and ended up resetting via both tools with conflicting results.

    Left it alone last night and am now resetting once more via web & the app is saying login failed...wtf?
