

Ubuntu forums breached - all passwords compromised - boothead
http://ubuntuforums.org/announce.html?t=534261

======
welder
So glad I use a random different password for EVERY account.

~~~
tommaxwell
Not sure if sarcasm, or you're saying you use the same password on every site.

~~~
welder
It wasn't a joke. I create a 60+ character random password for every website.
There are many tools available to help you manage your passwords.

I do have an ubuntuforums.org account and I DID use a random password so I WAS
glad that I didn't have to rush to change all my passwords.

------
lcedp
Well, salted hashed - not exactly "passwords compromised"?

~~~
harrytuttle
As good as.

    $stored = md5(md5($password) . $salt);

That is the simple hash function.

~~~
sirmarksalot
Confused here. Are you saying that ease of implementation makes it easy to
reverse? Or are you agreeing with GP?

~~~
harrytuttle
Sorry, it's easy to reverse.

There are sites you can just go to and they'll crack the passwords for you in
no time at all.

Edit: I'm aware of rainbow tables and salts and how hashes work, etc. They are
easy to crack if they are on password lists, which they mostly are these days if
you have a shit password, which is 90%+ of us. Not only that, the $salt on a
good chunk of vBulletin sites from the vb2 days is not a strong salt.

Go here to get people to crack passwords for you:
[http://forum.md5decrypter.co.uk/default.aspx](http://forum.md5decrypter.co.uk/default.aspx)

With respect to the feasibility, it's really easy to do an md5 and you don't
just do the whole list, you pick interesting email addresses and start there.

~~~
irahul
The purpose of the salt is to invalidate rainbow tables. With salt, the only
way to reverse is to compute all combinations. With advances in GPUs, it has
become easier for some hash functions, but it isn't easy to reverse by any
measure.

What are these sites which will crack the passwords in no time? Try reversing
this:

38b2cf16f7be6a1b33097084bed6a4b0:lsdjfldsjlfds

~~~
elchief
it's asdfasdf

~~~
irahul
Umm...no.

    In [17]: '38b2cf16f7be6a1b33097084bed6a4b0' == hashlib.md5('lsdjfldsjlfds' + 'asdfasdf').hexdigest()
    Out[17]: False

------
nnwa
As I said when I previously commented, I find it pretty ironic that these kinds
of breaches could have been avoided by simply creating a whitelist for their
admin panel. This isn't rocket science. The majority of breaches of this size
that keep occurring are password reuse or open admin panels (brute-force
attacks). Who needs a vulnerability when an attacker can simply look up the
administrators in databases they already have?

------
lukeman
It would be nice if they'd allow you to test whether your email was in the
data. As-is I'm left wondering if I ever had an account.

~~~
seewhat
I believe Canonical sent warning emails to ubuntuforums.org account addresses.

------
narsil
Previous discussion here:
[https://news.ycombinator.com/item?id=6078588](https://news.ycombinator.com/item?id=6078588)

------
rob22
It's a forum, people simply asking their doubts. Why were they hacking these
sites? I can't figure it out exactly.

~~~
aram
Email addresses + passwords + possibly other things as well.

Many people reuse the same email and password on other services/websites, so
this is pretty valuable and sensitive information.

------
mukundmr
I hope they used something sensible like bcrypt for encryption instead of MD5
which is too easy to crack these days.

~~~
kachnuv_ocasek
It's not encryption, it's hashing. Also, I don't see how MD5 is easy to crack.

~~~
chmodd
MD5 is so fast on GPUs, you can do some pretty ridiculous dictionary attacks
in a matter of minutes (like trying every combination of words that has ever
been written in a book or posted online - using google's n-gram corpus for
example). Then you have plenty of time to try letter substitutions (3 for e),
combinations such as word + number + word, etc. This doesn't apply of course,
if your password is a long string of random characters.
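
The scheme harrytuttle quoted, irahul's point about what a salt does and does not buy, and chmodd's point about fast hashing, worked through as an added Python example (not code from the thread or from vBulletin); the accounts, salts and wordlist below are constructed, and PBKDF2 stands in for the slow hash mukundmr asks for because bcrypt is not in the standard library.

```python
import hashlib
import hmac


def vb_hash(password: str, salt: str) -> str:
    """Stored-hash scheme quoted in the thread: md5(md5(password) . salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def vb_verify(password: str, salt: str, stored: str) -> bool:
    """Constant-time comparison of a candidate against the stored hex digest."""
    return hmac.compare_digest(vb_hash(password, salt), stored)


def precomputed_table(wordlist):
    """Unsalted md5 lookup table: built once, reusable against every account."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def table_hits(table, stored_hashes) -> int:
    """How many stored hashes a precomputed table resolves with no new hashing."""
    return sum(1 for h in stored_hashes if h in table)


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Stdlib stand-in for a deliberately slow, salted password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed sample: two accounts that chose the same weak password,
# each with its own (constructed) per-user salt.
USERS = {"alice": "password", "bob": "password"}
SALTS = {"alice": "a1b2", "bob": "c3d4"}
WORDLIST = ["123456", "password", "qwerty"]


def demo() -> dict:
    """Contrast unsalted md5 with the salted scheme against one precomputed table."""
    table = precomputed_table(WORDLIST)
    unsalted = [hashlib.md5(p.encode()).hexdigest() for p in USERS.values()]
    salted = [vb_hash(p, SALTS[u]) for u, p in USERS.items()]
    return {
        # Without a salt, equal passwords give equal hashes: one table entry, many accounts.
        "unsalted_identical": unsalted[0] == unsalted[1],
        # With per-user salts the table is useless; each account needs fresh guessing,
        # which is only costly if the hash itself is slow (md5 is not).
        "salted_identical": salted[0] == salted[1],
        "unsalted_table_hits": table_hits(table, unsalted),
        "salted_table_hits": table_hits(table, salted),
    }
```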

------
jlebrech
This is why I always use a memorable low-entropy password for forums and a
high-entropy one for emails.

Any unimportant site that demands a high-security password (or low-entropy
with silly rules) gets put into my KeePass.

------
blablabla123
Note to myself: don't use my primary mail account for website registrations.

~~~
sspiff
I switched to using a few registration-specific emails after getting my own
domain: spambox@example.com for really dodgy sites or sites I suspect will
generate a bunch of crap periodical emails, and register@example.com for the
sites I have a little more faith in.

It allows for much easier filtering of my email as well: I only get the emails
I care for in my inbox.

~~~
ygra
I tend to use things like “sitename@example.com”. That way I can also see who
gave my account details away when spam appears.

~~~
maaaats
I use somename+sitename@example.com, since I don't use catch all and don't
want to create a new e-mail for each registration. Most e-mail providers will
ignore the +sitename part and send it to your inbox.

------
trvz
"If they can't keep their forums secure, why should I even use their operating
system?"

~~~
ygra
Because very likely very different people work on administering the fora and
developing the operating system.

