SECURITY: change passwords, right now !

Dawn of Light related news and announcements.

Moderator: Developer Team

Postby Graveen » Wed Sep 16, 2009 10:30 pm

Hello community,

Due to some problems in the website troubleshooting, it is HEAVILY suggested to change the following passwords:

- forum account
- daocportal account
- Storm ingame account (type /password to change it from ingame)


The risk is mainly an encrypted password catch, that could be broken in a couple of hours.
Thanks for your understanding.
* pm me to contribute in Dawn of Light: code, database *
Graveen
Project Leader
 
Posts: 12660
Joined: Fri Oct 19, 2007 9:22 pm
Location: France

Re: SECURITY: change passwords, right now !

Postby brink668 » Thu Sep 17, 2009 12:40 am

The spam setting that is blocking gmail users from signing up is also preventing me from changing password. :confused:
brink668
Support Team
 
Posts: 722
Joined: Tue Oct 18, 2005 2:54 am
Website: http://www.computerrich.com

Re: SECURITY: change passwords, right now !

Postby Tolakram » Thu Sep 17, 2009 1:01 am

brink668 wrote:The spam setting that is blocking gmail users from signing up is also preventing me from changing password. :confused:


I was able to change passwords with Firefox, no problem. ????
- Mark
Tolakram
Storm / Storm-D2 Admin
 
Posts: 9189
Joined: Tue Jun 13, 2006 1:49 am
Location: Kentucky, USA

Re: SECURITY: change passwords, right now !

Postby johndoe » Thu Sep 17, 2009 5:42 am

phpBB encryption is one way only, there's no way to decrypt it back into original state.

daocportal account - what's that? :?

storm ingame account? hmm. sounds like you let someone else gain access to the database.

there's something you're not telling us, not all of the truth :?:
Note: I'm not Johndoe in any game. Don't trust impersonators!
[Will PK for food.]
Apache/PHP/MySQL/VB6
johndoe
DOL Experienced
 
Posts: 178
Joined: Sun Apr 27, 2008 7:46 am
Location: Cloud 9

Re: SECURITY: change passwords, right now !

Postby Dunnerholl » Thu Sep 17, 2009 6:51 am

johndoe wrote:phpBB encryption is one way only, there's no way to decrypt it back into original state.

daocportal account - what's that? :?

storm ingame account? hmm. sounds like you let someone else gain access to the database.

there's something you're not telling us, not all of the truth :?:


It's no encryption, it's simply hash values. And there are huge hash databases that you can use for reverse lookups, rainbow tables... and even if not, you can create them.

I think the problem would be for people using the same pw for all kinds of things, so if one is found it works for all.
Dunnerholl
Developer
 
Posts: 1229
Joined: Mon Sep 08, 2008 8:39 pm

Re: SECURITY: change passwords, right now !

Postby johndoe » Thu Sep 17, 2009 12:01 pm

There're things worth breaking into, and there're things not worth the time spent on breaking into. None of the mentioned above accounts are worth the time the hacker needs to spend to write a program to break into. Hackers do it for either fame or profit, nothing else. Most of the people that play on Storm, and have some value to their accounts have no idea what programming is, not even to mention that they are absolutely clueless about where even to begin about getting someone else's password. It's like getting paranoid about some nasty hacker breaking into your screen saver to readjust timer delay, and thus changing its password every week. In other words, all this fuss about mass password change is absolutely pointless; at least here.
I've been in the internet programming industry since spring 1995, and since that time I've never heard any hacker to actually waste his/her time on something like what we have here. Unless, I repeat myself... there's something you're not telling us, not all of the truth :wink:
Last edited by johndoe on Thu Sep 17, 2009 12:03 pm, edited 1 time in total.
Note: I'm not Johndoe in any game. Don't trust impersonators!
[Will PK for food.]
Apache/PHP/MySQL/VB6
johndoe
DOL Experienced
 
Posts: 178
Joined: Sun Apr 27, 2008 7:46 am
Location: Cloud 9

Re: SECURITY: change passwords, right now !

Postby Wigberg » Thu Sep 17, 2009 12:02 pm

Yep, I agree with Dunner.

Btw... what about a new CMS? phpnuke, phpkit, joomla etc...
with more security settings... and fewer exploits?

phpBB is too well known... I think you know what I mean...
But the main problem would be... how to migrate the user data from phpBB into the new CMS...

Use this for linking to this Server if you want to make some promo for Storm
[url=http://play.dolserver.net][img]http://wigberg.de/images/storm.gif[/img][/url]
Wigberg
Server Team
 
Posts: 348
Joined: Mon Dec 24, 2007 3:12 am
ICQ: 273642582
Website: http://wigberg.de
Location: Germany

Re: SECURITY: change passwords, right now !

Postby Dinberg » Thu Sep 17, 2009 1:41 pm

johndoe wrote: and since that time I've never heard any hacker to actually waste his/her time on something like what we have here.


Sadly it seems you've never had to deal with the few charming individuals who frequent DoL solely for the purpose of causing mayhem. The sad truth is we get a lot of script kiddies come through here, who don't necessarily have skill or intelligence but who have time on their hands and a grudge for a ban to boot. We don't announce when someone does try anything because they never get anywhere anyway and it would cause paranoia. People have tried in the past though, and I'm sure people will continue to.

While you've never heard of anyone wasting their time to try their 1337ness here, I certainly have over my time. They don't stand a chance, but for the sake of security I'd support Graveen in ensuring that we don't let them have more of a swing at it.


As a side note, daoc portal accounts are the worst. That's not because people 'hack' them, it's because admins can't seem to ever learn the difference between trustless and trustworthy. Why do people insist so heavily on giving their account details to seemingly anyone?
The Marvelous Contraption begins to stir...
Dinberg
Inactive Staff Member
 
Posts: 4695
Joined: Sat Mar 10, 2007 9:47 am
Yahoo Messenger: dinberg_darktouch
Location: Jordheim

Re: SECURITY: change passwords, right now !

Postby roflson » Thu Sep 17, 2009 2:47 pm

johndoe wrote: There're things worth breaking into, and there're things not worth the time spent on breaking into. None of the mentioned above accounts are worth the time the hacker needs to spend to write a program to break into. Hackers do it for either fame or profit, nothing else. Most of the people that play on Storm, and have some value to their accounts have no idea what programming is, not even to mention that they are absolutely clueless about where even to begin about getting someone else's password. It's like getting paranoid about some nasty hacker breaking into your screen saver to readjust timer delay, and thus changing its password every week. In other words, all this fuss about mass password change is absolutely pointless; at least here.
I've been in the internet programming industry since spring 1995, and since that time I've never heard any hacker to actually waste his/her time on something like what we have here. Unless, I repeat myself... there's something you're not telling us, not all of the truth :wink:


MD5 has embarrassingly large databases of precomputed hashes. It requires absolutely 0 time or effort on the part of the person checking passwords, a simple shell script can do it automatically over the course of a few hours (depending on # of users, likely faster with a small DB)

Sites (phpbb or otherwise) get compromised all the time, and taking pre-emptive security measures should be APPLAUDED, not whatever the hell it is you're currently doing. If more people took measures like this, maybe so much internet traffic wouldn't be compromised hosts.

And when you narrow the focus to a 'hacker site' itself (let's face it, server emulation has a bad reputation), you're likely to find at least a few people with an axe to grind.

I seriously can't believe your 1995 claim with the rest of your line of thinking there. Unless you haven't learned anything since then.
roflson
DOL Guest
 
Posts: 4
Joined: Thu Jul 16, 2009 12:58 am
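
Added example (not part of any post in this thread): Dunnerholl's and roflson's point about unsalted MD5, shown from the storage side, with a login-time upgrade to a salted, slow hash. The function names, the record format and the iteration count are assumptions made for this sketch, not phpBB or DOL code.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware

def legacy_md5(password):
    """Unsalted MD5 hex digest: the legacy storage format discussed in the thread."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_record(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 record: 'pbkdf2$<iterations>$<salt hex>$<key hex>'."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2${}${}${}".format(iterations, salt.hex(), key.hex())

def verify_and_upgrade(password, stored):
    """Check a login; return (ok, record_to_store).

    A legacy MD5 record that verifies is replaced by a salted PBKDF2 record,
    so the weak hash leaves the database the next time the user logs in.
    """
    if stored.startswith("pbkdf2$"):
        _, iterations, salt_hex, _ = stored.split("$")
        candidate = pbkdf2_record(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, stored), stored
    if hmac.compare_digest(legacy_md5(password), stored.lower()):
        return True, pbkdf2_record(password)
    return False, stored

def demo():
    # Constructed sample accounts: two users who picked the same password.
    pw = "constructed-sample-password"
    md5_alice, md5_bob = legacy_md5(pw), legacy_md5(pw)
    _, new_alice = verify_and_upgrade(pw, md5_alice)
    _, new_bob = verify_and_upgrade(pw, md5_bob)
    return {
        "md5_records_identical": md5_alice == md5_bob,     # one lookup covers both users
        "salted_records_identical": new_alice == new_bob,  # per-user salt breaks that
    }

if __name__ == "__main__":
    print(demo())
```

Users who never log in again keep their MD5 record, so an upgrade like this still needs a forced reset for dormant accounts.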

Re: SECURITY: change passwords, right now !

Postby Graveen » Thu Sep 17, 2009 4:35 pm

/shrug... there are low but real chances someone gets access to the website databases. For numerous reasons, these DBs contain some information that could harm from forum accounts to Storm accounts.

Everyone change their passwords, that's all. My experience tends to prove exactly the reverse of what you are saying JD, concerning overall security: "if the worst is possible, the worst will happen."

I HOPE the risk is low, and i HOPE it won't happen :D
* pm me to contribute in Dawn of Light: code, database *
Graveen
Project Leader
 
Posts: 12660
Joined: Fri Oct 19, 2007 9:22 pm
Location: France

Re: SECURITY: change passwords, right now !

Postby Tolakram » Thu Sep 17, 2009 4:45 pm

In other words, all this fuss about mass password change is absolutely pointless; at least here.
I've been in the internet programming industry since spring 1995, and since that time I've never heard any hacker to actually waste his/her time on something like what we have here. Unless, I repeat myself... there's something you're not telling us, not all of the truth


Our security measures are based on past behavior specific to this community and not some grand worldwide hacking risk.

Some information was exposed that, if someone wanted to, could be used to do damage specific to us and DOL.

Your attitude is needlessly confrontational, again.

I'm sorry if you were hoping we'd provide step by step instruction for exactly what someone could do with information they may or may not have obtained. :mrgreen:
- Mark
Tolakram
Storm / Storm-D2 Admin
 
Posts: 9189
Joined: Tue Jun 13, 2006 1:49 am
Location: Kentucky, USA

Re: SECURITY: change passwords, right now !

Postby baradien » Sat Oct 17, 2009 8:34 pm

well for me it's no problem if i don't change my password lol :)
i will still find it anyway.
baradien
Server Team
 
Posts: 950
Joined: Wed Jan 23, 2008 3:17 pm
Location: Belguim

Re: SECURITY: change passwords, right now !

Postby Graveen » Mon Mar 12, 2012 2:40 pm

Thread necro ! TY Tola to link this topic.

Here comes the real story: I was working on the new webserver. Precisely, Apache was not completely configured.

After a long time of work, I had to eat. Nice, I was hungry ! I had the genius idea to reboot, to check if all the services were starting fine. As I hate to lose my time, I rebooted just before going to dinner.

When I got back, all services were ok, but... no php interpreter installed, so it displayed the *content* of .php files.... Argh !
At this moment, if someone tried to access the config.php file (manually in the url bar), he would have caught the database password, which contains all hashed passwords in MD5:
- we were replicating Storm DB, so there were Storm accounts
- we are hosting Portal related tables, including server accounts
- and of course forum tables

It took me 25 minutes to eat, this was a non public server *but* internet accessible with a URL (such as test.dolserver.net), so guys, you know the only thing to do in such a case: full disclosure and damage control.

Remember, remember ! :)
* pm me to contribute in Dawn of Light: code, database *
Graveen
Project Leader
 
Posts: 12660
Joined: Fri Oct 19, 2007 9:22 pm
Location: France
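
Added example (not part of the post above): a post-deploy smoke check for the failure Graveen describes, where a web server without a PHP interpreter returns the source of .php files. It audits responses from your own server; the function names and sample responses are constructed for this sketch and the patterns are heuristics.

```python
import re

# An executed PHP page never emits its own opening tag; raw source does.
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
# Heuristic for credential-like PHP variable assignments in a leaked file.
SECRET_ASSIGN = re.compile(r"\$\w*(pass|pwd|secret)\w*\s*=\s*['\"]", re.IGNORECASE)

def audit_response(path, status, body):
    """Return a list of findings for one HTTP response from our own server."""
    findings = []
    if status != 200:
        return findings  # denied or missing: nothing was served
    if PHP_OPEN_TAG.search(body):
        findings.append("raw PHP source served for " + path)
    if SECRET_ASSIGN.search(body):
        findings.append("credential-like assignment exposed in " + path)
    return findings

def audit_all(responses):
    """Map each failing (path, status) pair to its findings."""
    report = {}
    for path, status, body in responses:
        findings = audit_response(path, status, body)
        if findings:
            report[(path, status)] = findings
    return report

# Constructed sample responses (not captured from any real server).
SAMPLES_HEALTHY = [
    ("/index.php", 200, "<html><body>Forum index</body></html>"),
    ("/config.php", 200, ""),  # interpreter ran the file: empty output
]
SAMPLES_BROKEN = [
    ("/index.php", 200, "<?php\ninclude('common.php');\n?>"),
    ("/config.php", 200, "<?php\n$dbhost = 'localhost';\n$dbpasswd = 'PLACEHOLDER';\n?>"),
    ("/admin.php", 403, "Forbidden"),
]

if __name__ == "__main__":
    print(audit_all(SAMPLES_HEALTHY))
    print(audit_all(SAMPLES_BROKEN))
```

Run against a freshly rebooted host before it is reachable from the internet, a check like this fails the deployment instead of leaving the window open.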

