Thread: WHT hacked DB for sale
-
07-10-2016, 12:16 AM #51 Total Nerd
- Join Date
- Feb 2007
- Location
- Florida
- Posts
- 1,932
I didn't say 11,000 years for the average user password. It's 11,000 years for a random secure password. Regardless if the salts were there or not, MD5 isn't the best option these days, but it's also not as easy to "crack" as people make it out to be. I said this over on LET and I'll repeat it here: "Regardless how the password is stored in a database (as long as it's not plain text), the strength of your password is critical to your own security."
-Joe @ Secure Dragon LLC.
+ OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
+ Florida | Colorado | Illinois | California | Oregon | Georgia | New Jersey | Arizona | Texas
-
07-10-2016, 12:19 AM #52 Web Hosting Master
- Join Date
- Mar 2009
- Location
- Miami, Florida
- Posts
- 20,777
-
07-10-2016, 12:30 AM #53 Web Hosting Evangelist
- Join Date
- Jul 2004
- Location
- Pittsburgh PA
- Posts
- 469
Not good :\. I hope someone provides an update.
▉▊ HostKoi Web Services LLC - Optimized Web Hosting, Reseller, VPS and Dedicated Servers.
▉▊ Services World Wide: US, UK, Europe & Asia
▊▉ True 24x7 Support
-
07-10-2016, 12:40 AM #54 Web Hosting Master
- Join Date
- Feb 2012
- Location
- New York, NY
- Posts
- 568
The bad thing is the average Internet user doesn't follow that advice and won't follow that advice, and no matter how many times they are told to use a stronger password, most will still use something that is easy for them to remember. If 60% of users on a tech forum like WHT used a password that was easily cracked, you can bet the figure is much higher on social media sites, shopping sites, etc.
Telling users not to use their street address or birthdate as a password is probably useless but sites can try to enforce implementation of stronger randomly generated unique passwords during the registration process. Sadly a high percentage of sites still allow users to register using weak passwords, and even if you require users to use a stronger password but allow them to pick their own password there is nothing to stop them from using that same strong password on a dozen different sites. The only solution to the problem really would be if sites took away the option for users to pick their own passwords and required the use of a random password that was generated by the site itself at signup.
-
07-10-2016, 12:46 AM #55 Total Nerd
- Join Date
- Feb 2007
- Location
- Florida
- Posts
- 1,932
-
07-10-2016, 03:14 AM #56 Web Hosting Master
- Join Date
- Oct 2006
- Location
- US/EU/UK
- Posts
- 4,886
Hmm, I guess that since the DB was compromised, the WHT Rules cannot be properly enforced now. Anyone could go and use the data and account information for marketing purposes.
HostColor.com ★★ Edge Infrastructure - US Dedicated Servers & Europe Dedicated Hosting ★ since 2000
In 50 U.S. Edge Data Centers & 80 POPs worldwide
24/7 Support ★★ Support Tickets - LiveChat - Phone
-
07-10-2016, 04:43 AM #57 Newbie
- Join Date
- Mar 2016
- Posts
- 13
Nothing is 100% safe as long as it's online. I don't think it's anyone's fault or that anyone is to blame. It is a reminder to use a different password for every account and not use the same password more than once.
I hope that 2FA can be used in WHT soon, as it seems to be the way to more secure accounts in the future.
-
07-10-2016, 11:12 AM #58 Web Hosting Master
- Join Date
- Oct 2010
- Location
- New York
- Posts
- 1,582
Come back to check in on things and find this. Password changed!
-
07-10-2016, 11:14 AM #59 Web Hosting Master
- Join Date
- Jul 2010
- Posts
- 819
Really.
(a whole of ignorance)
There is nothing wrong with storing salt in the database. EVERY LINUX SERVER DOES THIS. Look at the shadow(5) and crypt(3) man pages if you don't believe me.
The author of that article did not understand the purpose of salt, which is to defeat rainbow tables. It makes zero difference whether the attacker has the salt or not as far as decrypting a single password.
-
07-10-2016, 12:16 PM #60 Marketing Maestro
- Join Date
- Dec 2007
- Location
- Isle of Man
- Posts
- 3,068
-
07-10-2016, 12:35 PM #61 Newbie
- Join Date
- Sep 2015
- Posts
- 22
-
07-10-2016, 12:42 PM #62 Newbie
- Join Date
- Sep 2015
- Posts
- 22
-
07-10-2016, 02:32 PM #63 Web Hosting Master
- Join Date
- Feb 2012
- Location
- New York, NY
- Posts
- 568
"Ages ago" is May 2, 1996 if you insist on putting a date on when weaknesses with MD5 were first discussed and cryptographers began suggesting that people switch to something else (Dobbertin's 1996 white paper http://cseweb.ucsd.edu/~bsy/dobbertin.ps).
For anyone interested in further reading on MD5, hashes, and passwords: a white paper from SANS Institute, "The Dangers of Weak Hashes"
Focusing on weak hashes and weak user passwords, however, unfairly shifts the focus to the user in this data breach rather than the real culprit: Penton corporate, which was likely hacked due to its own gross negligence in applying security patches to its sites (the penton.com site is running WordPress 3.9.1, released over 2 years ago, which contains a 0day exploit and numerous XSS vulnerabilities, and all 5 of their sites, including WHT, that had their databases stolen are running outdated software that contains known vulnerabilities).
-
07-10-2016, 04:26 PM #64 Junior Guru
- Join Date
- Jan 2006
- Location
- Cincinnati, Ohio
- Posts
- 187
Still no official response from the Owners of WHT. Is the law team on holiday or something?
Joshua Combs
-
07-10-2016, 04:40 PM #65 Web Hosting Evangelist
- Join Date
- Jul 2004
- Location
- Pittsburgh PA
- Posts
- 469
-
07-10-2016, 06:03 PM #66 Web Hosting Master
- Join Date
- Oct 2001
- Location
- Ohio
- Posts
- 8,535
-
07-10-2016, 06:24 PM #67
This got posted at 5pm EST on Friday night. As others have mentioned, it's the weekend. Give them time.
It takes time to investigate these issues, to see where they came from, and what happened.
Put away the pitchforks and nooses, settle down, sit back and wait for things to be resolved. They will, as they always are.
Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons
-
07-10-2016, 09:25 PM #68 Web Hosting Master
- Join Date
- Nov 2000
- Location
- localhost
- Posts
- 3,771
-
07-10-2016, 10:39 PM #69 Web Hosting Guru
- Join Date
- Oct 2008
- Location
- J
- Posts
- 299
WHT keeps silent, but they put up a notification:
"We've expired all staff passwords. You'll need to re-set your password by using the Lost Password link found on the login page." - do it yourself.
-
07-11-2016, 12:52 AM #70 Web Hosting Master
- Join Date
- Nov 2000
- Location
- localhost
- Posts
- 3,771
Where is this notification? If that's the case this is very sad, however seeing how little technical investment WHT has received over the year it doesn't surprise me, heading for a slashdot here...
It would be trivial for any competent admin to bulk reset passwords, forcing the user to do an email password reset next time, then they should upgrade to more secure credential storage with a random salt per each user, and of course disclosure should have happened on Friday and subsequent work to find, understand and fix the attack vector.
Truly disappointing.
MattF - Since the start..
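The storage scheme that posts #59 and #70 describe, as an added example that is not from any poster or from WHT's software: a random per-user salt kept in the record beside the hash, and a check that flags legacy rows for a forced e-mail reset. The record format, the function names, the use of PBKDF2-HMAC-SHA256 as the slow hash and the iteration count are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2-sha256"   # label chosen for this example, not a standard identifier
ITERATIONS = 200_000       # assumed work factor; tune for your hardware

def legacy_md5(password):
    """Unsalted fast hash: every user with this password gets the same value."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password):
    """Return 'scheme$iterations$salt$hash' with a fresh random salt per user.
    The salt sits in the record in the clear, as in shadow(5)."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    b64 = lambda b: base64.b64encode(b).decode()
    return "$".join([SCHEME, str(ITERATIONS), b64(salt), b64(dk)])

def needs_reset(record):
    """True for any record not in the new format (e.g. a bare MD5 hex digest)."""
    return not record.startswith(SCHEME + "$")

def verify_password(password, record):
    """Check a login attempt; legacy or malformed records never verify,
    so those accounts must go through the e-mail reset flow."""
    if needs_reset(record):
        return False
    try:
        _, iters, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(dk, expected)

if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    alice, bob = hash_password("Summer2016!"), hash_password("Summer2016!")
    print("unsalted MD5 identical:", legacy_md5("Summer2016!") == legacy_md5("Summer2016!"))
    print("salted records identical:", alice == bob)
    print("alice verifies:", verify_password("Summer2016!", alice))
    print("legacy row needs reset:", needs_reset(legacy_md5("Summer2016!")))
```

The per-user salt makes identical passwords produce different records, so one precomputed table cannot cover the whole database; the iteration count is what raises the cost of guessing each individual password.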
-
07-11-2016, 01:23 AM #71 Newbie
- Join Date
- Nov 2012
- Posts
- 24
-
07-11-2016, 01:58 AM #72 Disabled
- Join Date
- Nov 2004
- Posts
- 89
-
07-11-2016, 02:29 AM #73 Web Hosting Master
- Join Date
- Nov 2014
- Location
- Australia
- Posts
- 1,644
This is concerning.
No two factor authentication for password changes either. Which is also pretty old.
CPK Web Services
Multi Award winning Managed web hosting.
Find out more. https://www.cpkws.com.au/mhosting.php
-
07-11-2016, 08:00 AM #74 Aspiring Evangelist
- Join Date
- Feb 2002
- Location
- Indiana
- Posts
- 422
Yeah, quotes like his give you real confidence in their work.
@AnthonyDL doesn't seem this announcement is showing for everyone.
-
07-11-2016, 08:10 AM #75 Best Customer Service..ALWAYS!
- Join Date
- Feb 2007
- Location
- Isle Of Anglesey, UK
- Posts
- 1,468
Well, at least this time, they did not deface WHT