Page 3 of 8 FirstFirst 123456 ... LastLast
Results 51 to 75 of 198
  1. #51
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    Quote Originally Posted by domainbop View Post
    According to Motherboard it only took 2 hours for the hackers to crack 60% of the passwords from the 5 Penton sites because the salts were also kept in the same databases. A far cry from 11,000 years for the average user password.

    The databases are searchable on leakedsource (according to them all Penton sites were hacked but only 4 of the DBs are currently available) and the WHT user info that was hacked on 7/4 appears to be: "username, Possible plaintext password, hash, email, register_date, last_login, birthday, ipaddress, salt" .
    I didn't say 11,000 years for the average user password. It's 11,000 years for a random secure password. Regardless of whether the salts were there or not, MD5 isn't the best option these days, but it's also not as easy to "crack" as people make it out to be. I said this over on LET and I'll repeat it here: "Regardless how the password is stored in a database (as long as it's not plain text), the strength of your password is critical to your own security."
    -Joe @ Secure Dragon LLC.
    + OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
    + Florida | Colorado | Illinois | California | Oregon | Georgia | New Jersey | Arizona | Texas

  2. #52
    Join Date
    Mar 2009
    Location
    Miami, Florida
    Posts
    20,777
    Quote Originally Posted by ZKuJoe View Post
    I agree 100% but I am guilty of this also. For some reason I didn't have an entry for WHT in my password manager and I found I was using an old password that I was using on another forum that wasn't in my password manager either. This thread is the only reason I even checked the password since I rarely ever have to login to it.
    I used to be guilty of it for some sites but I saw the light a few years ago, I moved to strong random passwords (generated by a password manager) for all sites.
    Keith I Myers
    KMyers.me The rantings of a lunatic
    Join me on Technical.chat

  3. #53
    Join Date
    Jul 2004
    Location
    Pittsburgh PA
    Posts
    469
    Not good :\. I hope someone provides an update.
    ▉▊ HostKoi Web Services LLC - Optimized Web Hosting, Reseller, VPS and Dedicated Servers.
    Services World Wide: US, UK, Europe & Asia
    ▊▉ True 24x7 Support

  4. #54
    Join Date
    Feb 2012
    Location
    New York, NY
    Posts
    568
    Quote Originally Posted by ZKuJoe View Post
    I didn't say 11,000 years for the average user password. It's 11,000 years for a random secure password. Regardless of whether the salts were there or not, MD5 isn't the best option these days, but it's also not as easy to "crack" as people make it out to be. I said this over on LET and I'll repeat it here: "Regardless how the password is stored in a database (as long as it's not plain text), the strength of your password is critical to your own security."
    The bad thing is the average Internet user doesn't follow that advice and won't follow that advice and no matter how many times they are told to use a stronger password most will still use something that is easy for them to remember. If 60% of users on a tech forum like WHT used a password that was easily cracked you can bet the figure is much higher on social media sites, shopping sites, etc.

    Telling users not to use their street address or birthdate as a password is probably useless but sites can try to enforce implementation of stronger randomly generated unique passwords during the registration process. Sadly a high percentage of sites still allow users to register using weak passwords, and even if you require users to use a stronger password but allow them to pick their own password there is nothing to stop them from using that same strong password on a dozen different sites. The only solution to the problem really would be if sites took away the option for users to pick their own passwords and required the use of a random password that was generated by the site itself at signup.

  5. #55
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    Quote Originally Posted by domainbop View Post
    The bad thing is the average Internet user doesn't follow that advice and won't follow that advice and no matter how many times they are told most will still use something that is easy for them to remember. If 60% of users on a tech forum like WHT used a password that was easily cracked you can bet the figure is much higher on social media sites, shopping sites, etc.

    Telling users not to use their street address or birthdate as a password is probably useless but sites can try to enforce implementation of stronger randomly generated passwords during the registration process. Sadly a high percentage of sites still allow users to register using weak passwords, and even if you require users to use a stronger password but allow them to pick their own password there is nothing to stop them from using that same strong password on a dozen different sites. The only solution to the problem really would be if sites took away the option for users to pick their own passwords and required the use of a random password that was generated by the site itself at signup.
    I agree, users don't put as much effort into their own security as they should. Most sites should have 2FA these days anyway to make life easier for clients to protect their accounts.
    -Joe @ Secure Dragon LLC.
    + OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
    + Florida | Colorado | Illinois | California | Oregon | Georgia | New Jersey | Arizona | Texas

  6. #56
    Join Date
    Oct 2006
    Location
    US/EU/UK
    Posts
    4,886
    Hmm, I guess that since the DB was compromised, the WHT Rules cannot be properly enforced now. Anyone could go and use the data and account information for marketing purposes.
    HostColor.com Edge Infrastructure - US Dedicated Servers & Europe Dedicated Hosting since 2000
    In 50 U.S. Edge Data Centers & 80 POPs worldwide
    24/7 Support ★★ Support Tickets - LiveChat - Phone

  7. #57
    Nothing is 100% safe as long as it's online. I don't think it's anyone's fault or that there is anyone to blame. It is a reminder to use a different password for every account and not to use the same password more than once.

    I hope that 2FA can be used on WHT soon, as it seems to be the way to more secure accounts in the future.

  8. #58
    Join Date
    Oct 2010
    Location
    New York
    Posts
    1,582
    Come back to check in on things and find this. Password changed!

  9. #59
    Quote Originally Posted by Mujahed-Developer View Post
    Really MD5 is not an issue ?!!!!!
    Really.

    Quote Originally Posted by domainbop View Post
    also from that Motherboard article:
    (a whole of ignorance)

    There is nothing wrong with storing salt in the database. EVERY LINUX SERVER DOES THIS. Look at the shadow(5) and crypt(3) man pages if you don't believe me.

    The author of that article did not understand the purpose of salt, which is to defeat rainbow tables. It makes zero difference whether the attacker has the salt or not as far as decrypting a single password.
    raindog308
    LowEndTalk administrator, LowEndBox editor
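    The point raindog308 makes above (a salt defeats precomputed tables, not a per-user dictionary run) and the "60% in two hours" versus "11,000 years" figures from #51 both come down to how much cracking work can be shared across accounts. The block below is an added example, not code from this thread, from WHT or from vBulletin. It assumes the leaked scheme is md5(md5(password) + salt) with the salt stored beside the hash (the thread only lists "hash" and "salt" columns), uses a constructed seven-word dictionary in place of a real wordlist, and treats the guess rates as assumptions, not measurements.

```python
import hashlib
import secrets

# Added example. Hash layout is an ASSUMPTION: vBulletin-style md5(md5(password) + salt).

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def vb_hash(password: str, salt: str) -> str:
    """Assumed legacy scheme: outer MD5 over (inner MD5 hex + salt)."""
    return md5_hex(md5_hex(password) + salt)

# Constructed stand-in for a cracking dictionary (real ones have millions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "welcome1", "webhost"]

def build_lookup_table(wordlist):
    """Unsalted MD5: hash every candidate once; the table is reused for every target.
    This is the precomputation a salt is meant to break."""
    return {md5_hex(w): w for w in wordlist}

def crack_unsalted(hashes, table):
    """Each leaked hash costs one dictionary lookup and zero extra hashing."""
    return {h: table[h] for h in hashes if h in table}

def crack_salted(records, wordlist):
    """records: {username: (salt, hash)}. The per-user salt makes a shared table useless,
    so every user costs a full pass over the wordlist. The attacker needs the salt to test a
    guess, which is exactly why it is stored next to the hash; it hides nothing by itself.
    Returns (cracked, number_of_hash_evaluations) so the extra work is visible."""
    cracked, work = {}, 0
    for user, (salt, h) in records.items():
        for w in wordlist:
            work += 1
            if vb_hash(w, salt) == h:
                cracked[user] = w
                break
    return cracked, work

def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to enumerate a whole keyspace at an ASSUMED guess rate
    (GPU rigs do on the order of 1e10 to 1e11 raw MD5 guesses per second)."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Constructed users: two weak passwords, one random 96-bit password.
    users = {
        "alice": ("aZ9", vb_hash("password", "aZ9")),
        "bob":   ("Qx1", vb_hash(secrets.token_urlsafe(12), "Qx1")),
        "carol": ("m7K", vb_hash("hunter2", "m7K")),
    }
    print(crack_salted(users, WORDLIST))        # alice and carol fall, bob does not
    print(years_to_exhaust(8, 26, 1e10))        # 8 lowercase chars: well under a minute
    print(years_to_exhaust(14, 94, 1e11))       # 14 random printable chars: far past 11,000 years
```

    The salted run finds the two dictionary passwords after one pass of the wordlist each; the salt only removed the ability to amortise that pass across all 198-odd thousand rows. What actually protects an account is the second function: a random password drawn from a large enough space is outside any wordlist and outside brute-force reach even at the assumed GPU rate, which is the distinction #51 was drawing.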

  10. #60
    Join Date
    Dec 2007
    Location
    Isle of Man
    Posts
    3,068
    Quote Originally Posted by raindog308 View Post
    Really.

    (a whole of ignorance)

    There is nothing wrong with storing salt in the database. EVERY LINUX SERVER DOES THIS. Look at the shadow(5) and crypt(3) man pages if you don't believe me.

    The author of that article did not understand the purpose of salt, which is to defeat rainbow tables. It makes zero difference whether the attacker has the salt or not as far as decrypting a single password.
    Salt only has one place in the world and it's on chips.

    /end

  11. #61
    Quote Originally Posted by raindog308 View Post
    Really.
    Nope, the MD5 algorithm was considered weak ages ago; I recommend you read more about how it works and its issues.

  12. #62
    Quote Originally Posted by WoodiE55 View Post
    Yes, don't let others fool you into thinking MD5 is even remotely secure - it's not. Check out hashcat, it's incredibly fast - even without using GPUs.
    LOL, I did mention that there are more advanced tools and also techniques.

  13. #63
    Join Date
    Feb 2012
    Location
    New York, NY
    Posts
    568
    Quote Originally Posted by Mujahed-Developer View Post
    Nope, MD5 algorithm is considered weak ages ago
    "Ages ago" is May 2, 1996 if you insist on putting a date on when weaknesses with MD5 were first discussed and cryptographers began suggesting that people switch to something else (Dobbertin's 1996 white paper http://cseweb.ucsd.edu/~bsy/dobbertin.ps ) .

    For anyone interested in further reading on MD5, hashes, and passwords: a white paper from SANS Institute, "The Dangers of Weak Hashes"

    Focusing on weak hashes and weak user passwords, however, unfairly shifts the focus to the user in this data breach rather than the real culprit: Penton corporate, which was likely hacked due to its own gross negligence in applying security patches to its sites (the penton.com site is running WordPress 3.9.1, released over 2 years ago, which contains a 0day exploit and numerous XSS vulnerabilities, and all 5 of their sites, including WHT, that had their databases stolen are running outdated software that contains known vulnerabilities).

  14. #64
    Join Date
    Jan 2006
    Location
    Cincinnati, Ohio
    Posts
    187
    Still no official response from the Owners of WHT. Is the law team on holiday or something?
    Joshua Combs

  15. #65
    Join Date
    Jul 2004
    Location
    Pittsburgh PA
    Posts
    469
    Quote Originally Posted by joshcombs View Post
    Still no official response from the Owners of WHT. Is the law team on holiday or something?
    It's a weekend, most likely out of the office until Monday.
    ▉▊ HostKoi Web Services LLC - Optimized Web Hosting, Reseller, VPS and Dedicated Servers.
    Services World Wide: US, UK, Europe & Asia
    ▊▉ True 24x7 Support

  16. #66
    Join Date
    Oct 2001
    Location
    Ohio
    Posts
    8,535
    Quote Originally Posted by HostKoi View Post
    It's a weekend, most likely out of the office until Monday.
    This is the internet. You're never truly out of the office.

    The lack of immediate notification and response is very concerning.

  17. #67
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,134
    This got posted at 5pm EST on Friday night. As others have mentioned, it's the weekend. Give them time.
    It takes time to investigate these issues, to see where they came from, and what happened.
    Put away the pitchforks and nooses, settle down, sit back and wait for things to be resolved. They will, as they always are.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  18. #68
    Join Date
    Nov 2000
    Location
    localhost
    Posts
    3,771
    Quote Originally Posted by whmcsguru View Post
    Don't blame MD5 here, that's not the issue. The issue is individuals and insecure passwords. Taking a look through the list of available passwords and you'll see precisely what the problem is.
    MD5 is fine. While it's hardly the best method on the planet, it's not really 'easy' to hack. Of course, if you're stupid enough to have said weak password, then you deserve what you've got coming
    Yikes, just wow, did you write that? Presumably you're not the programmer working on the modules in your sig? If so, I guess we can punt on which WHMCS modules are up for 0days..
    MattF - Since the start..

  19. #69
    Join Date
    Oct 2008
    Location
    J
    Posts
    299
    WHT keeps silent, but they put up a notification:
    "We've expired all staff passwords. You'll need to re-set your password by using the Lost Password link found on the login page."
    - do it yourself.

  20. #70
    Join Date
    Nov 2000
    Location
    localhost
    Posts
    3,771
    Quote Originally Posted by sentabi View Post
    WHT keeps silent, but they put up a notification:
    "We've expired all staff passwords. You'll need to re-set your password by using the Lost Password link found on the login page."
    Where is this notification? If that's the case this is very sad; however, seeing how little technical investment WHT has received over the years, it doesn't surprise me, heading for a slashdot here...

    It would be trivial for any competent admin to bulk reset passwords, forcing the user to do an email password reset next time; then they should upgrade to more secure credential storage with a random salt per user, and of course disclosure should have happened on Friday, with subsequent work to find, understand and fix the attack vector.

    Truly disappointing.
    MattF - Since the start..
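    MattF's prescription above (expire every password in bulk, force an email reset on next visit, then move to a slow hash with a random salt per user) can be done in one change to the login path. The block below is an added example, not WHT's, vBulletin's or anyone in this thread's code. It assumes the same legacy md5(md5(password) + salt) layout as an assumption, uses an in-memory dict as a stand-in for the user table, stores reset tokens only as a SHA-256 digest so a second database leak does not hand out usable reset links, and picks PBKDF2-HMAC-SHA256 from the standard library so it runs with no third-party packages (scrypt or Argon2 would be the usual production choice).

```python
import hashlib
import hmac
import secrets

# Added example. Legacy layout is an ASSUMPTION (vBulletin-style md5(md5(pw) + salt)).
PBKDF2_ROUNDS = 200_000  # tune so one verification costs tens of milliseconds on your hardware

def legacy_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

def legacy_record(password: str, salt: str) -> dict:
    """What a row in the old table looks like: hex MD5 plus a short stored salt."""
    return {"scheme": "legacy_md5", "salt": salt, "hash": legacy_hash(password, salt),
            "expired": False, "reset_token": None}

def new_record(password: str) -> dict:
    """New scheme: 16 random bytes of salt per user, slow KDF, raw bytes stored."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"scheme": "pbkdf2", "salt": salt, "hash": dk, "expired": False, "reset_token": None}

def verify(record: dict, password: str) -> bool:
    """Constant-time comparison in both branches; expired rows never verify."""
    if record["expired"]:
        return False
    if record["scheme"] == "legacy_md5":
        got = legacy_hash(password, record["salt"]).encode("ascii")
        return hmac.compare_digest(got, record["hash"].encode("ascii"))
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(dk, record["hash"])

def login(store: dict, user: str, password: str) -> bool:
    """Successful login against a legacy row rewrites it under the new scheme,
    so the MD5 rows disappear as users come back, without knowing their passwords."""
    rec = store.get(user)
    if rec is None or not verify(rec, password):
        return False
    if rec["scheme"] == "legacy_md5":
        store[user] = new_record(password)
    return True

def expire_all(store: dict) -> None:
    """The bulk reset: nothing in the leaked table verifies any more."""
    for rec in store.values():
        rec["expired"] = True

def issue_reset_token(store: dict, user: str) -> str:
    """Token goes to the user by email; only its digest is kept server-side."""
    token = secrets.token_urlsafe(32)
    store[user]["reset_token"] = hashlib.sha256(token.encode("ascii")).digest()
    return token

def reset_password(store: dict, user: str, token: str, new_password: str) -> bool:
    rec = store.get(user)
    if rec is None or rec["reset_token"] is None:
        return False
    digest = hashlib.sha256(token.encode("ascii")).digest()
    if not hmac.compare_digest(digest, rec["reset_token"]):
        return False
    store[user] = new_record(new_password)  # fresh salt, token consumed, expiry cleared
    return True

if __name__ == "__main__":
    store = {"joe": legacy_record("hunter2", "aZ9")}
    print(login(store, "joe", "hunter2"), store["joe"]["scheme"])  # True pbkdf2
    expire_all(store)
    print(login(store, "joe", "hunter2"))                          # False
    token = issue_reset_token(store, "joe")
    print(reset_password(store, "joe", token, "correct horse battery"))
    print(login(store, "joe", "correct horse battery"))            # True
```

    The upgrade-on-login path is the gentle version for a site that has not been breached; after a leak it is not enough on its own, because the attacker can log in with a cracked password and get the row rewritten for them. That is why `expire_all` runs first and the only way back in is the emailed token, which is what the staff-only notice quoted above describes for a subset of accounts.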

  21. #71
    Quote Originally Posted by sentabi View Post
    WHT keep silent but they put notification
    "We've expired all staff passwords. You'll need to re-set your password by using the Lost Password link found on the login page."
    Where do you see this? I was just able to login using my usual password.

  22. #72
    Quote Originally Posted by zafouhar View Post
    Where do you see this? I was just able to login using my usual password.
    at the top of the page. It's a little announcement notice

  23. #73
    Join Date
    Nov 2014
    Location
    Australia
    Posts
    1,644
    This is concerning.
    No two factor authentication for password changes either. Which is also pretty old.
    CPK Web Services
    Multi Award winning Managed web hosting.
    Find out more. https://www.cpkws.com.au/mhosting.php

  24. #74
    Join Date
    Feb 2002
    Location
    Indiana
    Posts
    422
    Quote Originally Posted by MattF View Post
    Quote Originally Posted by whmcsguru View Post
    Says someone who's never worked behind the scenes in an operation like this before. it's not that easy.

    Every time WHT upgrades, it causes problems. WHT is not your default VB install, it's quite custom, quite hackey, and quite a bit out of the box.

    Don't blame MD5 here, that's not the issue. The issue is individuals and insecure passwords. Taking a look through the list of available passwords and you'll see precisely what the problem is.
    MD5 is fine. While it's hardly the best method on the planet, it's not really 'easy' to hack. Of course, if you're stupid enough to have said weak password, then you deserve what you've got coming
    Yikes, just wow, did you write that? Presumably you're not the programmer working on the modules in your sig? If so, I guess we can punt on which WHMCS modules are up for 0days..
    Yeah, quotes like his give you real confidence in their work.


    @AnthonyDL doesn't seem this announcement is showing for everyone.

  25. #75
    Join Date
    Feb 2007
    Location
    Isle Of Anglesey, UK
    Posts
    1,468
    Well, at least this time, they did not deface WHT
