Ran's Board Hack

Sep 10, 2011 14:34

How is it possible for someone to gain access to every password on a message board?


ildrinn September 10 2011, 19:46:07 UTC
Not that I know any of the details of what's happened, but resetting all passwords is not the same as stealing all passwords. The latter involves gaining access to information, the former is just wiping and replacing it, which does not require any sight of what was wiped. In the circumstances, the most a hacker would be able to do with this is make some posts under someone else's name by logging in with the new password. If there even is a hacker and it's not just a server glitch.



rockstarwookie September 10 2011, 23:22:57 UTC
Usual practice is that all passwords are stored in the same place - a file or a database table (which is probably a single file). Storing them in different places wouldn't be any more secure, because there has to be a deterministic way to find the passwords (because the login process has to be able to read the passwords to check that the password you log in with is correct).

On the upside, good practice is that passwords aren't stored in their original form, but are sort of encrypted in a way, so that it's very difficult to determine the original password from what's stored in the file/database.

Very difficult, but not impossible. This is probably why the board maintainers have asked people to change their passwords - just as a precaution.

This is one reason why security experts recommend that you do not use the same password for every login. If one of them is compromised, the attacker will have your password for everything you use it for.

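An added example, not part of the thread and not taken from the board's software: a sketch of the kind of storage the comment above describes, where the table holds a random salt and a one-way hash instead of the password, and of why a stolen table still puts common passwords at risk. The user names, passwords, word list and iteration count are constructed for illustration, and PBKDF2 is this example's choice, not something the thread names.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor, chosen for this example only


def make_record(password, salt=None):
    """Return what the board would store: (salt, hash). The password itself is not kept."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def check_login(password, record):
    """Login check: redo the hash with the stored salt and compare in constant time."""
    salt, stored = record
    _, candidate = make_record(password, salt)
    return hmac.compare_digest(candidate, stored)


def exposed_accounts(users, common_passwords):
    """Audit a password table: which accounts fall to a list of common passwords?

    The hash cannot be reversed, but anyone holding the table can run the same
    check the login page runs, one guess at a time. A common password is found
    quickly; a long random one is not.
    """
    return {
        name: any(check_login(guess, record) for guess in common_passwords)
        for name, record in users.items()
    }


# Constructed sample table (hypothetical users and passwords).
USERS = {
    "alice": make_record("sunshine"),
    "bob": make_record("T7#qv!m2Lz0p-wR"),
}
COMMON = ["123456", "password", "sunshine"]

if __name__ == "__main__":
    print(exposed_accounts(USERS, COMMON))
```

The salt makes two users with the same password get different stored hashes, so one successful guess does not reveal every account that shares it.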

serscot September 12 2011, 10:37:42 UTC
So, encryption is not a guarantee of safety? You can create a program that might make a lucky guess of the keycode and decrypt the information over time?


rockstarwookie September 12 2011, 12:30:11 UTC
There are two questions in there ( ... )


rockstarwookie September 12 2011, 12:34:51 UTC
All of this is the technicalities of security, but what you should bear in mind in all of this is what I said earlier about your control - as a user - over a service's security processes. You don't really have any ( ... )
