Forum Security

With breach after breach being plastered all over the media these days, I got to wondering about the security measures being taken by those running these forums. Should someone succeed in compromising the forums here and dumping the user info from the DB, will we all find out our passwords were stored in unsalted MD5 hashes?

Ubuntu got hit, no reason to assume FreeBSD isn't in someone's crosshairs.
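What an "unsalted MD5" dump actually means for the users in it, as an added example (not code from the thread or from the forum software): a constructed three-user table stored the careless way is cracked with one lookup table, and identical passwords are visible before a single hash is cracked. The second half shows the stdlib alternative, salted PBKDF2-HMAC-SHA256 with an iteration count and a constant-time verify; the usernames, passwords and wordlist are all made up for the demo.

```python
"""Added example: unsalted MD5 storage versus salted, iterated PBKDF2.
All users, passwords and the wordlist are constructed sample data."""
import hashlib
import hmac
import os

# Constructed "user table" as a careless forum might store it:
# username -> MD5(password), no salt, no work factor.
UNSALTED_MD5_DUMP = {
    "alice": hashlib.md5(b"password1").hexdigest(),
    "bob":   hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"password1").hexdigest(),   # same password as alice
}

# Tiny constructed wordlist; a real attacker feeds billions of candidates.
WORDLIST = ["123456", "password", "letmein", "password1", "freebsd"]


def crack_unsalted_md5(dump, wordlist):
    """Hash every candidate once, then look every user up in that table.
    Without a salt one table serves all users (cost O(wordlist), not
    O(wordlist * users)), and users sharing a password share a hash."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(h) for user, h in dump.items()}


def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 from the stdlib. The returned string
    carries algorithm, iteration count, salt and derived key, so the
    parameters can be raised later without breaking existing records."""
    salt = os.urandom(16)                       # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo_salting(password="password1"):
    """Store the same password twice: the records differ (different salts),
    yet both verify, so one cracked record says nothing about another user."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    print("cracked:", crack_unsalted_md5(UNSALTED_MD5_DUMP, WORDLIST))
    print("alice and carol share a hash:",
          UNSALTED_MD5_DUMP["alice"] == UNSALTED_MD5_DUMP["carol"])
    print("salted records differ and verify:", demo_salting())
```

The per-user salt removes the shared lookup table, and the iteration count makes each guess cost the attacker roughly what it costs the server; 600,000 is an assumed value for illustration, and a memory-hard KDF (scrypt, Argon2) is the stronger choice where available.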
 
I have no clue what password I use here, as I'm using a randomly generated password kept in a password store, and I never look at the actual password. More people should do this...
 
Savagedlight said:
I have no clue what password I use here, as I'm using a randomly generated password kept in a password store, and I never look at the actual password. More people should do this...

Yup, this is the way to do it.

I highly recommend KeePass. Cross platform, open source, etc.

This way:
  • You don't need to remember passwords
  • A breach of one site doesn't compromise any other logins you have.

You will however need to remember a secure passphrase for your encrypted KeePass database, and also a password for you to log into a non-privileged account on your machine, to run KeePass (make these different!).

Every other one of my passwords is fully random, and I don't even know what they are.

Switching to this regime is actually quite liberating, so many credentials I no longer have to keep in my head.

If you're worried about lock-in, you can export the data out of KeePass to CSV if you ever need to switch to something else.
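What "randomly generated" should mean in practice, as an added example (not from the thread and not KeePass code): site passwords drawn from the OS CSPRNG via `secrets`, plus a word-based passphrase for the one secret the post says you still have to memorise, the database master passphrase. The entropy helper makes the trade-off explicit; the eight-word list is a constructed stand-in for a real diceware list of 7776 words.

```python
"""Added example: CSPRNG-based password and passphrase generation with an
entropy estimate. The word list below is a constructed stand-in."""
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample list; a real diceware list has 7776 words.
SAMPLE_WORDS = ["anchor", "basil", "comet", "dune",
                "ember", "fjord", "granite", "harbor"]


def random_password(length=20, alphabet=ALPHABET):
    """Site password: each symbol drawn independently from os.urandom.
    random.choice (Mersenne Twister) is not acceptable here; its internal
    state can be recovered from observed output."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words=6, words=SAMPLE_WORDS):
    """Memorable master passphrase: words drawn uniformly from the list.
    Strength comes from the list size, so use a real large list."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` uniform, independent draws."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = random_password()
    print(pw, f"~{entropy_bits(20, len(ALPHABET)):.1f} bits")
    print(passphrase(), f"~{entropy_bits(6, len(SAMPLE_WORDS)):.1f} bits (toy list)")
    print(f"six words from a 7776-word list: ~{entropy_bits(6, 7776):.1f} bits")
```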
 
TiberiusDuval said:
Does KeePass run on FreeBSD? Or are there other similar applications for FreeBSD?

Quoted from KeePass wikipage:
KeePassX, a multi-platform open-source KeePass clone for Linux and OS X, built using version 4.3 of the Qt libraries. As of October 2011, databases created by KeePassX 0.4.3 are binary-compatible with databases created by KeePass, with support for the Keepass 2.x database format implemented in a new alpha release in May 2012

It's available in the FreeBSD ports tree: security/keepassx :)
 
TiberiusDuval said:
Does KeePass run on FreeBSD?
Code:
% cd /usr/ports
% make search name=keepass
Port:	KeePassX-0.4.3_1
Path:	/usr/ports/security/keepassx
Info:	Cross Platform Password Manager
[snip rest of output]
 
fonz said:
Code:
% cd /usr/ports
% make search name=keepass
Port:	KeePassX-0.4.3_1
Path:	/usr/ports/security/keepassx
Info:	Cross Platform Password Manager
[snip rest of output]

My fault, I did not check the ports tree first. It compiled and installed cleanly; very many thanks to you and the previous poster. The question arose due to a quick look at the KeePass site, where there was not any mention of a FreeBSD version.
 
wblock@ said:
if you are using the same password here as elsewhere, stop that.
And what kind of information does anyone store on a forum such as this that one wouldn't want getting out? Perhaps a personal email address but there's lots of protection against that, too, but what else would one put here?

Even then, if someone wanted to get in here so bad, well, why? To scribble around on stuff? Such is the insanity of kids and idiots.
 
drhowarddrfine said:
Such is the insanity of kids and idiots.
[image: idiots-idiots-everywhere.jpg]
 
drhowarddrfine said:
And what kind of information does anyone store on a forum such as this that one wouldn't want getting out? Perhaps a personal email address but there's lots of protection against that, too, but what else would one put here?

Even then, if someone wanted to get in here so bad, well, why? To scribble around on stuff? Such is the insanity of kids and idiots.

It's more to do with someone (maybe even an admin here - do you know/trust them personally? Not having a swipe at the admins, but just to illustrate the point) obtaining your credentials from here and then testing them against other services you may use.

The most common user SNAFU is to sign up for an Internet site with their email address as their login, and use the same password they use for logging into that email address (mental connection is "this email has this password").

If this is the case (it is scarily common), and an attacker has a list of email addresses and password hashes that he can decrypt, he just logs into their email account, requests a bunch of password reset emails for other services (e.g., a typical user may use the email for an Apple or Google login or various other online stores), harvests the results, and hijacks the other accounts.

He may also even be able to harvest credit card numbers, as various sites may blank out different parts of the number and if there are multiple receipts in the user's email he can perhaps piece them together.
 
drhowarddrfine said:
And what kind of information does anyone store on a forum such as this that one wouldn't want getting out? Perhaps a personal email address but there's lots of protection against that, too, but what else would one put here?

Even then, if someone wanted to get in here so bad, well, why? To scribble around on stuff? Such is the insanity of kids and idiots.

You'd be surprised how much havoc someone could do with stolen credentials, especially if it goes unnoticed. They'd be able to interact with people as you, for wherever those credentials are valid.
 
Just more on KeePass: there are clients available for iOS and Android as well, so you can set up sync via Dropbox (the database is encrypted, so it should be safe even if your database is stolen) and have your secure credentials available with you at all times.
 
throAU said:
obtaining your credentials from here and then testing them against other services you may use.
And other stupid things users may do but you can't protect a forum or user against such things and I don't feel it is the responsibility of any forum to do so.
 
drhowarddrfine said:
And other stupid things users may do but you can't protect a forum or user against such things and I don't feel it is the responsibility of any forum to do so.

Of course.

Hence the suggestion that if you are using the same password here as elsewhere: don't.
 