BOB: Business Objects Board
Not endorsed by or affiliated with SAP

Public Service Announcement: Password Security

Bob
Site Administrator
Joined: 06 Jun 2002
Posts: 1337
Location: I Live Here

PostPosted: Fri Feb 13, 2009 9:49 am
Post subject: Public Service Announcement: Password Security

Hi, you may or may not know (or care) that BOB is run using software from the phpBB Group. Recently their web site (phpbb.com) was hacked due to an exploit in a different software package, and their entire user database was downloaded and posted on the Internet. How does this affect you?

Well, in one sense it doesn't. We're not running the other package that was the source of the security hole here. In fact, we're not running anything but phpbb2. The version we're running is up to date. However, the reason phpbb.com was hacked was that the exploit was discovered and used before it was announced; this is called a "zero day" exploit because the team had zero days to prepare and fix their server.

At the same time this was going on, another site running phpbb2 (and a few other things) was also hacked by some unknown vector. The site remains offline while investigations continue. The attacker was once again (once they uploaded their backdoor / toolkit to the server) able to get into the database and do whatever they wanted. Ultimately they dropped the entire thing.

While the chances are slim, that could happen to us. So what does this mean?

From a server perspective, we have code backups that were taken prior to and after the last code upgrade. We have backups downloaded to an off-site RAID array every night. In that sense the maximum exposure we have (assuming we can find and close the hole used by the attacker quickly) is 24 hours of activity.

What about you and your information?

phpBB2 uses the md5() hashing algorithm to store passwords. The passwords are hashed rather than encrypted, which is significant in that hashes are one-way functions while encryption is a two-way function. Encryption is meant to be reversed. Hashing is not. But people are quite fond of passwords and often use the same one on more than one site. People are also less creative when it comes to remembering passwords; it's much easier to remember that "Fluffy" was the name of your first pet than remember that weird password like "x&!34w09*la?" instead. Yet "Fluffy" is what is called a dictionary word and there are tables on the Internet that allow an attacker to take a password hash and match it against all known dictionary words and try to find a match. Once they find a match, they can do a reverse-lookup and figure out your password.

We are investigating an upgrade to our password hashing algorithm. However, while that process is underway, we strongly encourage you to do several things.

First, and most important, do not use a password on BOB that you use anywhere else. Every site you visit on the web should have a unique password. That way if a database (ours or someone else's) is compromised, it's only that site information that is at risk.

Second, if you are using a "Fluffy" style password, please consider changing it right away. Even a mix of upper and lower case letters like "FlUfFy" makes the password much harder to match. Adding just one special symbol "fluffy!" also affects the hash and makes the password harder to reveal.

Third, consider using a throw-away email address for joining online sites like BOB. Many of you use your work email addresses and that's certainly fine. However, if the BOB user database is ever exposed, that will almost certainly result in your email address being added to many spammer databases. It might be easier to switch to something like a yahoo or hotmail account. It would be even better if the email address was only used for BOB, so if it's ever compromised you can simply drop it and move on to the next option. If you own a web domain, you quite frequently can set up "unlimited" email addresses. Setting up something like bob@example.com would allow you to have an email address unique to this site that you can throw away.

Last, be very careful about posting anything private on the web. One of the topics in a private forum at phpbb.com included personal phone numbers of various team members. That topic was ultimately posted in public. One of the strongest lessons about Internet use that I remember comes from the email signature of the founder of the BUSOB-L mailing list. He wrote it over ten years ago, and it's still as appropriate today.
Quote:
Treat anything you write on the Internet as public. Because it could be.

There are nasty people out there, be careful, and be safe. Thanks.

_________________
It is not enough for a handful of experts to attempt the solution of a problem, to solve it and then to apply it. The restriction of knowledge to an elite group destroys the spirit of society and leads to its intellectual impoverishment.
-- Albert Einstein
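The hashing behaviour the announcement above describes, as an added example that is not part of the original thread and not phpBB's own code: an unsalted md5 digest of a dictionary word like "Fluffy" can be matched against a precomputed table, while a salted, iterated hash (PBKDF2-HMAC-SHA256 here, assumed as the kind of upgrade the post alludes to) gives every user a different digest for the same word and cannot be looked up at all. The five-word table is constructed for the example; the function names are the example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the reverse-lookup tables the post mentions:
# a few dictionary words and their unsalted md5 digests. Real tables
# hold millions of entries, but the mechanism is identical.
DICTIONARY_WORDS = ["password", "fluffy", "Fluffy", "letmein", "123456"]
MD5_LOOKUP = {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in DICTIONARY_WORDS}


def md5_password_hash(password: str) -> str:
    """Unsalted md5 of the password, the scheme the post says phpBB2 used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def reverse_lookup(stored_hash: str) -> Optional[str]:
    """Return the dictionary word behind an md5 digest, or None if it is not in the table.

    Same input gives the same digest for every user, so one precomputed
    table answers the question for every account that chose that word.
    """
    return MD5_LOOKUP.get(stored_hash)


def pbkdf2_password_hash(password: str, salt: Optional[bytes] = None,
                         iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), stored as iterations$salt$digest.

    A random per-user salt makes precomputed tables useless (two users who
    both chose "Fluffy" get different digests) and the iteration count makes
    each guess many times more expensive than a single md5.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # The three spellings from the post: only the plain dictionary word is in the table.
    for candidate in ["Fluffy", "FlUfFy", "fluffy!"]:
        digest = md5_password_hash(candidate)
        print(f"md5({candidate!r}) = {digest}  lookup -> {reverse_lookup(digest)}")
    record = pbkdf2_password_hash("Fluffy")
    print("pbkdf2 record:", record)
    print("verify 'Fluffy':", pbkdf2_verify("Fluffy", record))
    print("two salted records for the same password differ:",
          pbkdf2_password_hash("Fluffy") != pbkdf2_password_hash("Fluffy"))
```

Two things the run makes visible. "FlUfFy" and "fluffy!" miss this tiny table, which is the effect the post is after, but a larger table or a guessing run that tries case and symbol variants closes that gap quickly; the durable fix is on the server side, where a random salt defeats every precomputed table regardless of the word chosen and the iteration count slows each guess. The unique-password advice still matters because a salted hash only limits the damage on the site that was breached; it does nothing for another site where the same password was reused.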
Nick Daniels
Forum Aficionado
Joined: 15 Aug 2002
Posts: 14236
Location: England

PostPosted: Fri Feb 13, 2009 1:45 pm
Post subject: Re: Public Service Announcement: Password Security

It is worth mentioning that a small minority of people use an email address as their username. I've just seen one today and it's not a good idea!
Dave Rathbun
Forum Advocate
Joined: 06 Jun 2002
Posts: 22138
Location: Dallas, Texas

PostPosted: Fri Feb 13, 2009 2:08 pm
Post subject: Re: Public Service Announcement: Password Security

Nick, there are different schools of thought on that. I don't envision creating a rule that says you cannot use an email address for a username because often that's the only thing a person has that they can remember that is also unique.

But you should never use an email address or username as part of your password.

_________________
Dave's Adventures in Business Intelligence
Mitra Moini
Forum Associate
Joined: 31 Aug 2002
Posts: 717
Location: In front of my laptop!

PostPosted: Tue Feb 17, 2009 5:57 pm
Post subject: Re: Public Service Announcement: Password Security

Thanks for letting us know Dave.

Mitra
Jansi
Forum Fanatic
Joined: 12 May 2008
Posts: 6577

PostPosted: Wed Feb 18, 2009 1:08 am
Post subject: Re: Public Service Announcement: Password Security

Done and thanks!
_________________
Search is your friend.
I can do all things through Christ who strengthens me. Philippians 4 : 13
God is your protective shade! Wanna read about Your protective shade?!