GOMTV.net compromised - Page 15
nonsence
United States, 57 Posts
On August 13 2011 05:17 R1CH wrote:
Not if you balance the iterations properly. A few hundred ms extra on the login isn't noticeable by most people and is plenty enough to defeat brute force attacks.

COOL, I hadn't heard of bcrypt. I just finished integrating a Java version into my software. Thanks TL.
EndOfTime88
Austria, 259 Posts
On August 13 2011 05:51 DiamondTear wrote:
Changed GOM password, got no confirmation email (hotmail), can't log in.

I'm having the same problem right now.
FallDownMarigold
United States, 3710 Posts
On August 13 2011 05:39 vyyye wrote:
And I thought Login : Password was the dumbest login/pass combo, holy shit.

It's all good now, I just changed my account name to my home address and my password to my bank routing number.
thee telescopes
321 Posts
On August 13 2011 05:51 slicknav wrote:
This should really be put on the front page of TL somewhere. This is kinda serious if personal information has been compromised.

Kinda annoying that there's nothing on Gom's site about this.
CardG
France, 131 Posts
Same.
Badboyrune
Sweden, 2247 Posts
On August 13 2011 05:41 R1CH wrote:
Most systems store the algorithm and settings with the password hash and salt. For example, if your password hash is $2a$10$WyJ.NSYEmLixexXspQyoEOVYGK55cDjQd2cZedBN4t9.., the 2a identifies the algorithm (blowfish) and the 10 identifies the iterations (2^10). So if suddenly PCs become 100x faster I can just increase the 10 in our config and all new passwords become more secure, and old passwords are upgraded on successful logon.

I think this is the point where Hot_Bid posts:

I don't understand the check_password function, why don't you compare with the stored hash in the BBDD? Something like this:

    function check_password(password, nickname) {
        // get user from nickname
        user = User.objects.get(nickname=nickname)
        return user.hash_stored == hash(password)
    }

Btw in your function check_password I suppose that in order to calculate again the hash I'd have to do it with the cost parameter, something like this:

    // this will be used to compare a password against a hash
    public static function check_password($hash, $password) {
        $new_hash = hash($password);
        return ($hash == $new_hash);
    }
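R1CH's point above, that the algorithm and cost factor travel inside the stored hash so old passwords can be upgraded on a successful login, as an added example that is not code from the thread or from TL. The sample hash is constructed (the one R1CH pasted is truncated), and the verify/make_hash callables are assumed to be supplied by whatever bcrypt library you use (for the `bcrypt` package: `bcrypt.checkpw` and `bcrypt.hashpw` with `bcrypt.gensalt(rounds=cost)`).

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict

# Modular-crypt layout R1CH describes: $<algo>$<cost>$<22-char salt><31-char digest>.
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
_BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed sample, not a real hash: cost 10, dummy salt and digest of the right lengths.
SAMPLE_HASH = "$2a$10$abcdefghijklmnopqrstuv0123456789012345678901234567890"


@dataclass
class BcryptParts:
    algorithm: str  # "2a", "2b", ... (the "2" family is Blowfish-based bcrypt)
    cost: int       # log2 of the key-setup iteration count
    salt: str
    digest: str

    @property
    def iterations(self) -> int:
        return 2 ** self.cost


def parse_bcrypt_hash(stored: str) -> BcryptParts:
    """Split a stored bcrypt string into algorithm, cost, salt and digest."""
    m = _BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    algo, cost, salt, digest = m.groups()
    return BcryptParts(algo, int(cost), salt, digest)


def needs_rehash(stored: str, target_cost: int) -> bool:
    """True when the stored hash was made with a lower cost than the config now demands."""
    try:
        return parse_bcrypt_hash(stored).cost < target_cost
    except ValueError:
        return True  # legacy or unrecognised format (e.g. plaintext): upgrade at first chance


def login_and_upgrade(users: Dict[str, str], username: str, password: str,
                      verify: Callable[[str, str], bool],
                      make_hash: Callable[[str, int], str], target_cost: int) -> bool:
    """Verify against the stored hash; on success, transparently re-hash at the new cost."""
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if needs_rehash(stored, target_cost):
        users[username] = make_hash(password, target_cost)  # only possible while we hold the plaintext
    return True
```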
Integra
Sweden, 5626 Posts
On August 13 2011 03:14 R1CH wrote:
There's a post on reddit that suggests that GOMTV has been compromised. I have independently verified that at least some usernames, passwords and email addresses have been compromised. There appears to be zero security on the passwords as they were stored in plain text (really GOM?). This means if you use your GomTV password anywhere else, you should change it and consider it compromised.

To clarify, your GomTV.net username, email address, PayPal real name and your GomTV.net password are likely compromised. Personal information such as your address may be compromised too if it was stored. You should also change your GomTV password to prevent unauthorized account access, although the exploit through which the information was compromised may still exist.

Since payments are processed through PayPal, there is no risk of your financial information being compromised, unless you used your PayPal password when signing up for GomTV (don't do this). Users who logged in via SNS should be safe as Twitter / Facebook authentication is token based, not password based.

If you aren't already, you should really use unique passwords for each website since this happens more often than you think (ever hear someone say they were "hacked"? this is likely how it happens) and not all websites will disclose if they get compromised. Use http://keepass.info/ for password management.

R1CH, from what I can deduce they simply used a SQL injection to list all the data. If it's that simple then why does it matter if we change the password? They will still get it; you could change it a million times.
Toons
Australia, 136 Posts
Change your pass to something completely obscure until they figure it out.
Soulish
Canada, 1403 Posts
Being stored in plain text doesn't mean they aren't encrypted.