Ubuntu Security

Ubuntu Forum Security Breach 108

pinkstuff writes "There has been a major security breach of the Ubuntu Forums database. Every user's email address and salted password has been taken. From the forum home page: Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database. The passwords are not stored in plain text, they are stored as salted hashes. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP. Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach."
  • by Dwedit ( 232252 ) on Wednesday July 24, 2013 @09:37PM (#44376767) Homepage

    The hashes are salted. Who cares about a breach with salted hashes?

  • by TWX ( 665546 ) on Wednesday July 24, 2013 @09:41PM (#44376809)
    That's what I'm wondering, given that's the whole point in using that method to store credentials in the first place...

    I also have to question the practicality of having different passwords for all one's accounts, especially on things as nonessential as forums. Between work and things that matter I already have to remember too many passwords.
  • by fluffy99 ( 870997 ) on Wednesday July 24, 2013 @09:44PM (#44376829)

    The hashes are salted. Who cares about a breach with salted hashes?

    If they aren't sure of the extent of the compromise, reading salted hashes (assuming they were) might only be part of the problem. Could be they were intercepting passwords on the fly.

  • by Rockoon ( 1252108 ) on Wednesday July 24, 2013 @10:23PM (#44377147)

    How do you reverse an MD5 hash if it is not?

    You try all possible inputs at a rate of 180 billion combinations per second. [arstechnica.com]

    For an 8 character alphanumeric with a few symbols, that's about 48 bits of entropy, which equates to 1564 seconds (26 minutes) to try every single possible input. Since you used a 128-bit hash on 48 bits of entropy, the odds are very very very good that only one single input will result in the stored MD5 hash.

    Thus the attack knows precisely what the original password was in only 26 minutes, which fits the definition of "reversing" the hash in no more than 26 minutes.
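
Added example, not part of any comment in the thread: it reproduces the 48-bit / 180 billion guesses per second arithmetic from the last comment and shows what changes when the stored hash is deliberately slow rather than only salted. The PBKDF2 iteration count, the sample password and the assumption that attacker hardware slows by the same ratio as the local CPU are choices made for this illustration.

```python
import hashlib
import os
import time

GPU_MD5_RATE = 180e9         # guesses/second, the figure quoted in the comment above
PBKDF2_ITERATIONS = 100_000  # assumed work factor, chosen for illustration


def exhaust_seconds(entropy_bits, guesses_per_second):
    """Worst-case time to try every input in a 2**entropy_bits keyspace."""
    return 2 ** entropy_bits / guesses_per_second


def salted_md5(password, salt):
    """Fast salted hash: a single MD5 call per guess."""
    return hashlib.md5(salt + password).digest()


def stretched(password, salt):
    """Salted and deliberately slow: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


def seconds_per_call(fn, calls):
    """Average wall-clock cost of one hash computation on this machine."""
    salt, pw = os.urandom(16), b"constructed-sample-pw"
    start = time.perf_counter()
    for _ in range(calls):
        fn(pw, salt)
    return (time.perf_counter() - start) / calls


def slowdown_factor():
    """How many times more expensive one stretched guess is than one MD5 guess."""
    return seconds_per_call(stretched, 3) / seconds_per_call(salted_md5, 20_000)


if __name__ == "__main__":
    fast = exhaust_seconds(48, GPU_MD5_RATE)
    print(f"48 bits at 180e9 guesses/s: {fast:.0f} s ({fast / 60:.0f} min)")
    # A salt makes equal passwords hash differently, but adds no per-guess cost.
    pw = b"constructed-sample-pw"
    print("same password, two salts, same hash?",
          salted_md5(pw, os.urandom(16)) == salted_md5(pw, os.urandom(16)))
    factor = slowdown_factor()
    # Assumption: attacker hardware is slowed by the same ratio as this CPU.
    slow = exhaust_seconds(48, GPU_MD5_RATE / factor)
    print(f"stretching costs ~{factor:,.0f}x per guess -> {slow / 86400:,.0f} days")
```

The salt removes the benefit of precomputed tables and of cracking many accounts at once; only the work factor changes the per-guess cost that the 26-minute figure depends on.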
