Author Topic: [Please read] Changes to Password Security (Read 4168 times)

Omega · « **on:** 28 July 2013, 16:12:07 »

Security changes

What we're doing

The MegaGlest forum respects the security of its users. In an attempt to further improve the security of your account, we are changing the way passwords currently work. The main reason we are doing this is because previous password requirements used very basic validation. We've since applied our own validation, ensuring that passwords meet a specific complexity. This helps ensure the password is more resistant to brute force attempts and prevent password reuse.

However, in order for this change to be of any use, it has to be applied to all accounts. To do that, we had to reset all passwords. This means that you cannot login until you change your password. You can change your password on this page, where you must enter either your username or email address and a password reset will be sent to your email address. If you encounter any difficulties, please contact us at forum-migration-2013[at] megaglest.org.

There is a three month deadline (28 October 2013) to update your account, after which time inactive accounts will be removed.

Why did you do this?

A secure password is important not only to keep malicious users from accessing your account, but also because a large number of users are reusing passwords on more valuable accounts, such as for their email or paypal. By reusing passwords, even an inconsequential site becomes a security risk, and with access to your email, a malicious user can generally access any other account you've created online, spam your address book, or uncover personal information.

Can I opt out?

Yes. If you are not happy with the forum migration, our changes to account security, or no longer desire an account on the MegaGlest Forum, you can request to delete your account on your profile page (this requires you to login first, to confirm you own the account).

What kind of password should I be using?

The new password requirements don't measure a specific length, but rather a specific complexity. In other words, instead of a long password, you could use a mixture of different character types. A six character lowercase password has 308,915,776 different combinations. But with lowercase and uppercase characters, there are 19,770,609,600 different combinations, an increase of nearly 64 times! As you can expect, adding symbols, numbers, and unicode characters increase the number of combinations even further.

So in addition to a long password, consider using a mixture of character types. Alternatively, you could use passwords that are extremely long, as demonstrated in this comic. The technique doesn't matter, the end goal is the same: preventing your password from being brute forced in a reasonable time. So in summation: long passwords or a mixture of character types are the way to go.

We recommend using a password manager such as KeePass or LastPass. Password managers allow you to use strong, unique passwords on all sites while only needing to remember a single master password.

If you have JavaScript enabled, the change password screen will have a bar at the bottom which will estimate the strength of your password.

FAQ

What's stopping people from changing their password to the same password they were using before?

Nothing. If you were using a secure password previously, you're welcome to continue doing so. There's no way to find out how secure everyone's passwords' are, so it was necessary that we reset everyone's. The only requirement is that your password is at least reasonably secure.

This doesn't stop people from reusing passwords!

No, it does not, and we have no way to enforce that. The best we can do is bring it to people's attention. At least they can't say we didn't try.

Can I use unicode in my password?

Yes, our password system supports unicode characters. In fact, a unicode password of a reasonable length (excluding ASCII characters) is nearly impossible to brute force, due to the massive number of characters. However, typing unicode characters can be difficult. We recommend you do not use characters which you cannot easily type.

What's stopping us from using a password like "aaaaaaaaaaaaaaaaaaaaaa"?

Such a password would be a terrible choice, since it's not necessarily any easier to remember than a chain of four words (since you have to remember the number of "a"s). Irregardless, our improved system catches repeated characters and will not allow such a password. Similarly, series of characters (like 1234567890) are prohibited by the password system.

I don't like this!

We're sorry you feel that way. This change is not intended to be an inconvenience to our users, but rather a measure of making sure that your accounts (both here and on other websites) are as secure as possible.

Omega · « **Reply #1 on:** 28 July 2013, 17:37:14 »

Want more info about choosing secure passwords? This article may be of interest.

Also, if you don't like that ribbon in the top right hand corner, you can remove it by going to Profile > Modify Profile > Look and Layout and click the "change" link next to the current theme. You can then choose to use "Glest Theme Version 3.9.3", which is the previous version, without the ribbon.

Just how secure is a password?

First of all, we must understand how passwords are stored. This forum uses the SHA-1 algorithm for hashing passwords. A hashing algorithm turns a string of characters (such as a password) into a longer, nearly unique string of letters, which is what we store in our database. For example, the hash of the word "MegaGlest" is 26e2af41a5dc19ccf45136ad31782134bec5e798. This string of seemingly random numbers can be produced only be passing the word "MegaGlest" into the SHA-1 algorithm. In theory, it's possible that there's another word that creates the same hash, but it would be extremely unlikely (it's theorized at about 1 in 2⁶⁰, but hasn't been actually done yet).

Instead of storing your password, we store this hash. So if a hacker gets into our database, they don't have your actual password, but a hash of it. The only known way to find the actual password is to find the word that makes the same hash. To make this easier, password crackers would often use something called "rainbow tables", which are essentially large tables of text and its corresponding hash. To make it much harder to use rainbow tables, we use something called a salt. This is a random string of characters that we append to the password when hashing. So if our password as "MegaGlest" and the random salt was "hg1a41", then the text we actually hashed will be "hg1a41MegaGlest". Thus, the plain text is much larger and it's too time consuming to create rainbow tables for very large password and salt combinations.

However, it's usually pretty easy to find out what the salt is, especially in open source projects like Simple Machines Forum. But the purpose of the salt isn't to be hidden away, but rather to ensure that the hacker must brute force the password. Brute forcing means to try hashing every possible combination of characters until he finds a match. But if the password is long, finding a match could take a very, very long time.

For a sample user running a 3.4GHz Intel Core i7-2600K processor, an eight character password with a mixture of uppercase, lowercase, and numbers could take about a year to calculate all possible hashes. If we used ten characters, it would take over 4000 years to calculate all the hashes. As you can see, the point isn't to make it impossible to brute force passwords, but to ensure it takes so long it's no longer feasible.

Here's some more numbers, for scale:

Character set	Password length	Time to try all combinations
Lowercase	6	45 seconds
Lowercase	7	19 minutes 35 seconds
Lowercase	8	8 hours 29 minutes 18 seconds
Lowercase	9	9 days 4 hours 42 minutes 4 seconds
Lowercase	10	239 days 2 hours 13 minutes 50 seconds
Lowercase	11	17 years 7 days 7 hours 10 minutes 49 seconds
Uppercase lowercase	6	47 minutes 16 seconds
Uppercase lowercase	7	1 days 16 hours 58 minutes 12 seconds
Uppercase lowercase	8	88 days 18 hours 26 minutes 55 seconds
Uppercase lowercase	9	12 years 233 days 1 hours 35 minutes 2 seconds
Uppercase lowercase numbers	6	2 hours 15 minutes 23 seconds
Uppercase lowercase numbers	7	5 days 19 hours 53 minutes 56 seconds
Uppercase lowercase numbers	8	361 days 9 hours 44 minutes 35 seconds
Uppercase lowercase numbers	9	61 years 127 days 9 hours 29 minutes 30 seconds
Uppercase lowercase numbers symbols	6	1 days 3 hours 15 minutes 12 seconds
Uppercase lowercase numbers symbols	7	106 days 17 hours 50 minutes 4 seconds
Uppercase lowercase numbers symbols	8	27 years 172 days 7 hours 29 minutes 40 seconds

^{Source: http://calc.opensecurityresearch.com/}

This is running a regular computer, which can generate several thousand hashes every second. A super computer could crack passwords much, much faster. For example, this computer could do over 7000 hashes per second with the SHA-1 algorithm. It would take over 27 years to try all 8 character password with all cases, numbers, and symbols. On the other hand, if you could try a billion combinations a second, you could do this in about 77 days. Of course, it does beg the question as to who has the resources to do this...

A note that the above table is time to try all combinations. That means for a totally random password (password managers are your friend for those), you could expect a median time of half of the listed times. Also bear in mind that computers get better and better over time, which will result in faster brute forcing. As well, if your password is a dictionary word, a dictionary attack (which tries words instead of all possible characters) could crack your password in mere seconds.

TL;DR: Longer passwords are better.

tomreyn · « **Reply #2 on:** 29 July 2013, 00:07:37 »

One minor correction there: the passwords SMF stores in the database use the username as a salt, not the value stored in the "password_salt" column. The latter is used by the client when creating the hash it stores in the "megaglest" cookie (which is used to re-authenticate a client after session timeout or similar).

will · « **Reply #3 on:** 29 July 2013, 15:27:14 »

> We're sorry you feel that way. This change is not intended to be an inconvenience to our users, but rather a measure of making sure that your accounts (both here and on other websites) are as secure as possible.

If its worth doing you might as well do it properly.

1) NEVER EVER USE THE USERNAME AS A SALT

2) WHAT HASH ARE YOU USING?

Sometimes shouting is justified. This is one of those times.

You must use bcrypt or scrypt or PBKDF2. The implementation - you should use a standard library for this - should use a random salt and a sensibly high work-factor. Usually this is all serialised into the password field itself. In PHP, the password_hash function can take a PASSWORD_BCRYPT parameter, for example, and does all this automatically.

I just googled SMF password hashing and the forum threads - including those with the coders involved - are very scarily ignorant. Someone should wack them with a cluestick.

Omega · « **Reply #4 on:** 29 July 2013, 18:30:26 »

Quote from: will on 29 July 2013, 15:27:14

1) NEVER EVER USE THE USERNAME AS A SALT

2) WHAT HASH ARE YOU USING?

Yes, I'm aware of the terrible choice of a salt and hashing algorithm. I would have personally preferred bcrypt, myself, but please note that the method used was set by the creators of SMF. I'm under the impression they chose it to accommodate those who insist on using outdated versions of PHP.

Bcrypt in PHP 5.5+ is easy to use, but I'm not entirely keen on trying to implement bcrypt over the current mess.

But, yeah, bcrypt is a fantastic choice. It defaultly uses a random salt. Using the username isn't *too* bad, because we can assume that the hacker will know the salt no matter what, although it would also allow hackers to generate rainbow tables for a username ahead of time. With a very secure password, that won't help, since it could take thousands of years for current computers to generate all the hashes needed (and hard drive space galore). However, few people use passwords *that* secure, and a random salt would still be *more* secure.

But bcrypt's best feature is the usage of a "cost" variable. Increasing that exponentially increases the time it takes to calculate the hash. That makes it possible to keep up with advancements in computing. SHA-1's flaw is that it's too fast: that doesn't matter much for us and is very, very good for password crackers.

However, in a quick look, I can't even figure out how SMF does their hashing. They don't appear to be using the password_hash() function.

tomreyn · « **Reply #5 on:** 30 July 2013, 13:45:00 »

As it stands, SMF doesn't even have an easy / documented way for forcing a site-wide password reset (that's when you don't want to send pre-generated passwords by e-mail which is possible with an add-on script - but that's last millenniums security practice), which I assume is also why they chose not to run a site-wide password reset (other than strongly recommending users to do themselves it in an announcement e-mail) after a recent full database compromise. There's also no way (that I'm aware of) to tell when a user has last changed their password.

I recently had a related discussion on the password hashing mechanism with some SMF people on this thread and during some back and forth and back again and again on their recent security breach announcement.

Using the username as a salt is not the brightest idea, but getting away from this will be a bit tough, we'd have to start maintaining a set of patches (for this and the several other issues) which I don't know we have the resources for. So my hope is really for SMF to get better in this respect.

D.U.P.A. · « **Reply #6 on:** 30 July 2013, 18:00:28 »

Oh come on. This is not a forum where big monies are circulating. If an account gets hacked, it will not be an end of the world for the user, in the worst case scenario he needs to redo it. Even if it is very easy to find out the password, what are the chances, they will chose YOUR account, if even they find out this SITE. And even after that, they would need to find your valuable accounts (paypal, steam, email). This is just random forum. I understand people who are more important on this forum will protect their account, but for random users, there is no need for exaggerated security. To protect against brute force there could be limit of incorrect logins and after that user cannot login for about 15 minutes. Enough to keep most of hackers at bay.

Also account deactivation for 3 months is too short, many leave to later rejoin, I came back here after almost a year.

Omega · « **Reply #7 on:** 30 July 2013, 18:40:41 »

Quote from: D.U.P.A. on 30 July 2013, 18:00:28

Oh come on. This is not a forum where big monies are circulating. If an account gets hacked, it will not be an end of the world for the user, in the worst case scenario he needs to redo it. Even if it is very easy to find out the password, what are the chances, they will chose YOUR account, if even they find out this SITE. And even after that, they would need to find your valuable accounts (paypal, steam, email). This is just random forum. I understand people who are more important on this forum will protect their account, but for random users, there is no need for exaggerated security.

I think you misunderstand. We already have methods to prevent attempts to brute force into accounts on our site. That's not what this change is hoping to protect against. Rather, this is largely focused against password reuse. Too many people reuse passwords on other sites (including banking and email). If you used the same password here as your gmail account, it's practically a given that a hacker would be able to link the two together. That's the main reason small sites are hacked: to get passwords that can be used on larger sites.

The SMF official forum was "hacked" about a week ago, because some admin reused his or her password on some other site, which had its database stolen.

Quote from: D.U.P.A. on 30 July 2013, 18:00:28

Also account deactivation for 3 months is too short, many leave to later rejoin, I came back here after almost a year.

That may be true, but at the same time, three months is a long while, and users merely have to change their password to keep their account activated indefinitely. Even if their account is deleted, they can recreate accounts easily enough (and there's a fair chance that after more than three months, they wouldn't remember their password, anyway). Finally, we will not be removing accounts with a large number of posts, so it will most likely be a large number of spam accounts and single-post accounts which end up being deleted. The kind of accounts that are unlikely to return to the forum if they don't respond to the email.

tomreyn · « **Reply #8 on:** 6 August 2013, 02:40:51 »

As a status update, 240 people have reactivated their accounts (and set a new password) so far.

That's just a fraction of the total amount of registered users, but we can safely assume that a majority of registrations were carried out by spammers, so I guess this doesn't matter much.

By the way, in case you're having trouble with password resets, and sending e-mail to the e-mail address given in the notification does not work for some reason, please also try to get in touch on IRC at http://chat.megaglest.org

News: