A question for Bill Jelen

What I cannot understand is that the password change page is still not encrypted.

Initially the perpetrator had only encrypted passwords. But anyone who changes the password now to protect him/herself sends the new one as open text over the internet. So if the perpetrator has the means to filter the MrExcel network traffic, he can easily collect all new passwords, this time in a form ready to use. In a sense, the call to change passwords is the best that the perpetrator could have expected.

J.Ty.
 
I view the dissemination of birth dates as being potentially *very* risky for users. Hence the use of a fake birth date for interest sites that require it, other than banking websites. I think we collectively suffer from "password paranoia" and for those that use password managers, quis custodiet ipsos custodes?

As for banking sites, those should use customer ID as a login, not an e-mail address, and unless there is an ability to link the two somehow, then there should be nothing to be worried about. As for other non-financial and non-email sites, as mentioned above, who cares?

I did a quick check on the site recommended by Bill Jelen; another site that uses vBulletin was also compromised and my details were leaked there too. But I stand by my earlier post that without verification that they guessed the correct password (being 1 in a trillion combinations or more), that information is useless to them, short of being sold to a spammer.
 
I have received an identical email and I have also changed my password directly through Mr Excel and NOT via the email link. Er, yes, who is Bill Jelen?
 
Read the entire thread and you will find out who Bill Jelen is. ;)
 
I have had no attempts to login to any of my accounts on other sites (that I am aware of).

I have however received a lot more spam emails recently, so it is possible the email list may have been distributed to spammers.

If they are spamming, just mark the email as such in your email client and those email addresses soon get blocked by email providers.

mrexcel.com provides an excellent forum with great people and expertise on the site's topic; you can't expect them on a free site to provide the back-room IT professionals that also fail to protect mega money sites and governments from attacks.

Thanks for letting us know as soon as you knew and giving us the information to enable us to take whatever action we feel needed. Hopefully one lesson to come from it will be to use different passwords (and maybe email address) for personal and public sites.
 
Hello all. Andrew Fergus - your question is really good. I am supposed to chat with security MVP Troy Hunt (from HIBP) later this week and I am going to ask that question. With the LinkedIn hack, reading Troy's article, he made it sound like once they discovered a pattern to the hash, they were able to break multiple passwords at once. https://www.troyhunt.com/data-breaches-vbulletin-and-weak/

As I learn more, I will keep this page updated: Details of Data Breach at MrExcel.com – MREXCEL

Bill
 
Not sure if this is related, but I started getting a bunch of emails from legitimate?? places that I have never dealt with
 
As Bill stated, a fast computer could create billions of passwords to try and guess the password, but to confirm the password is correct, that could only be achieved by successfully logging in to this site... is that right? I'm guessing (as Bill said) that most people use the same password for most sites. So this sounds serious. But, if the perpetrator has not yet got into your personal MrExcel account, is it safe to then assume that other sites with the same e-mail/password combination are currently safe? I know that sounds like slack security on my part, but a password generator can easily generate the combinations, but it would be more time consuming to find the one that actually works? In the meantime accounts could/should be locked after multiple unsuccessful attempts, or a delay introduced to frustrate the perpetrator with an exponential time delay. Unless each and every account used the identical hash+salt combination (unlikely), then simply changing the MrExcel password NOW, before the perpetrator confirms your personal password, should be enough... is that correct? I know this sounds slack or potentially dangerous on my part, but I'm guessing we are safer than we think once we change this password.

No, it's not correct. Since the hacker knows the hashing algorithm, all he must do is hash the guessed password; if it matches the hash in the data dump he has, then he knows your password. There's no need to log into the site, it's that simple.

It is, however, a game of diminishing returns: the easier passwords will be cracked very easily and the harder ones will take much longer, so it's in your best interest to use a password manager; it means that your password may not ever actually be cracked, and if it is, it's useless since it's only used on one site. The purpose of these attacks is to get the low hanging fruit; you could bet your bottom dollar that the same people with easy passwords to crack are the same ones who are using that password on multiple sites. These are what hackers are after.

For an interesting read, have a look here: https://www.troyhunt.com/data-breaches-vbulletin-and-weak/ The security researcher takes a vBulletin data dump of 1.2M records and cracks 60% of the passwords in under a day (that's 3 billion guesses a second on ageing hardware that's likely less powerful than a hacker would use).

The message is simple: assume your password has been cracked, change it, and change it anywhere else you use it. Change it to something hard to guess (so they give up on cracking it when they've got the easy ones) and make it unique for each site; that way, if they get it, they can't get in anywhere else.
 
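An added example (not code from this thread, from MrExcel or from vBulletin) showing the two points in the answer above: a leaked record is checked offline with no login, so changing the password on the site does not protect the copy already leaked, and a purpose-built slow hash divides the attacker's guess rate. The md5(md5(password) + salt) scheme, the 100,000-iteration PBKDF2 setting and the sample records are assumptions made for illustration; the 3 billion guesses per second figure is the one quoted from Troy Hunt's article.

```python
import hashlib
import hmac


def legacy_hash(password: str, salt: str) -> str:
    # Assumed, for illustration: a legacy forum-style scheme, md5(md5(password) + salt).
    # Fast hashes like this are the class Troy Hunt's 3 billion/s figure applies to.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def make_record(password: str, salt: str) -> dict:
    # What a leaked user row contains: the salt and the hash, never the password.
    return {"salt": salt, "hash": legacy_hash(password, salt)}


def matches_leaked_record(record: dict, guess: str) -> bool:
    # A guess is confirmed entirely offline; no login attempt reaches the site,
    # so lockouts or exponential delays on the live site cannot slow this down.
    return hmac.compare_digest(legacy_hash(guess, record["salt"]), record["hash"])


def change_password_on_site(old_record: dict, new_password: str, new_salt: str) -> dict:
    # The site now stores a fresh record, but the copy already in the dump is
    # unchanged, so the old password remains recoverable from it.
    return make_record(new_password, new_salt)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    # Worst-case time to try every password of one length at a given rate.
    return charset_size ** length / guesses_per_second


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    # A purpose-built password hash (PBKDF2-HMAC-SHA256 here) costs `iterations`
    # HMAC calls per guess; the defender chooses the cost, the attacker pays it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def effective_rate(fast_rate: float, iterations: int) -> float:
    # Rough estimate: one slow-hash guess costs about `iterations` fast hashes,
    # so the fast rate is divided by the iteration count.
    return fast_rate / iterations
```

With the page's 3 billion guesses per second, every 8-character lowercase password falls in about 70 seconds against the fast scheme; at 100,000 iterations the same space takes roughly 80 days, and a unique password per site bounds what a cracked one is worth.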
RE the point on password managers, it depends what you use. I use Enpass, which doesn't store my details on their own servers like many others do. The passwords are encrypted and you can save them where you like; somewhere like iCloud or Dropbox is useful so it can be synced with phones and other devices.
 