Compromised Forum Admin

Even a 2048-bit key is crackable in a modest amount of time with some of the code-breaker modules.

The search for a non-spoofable authentication protocol is sort of computing’s Holy Grail.

The fingerprint scanner on this laptop was so unreliable I disabled it.

If you’ve ever seen the movie GATTACA, even DNA tests were being spoofed. (And the movement to ban or limit collection and storage of biometric parameters seems to be gaining steam.)

3 Likes

I love that movie

1 Like

Eventually, sure:

7 Likes

I have not dug through the code, what encryption method is used on passwords in Discourse?

1 Like

I reckon quite a few forum admins have access to Chat GPT level hardware.

2 Likes

The hashing method used is pbkdf2.

We bumped up the number of rounds recently due to advancements in processors and existing passwords are automatically upgraded to the higher number of rounds in login.
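
An added illustration of the "upgraded on login" scheme described above (example code, not Discourse's own; the round counts, key length and digest are constructed for the example): each stored record carries the round count it was derived with, so old records still verify, and a successful login, the only moment the plaintext is available, re-derives the hash with the current count.

```ruby
require "openssl"
require "securerandom"

# Constructed work factors for the example, not Discourse's real settings.
ROUNDS_OLD = 64_000
ROUNDS_NEW = 200_000
KEY_LEN    = 32
DIGEST     = "SHA256"

# Build a stored record. Rounds, salt and derived key travel together so a
# later increase in the default does not break verification of old records.
def pbkdf2_record(password, rounds, salt = SecureRandom.hex(16))
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, rounds, KEY_LEN,
                                  OpenSSL::Digest.new(DIGEST))
  { rounds: rounds, salt: salt, hash: dk.unpack1("H*") }
end

# Constant-time comparison of two equal-length strings (avoids early exit).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a login attempt against a stored record. On success, if the record
# was derived with fewer rounds than the current target, return a fresh
# record (new salt, new round count) for the caller to persist.
# Returns [ok, record_to_store].
def verify_and_upgrade(record, password, target_rounds = ROUNDS_NEW)
  candidate = pbkdf2_record(password, record[:rounds], record[:salt])
  return [false, record] unless secure_equal?(candidate[:hash], record[:hash])
  return [true, record] if record[:rounds] >= target_rounds
  [true, pbkdf2_record(password, target_rounds)]
end

if __FILE__ == $PROGRAM_NAME
  old = pbkdf2_record("correct horse battery staple", ROUNDS_OLD)
  ok, stored = verify_and_upgrade(old, "correct horse battery staple")
  puts "login ok=#{ok}, rounds #{old[:rounds]} -> #{stored[:rounds]}"
end
```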

Fair, but that doesn’t really change much.

The takeaway is “longer is better”.

3 Likes

Sure.

But if the question is if a rogue admin is a real threat because of hashes the answer is no.

I don’t agree 100% with that.
A rogue admin is able to bypass at least one important defense mechanism (rate limiting on password tries, because they can do offline attempts if they possess the hash). Dismissing that as unimportant or as not a threat could be considered negligence.

I’m not sure what “Chatgpt hardware” is (other than an attempt to use buzzwords for something completely unrelated) but this table does not include dictionary attacks, which is a real oversight and makes things look harder than they actually are.

5 Likes

SolarWinds123

@codergautam i hope you have taken some steps to prevent this sort of thing from happening to your forum again. good luck!

5 Likes

So…

this is what I’ve done so far.

  • made a pinned topic and another banner explaining about the incident, telling everyone to reset their password and enable 2fa

  • enabled 2fa requirement for mods

  • advised mods on this attack, and preventing types of attacks like this again

most active users have reset their password, but that's only about like 10% of the forum. I really don't want to reset everyone's password, as that will just cause confusion for them if they ever choose to re-log in.

4 Likes

yes but what about preventing a similar social engineering penetration and securing admin?

2 Likes

that’s 100% fault on my end. I have decided just to no longer give admin to anyone, especially not people I haven’t met and trust in real life.

5 Likes

For some more detail: The person that did the data breach got a permanent suspension from the forum because they were never trusted again.
The problem is that they could create alternative accounts on that forum and use it to evade their suspension and cause more chaos.

Perhaps blacklisting their IP could prevent further damage.

2 Likes

Having CSGO in your username could be grounds alone for suspension…

5 Likes

That’s mandatory for every single secure space on the internet (because of that some of us like real private messages -encrypted-).

1 Like

Social engineering attacks are based on the all-too-human trait of trusting people. And there are some really smooth talkers out there!

4 Likes

They did make alt accounts and once we saw it we perm suspended those accounts as well.

2 Likes

why not block his IP too? i’d at least delete an alt account and block the IP.

2 Likes

Because changing IP, if it has been static in the first place, happens faster than banning?

1 Like

it actually works better than you think. i’ve stopped a number of problem users with it. i find suspension easier to circumvent. also why would you not use all available methods to stop further action from this person?

2 Likes