Forums Outage This Morning

NightbreeD
Sophomore
Posts: 161
And1: 88
Joined: Jan 18, 2008

Re: Forums Outage This Morning 

Post#21 » by NightbreeD » Mon Aug 23, 2021 11:15 pm

bwgood77 wrote:
NightbreeD wrote: I received an identity monitoring alert this morning from my credit monitoring software that my information was on the dark web. It included my RealGM login name, password, and email address. Has anyone else gotten this kind of alert?


I get an alert sometimes from a credit company telling me my RealGM password is compromised but it has never been hacked. I have also changed it.


Thanks. I changed mine as well to be on the safe side. Thank you.
gnif
Site Admin
Posts: 60
And1: 47
Joined: Jan 28, 2016

Re: Forums Outage This Morning 

Post#22 » by gnif » Tue Aug 24, 2021 2:30 am

To put your minds at rest let me explain a little about why your passwords are safe and how they could not have been stolen as a result of this compromised account.

These forums do not store your password in any form that can be reversed back to its original form; the forums here use a "salted hash" to store your information.

A "hash" is a cryptographic function that takes your password and converts it to a number in a way that is impossible to reverse. This operation is lossy (as in, information is lost during the transformation) making it impossible to mathematically reverse the function and get the original input back. The output of this function is always the same for the same input provided.

A "salt" is some random data your password is "salted" with to thwart what is known as a "rainbow table" attack. This is when someone builds a huge table of hash to username entries that are pre-generated in order to reverse hashes back to their original input. The solution to this weakness is to salt each password with its own individual random value, making this pre-computed lookup table attack useless.

In short, even if the entire database is stolen, your passwords are still secure.
Also, the attacker never had the level of access needed to even access this data.

The other avenue of attack could be an alteration of the login form where the attacker could intercept the password as you are logging in before the password is hashed. We know for certain that this attack was not performed as we use source control software to manage the code running the forums which would have shown up any such alterations.

For the technically inclined, this forum is making use of `bcrypt`; more information here:
https://en.wikipedia.org/wiki/Bcrypt
HostFission- Full server management monitoring and hosting solutions.
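
The salted-hash scheme gnif describes above, as an added Python example (not the forum's code and not part of any post). It uses PBKDF2 from the standard library as a stand-in for bcrypt; the iteration count, usernames and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example, not the forum's setting


def unsalted_hash(password):
    """Plain fast hash: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(candidates):
    """Digest -> password lookup, built once and reusable against any unsalted dump."""
    return {unsalted_hash(p): p for p in candidates}


def hash_password(password, salt=None):
    """Salted, deliberately slow hash. Returns (salt, digest); both are stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo():
    # Constructed sample data, not real accounts or a real dump.
    table = build_precomputed_table(["letmein", "hoops2021", "password1"])
    users = {"alice": "hoops2021", "bob": "hoops2021"}

    unsalted_db = {u: unsalted_hash(p) for u, p in users.items()}
    salted_db = {u: hash_password(p) for u, p in users.items()}

    return {
        # Both unsalted records are found by a simple dictionary lookup.
        "unsalted_lookup_hits": sum(h in table for h in unsalted_db.values()),
        # The same table finds nothing among the salted records.
        "salted_lookup_hits": sum(d.hex() in table for _, d in salted_db.values()),
        # Same password, different salt: the stored records differ.
        "same_password_same_record": salted_db["alice"] == salted_db["bob"],
        "login_ok": verify_password("hoops2021", *salted_db["alice"]),
        "login_bad": verify_password("wrong", *salted_db["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

The salt is stored next to the digest and is not secret; its job is only to make each account's hash unique so one precomputed table cannot be reused across accounts.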
BKlutch
RealGM
Posts: 15,704
And1: 13,355
Joined: Jan 11, 2015
Location: A new land of openness, freedom, and defense for all.

Re: Forums Outage This Morning 

Post#23 » by BKlutch » Tue Aug 24, 2021 6:52 pm

gnif wrote: To put your minds at rest let me explain a little about why your passwords are safe and how they could not have been stolen as a result of this compromised account.

These forums do not store your password in any form that can be reversed back to its original form; the forums here use a "salted hash" to store your information.

A "hash" is a cryptographic function that takes your password and converts it to a number in a way that is impossible to reverse. This operation is lossy (as in, information is lost during the transformation) making it impossible to mathematically reverse the function and get the original input back. The output of this function is always the same for the same input provided.

A "salt" is some random data your password is "salted" with to thwart what is known as a "rainbow table" attack. This is when someone builds a huge table of hash to username entries that are pre-generated in order to reverse hashes back to their original input. The solution to this weakness is to salt each password with its own individual random value, making this pre-computed lookup table attack useless.

In short, even if the entire database is stolen, your passwords are still secure.
Also, the attacker never had the level of access needed to even access this data.

The other avenue of attack could be an alteration of the login form where the attacker could intercept the password as you are logging in before the password is hashed. We know for certain that this attack was not performed as we use source control software to manage the code running the forums which would have shown up any such alterations.

For the technically inclined, this forum is making use of `bcrypt`; more information here:
https://en.wikipedia.org/wiki/Bcrypt

I have credit and fraud monitoring provided gratis by a state I never lived in. They legitimately share a database maintained in my state, but were then hacked.

Importantly, this service has not seen my RealGM credentials on the dark web — tending to confirm the above.

Note: If ever I'm accused of having posted something inappropriate, obnoxious, or incredibly stupid, I will claim it is because my credentials were hacked. :lol:

Offense propelled by our Brunson Burner. Defense powered by OG, our after-burner.