Everyone Change Your Forum Password Now - Not a joke

[Ghostie]

Alex sez:

...Zebranky got a hold of a PW...
...With this he has the ability to reverse the encryption on forums PWs and log in as someone else.

Could we have an informative (think low level internet law savvy here) post with pertinent info, as to the legal ramifications this char 'Zebranky' has opened himself too, by his actions? Do we have anyone speaking with this person in RL? Do we know who he/she is in RL? I have changed all my PWs (copap wide), but still do not understand the tech as to what he learned and any effects it could have on my internet exp or my privacy.

Sorry for what may be lame questions, I suspect Im not alone in the community as to being a little (in truth, 'little' doesnt do me justice, 'seriously' would be closer to the mark) deficient in Techspeak literacy.

Unless you start posting your bank details online, I wouldn't worry about it. The information that Zebranky got access to is also accessible by Avlis admins, i.e ninja, xarthna and Sunscream. The passwords on the forums are encrypted and not easily (note: not impossible, but very very very very very very very very difficult to decode.)

Changing your forum passwords was a precaution, not a necessity. There is no risk to your personal information.

[Snow]

I think that by having the db he can log in with any account but he can't see the actual password since it's encrypted. I'm not expert though so I could be wrong.

[Faeldridge]

I get it... I just don't understand why...

[Trole]

I get it... I just don't understand why...

He was givin' a choice,
1) resist temptation, continue on path,
2) give in, take up new path of being viewed as a dumbass thief by a whole bunch of people

I view it like the sceen from IJLC, the knight says, "He did not choose wisely", after the dude ages turning into dust dead and gone..

[DeadEyeDave]

so this dude is a DM or something on hades? can avlis chars still go to hades? would going there do anything bad to my chars?

[Pekarion]

I get it... I just don't understand why...

I deem it as a case of "curiousity killed the cat"

[Brayon]

so this dude is a DM or something on hades? can avlis chars still go to hades? would going there do anything bad to my chars?

As far as I know Hades has been disconnected from CoPaP. I know that Hala cut their link when news of this got out.

Hades was also going to close shop, in a few weeks as well.

EDIT: He was a World Leader, like Orleron, Themi, Arkon, TaryRayC....

[Jo' d]

Thanks for the Techspeak lessons. I got the impression of this guys personal char from the posts, and was curious as to what kind of WHup-ass he's got coming his way. I suspect he can access the profiles, and therefore,knows my name and age as well as resident state? If that is in fact the case, and he has that info, I request to know the same of him. For I would know the villains of the RL world firsthand, and spread their infamy for all the world to know.

J

[sinn]

something else to think about people..

some peeps use the same password for many things.. like their email.. I imagine he may have gotten a list of emails in this ruse he pulled.. if your email PW is the same as your forum PW.. you might want to change that as well...

[terror2001]

As far as I know Hades has been disconnected from CoPaP. I know that Hala cut their link when news of this got out.

Hala did cut their link, but that is not the only link to Hades. The other one is still active.

[PlasmaJohn]

something else to think about people..

some peeps use the same password for many things..

Ok, enough of the fear-mongering

Up front, it is a security best practice to change your passwords regularly. If you have not done so in awhile, then this is as good a time as any. While there is a risk, it is reasonably unlikely. I will discuss that at the end.

The passwords are stored as "hashes" which is a "one-way transform". That means that there is no way to derive the password algorithmically. There are techniques that allows one to guess the password but those depend on the user picking something weak like a dictionary word or name. Things like "password" or "P@5sW0rd" are equally bad. If it's not weak, it cannot be guessed.

If the server told you your password was too weak when you created it, then you are at risk. Financial institutions or any other login with elevated security requirements will refuse to let you set a weak one. Many banks will refuse to work with computers that do not have an additional cookie derived from alternate data and require you to use alternative authentications.

Now the risk. An attacker may be able to derive a "collision". What that means is that an equivalent password may be calculated but since this is computationally intensive it is unlikely.

[PsiOmega]

As an addition so does phpBB3 not only hash the password but before that add a string, by default "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" for those curious, your userID (basically the number of registered users when you created your account +1), a string from a file and a few other semi-random (must be repeatable, obviously) things. The collection of all this is then hashed and compared to the hash stored in the database.

While this doesn't make it harder to find another password which creates the same hash it does make it even more unlikely that the attacker finds your real password as well as makes any collisions (with an extremely high probability at least) unusable anywhere else but on these forums.

[Fifty]

Makes me glad I don't reuse the same pasword in very many places. I had the same one here as for a few other low-security message boards, but entirely different ones for each email account, another different one for Facebook, completely different ones for banking, Paypal etc...

Does anyone know who he is in real life?

[DeadEyeDave]

Does anyone know who he is in real life?

I heard he's a secret operative for a Christian Childrens Charity, and he's trying to gather information so they can weed out the bad money. heh

[NecroZombie]

Does anyone know who he is in real life?

Narrowing down where he lives now.

Just wanted to spread the word of jesus and pray with him a bit.

[ninja]

and that's the thread...