Change your password if it's the same Boards.ie

I'm not good at this stuff. I have one email address, though. I'm not on any other message board etc., but I have bank accounts etc. The password I use for AAM is not the same as my password for anything else.

How can one get a safe email address? I'd like to change my current email address on AAM to a new email address and also change my password.

Also if I do this how do I know my current details on AAM are really deleted as nothing is ever deleted in cyberspace?
 
Just to add on the risk of the hacker brute-forcing your password:
It's very unlikely that they will do a bulk brute-force de-hashing, certainly not of all passwords. It would take significant computing resources; you're probably looking at a large-scale computing grid being required.
There's no need for the hacker to go to that effort; there is low-hanging fruit to be had.

The biggest danger is if you use a common word for your password.
E.g. say your password is the word 'password' or 'mypass' (this is much more common than you think). This would have a consistent hash value across all passwords in the database with that word.
The hacker could generate the hash for this and other very common passwords that people use, and search the DB for the hashed version.
Bingo, they will have a list of N users with the common password words.
The defence to the above is password salting. Another word/string is interspersed with your password word, then hashed, to introduce randomness and inconsistency into the hashed value. I'm not sure if the boards DB's passwords were salted as well as hashed (probably, but not definitely); it's easy enough to reverse the passwords of a significant number of its users if salting isn't used.
However, even salting gives limited protection, as the salt is usually the person's first name and/or surname or some other artifact of their personal profile, so the hacker could still write a script to cycle over the DB, generate the salt and hash for the common passwords, and check if yours is one of the more common password words.

So, to summarise: if you use a common password word (pretty much any word that can be found in a dictionary), do change your password for sure.
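As an added worked illustration of the point above, not code from this thread or from boards.ie/vBulletin: a small Python model of the two storage schemes. With unsalted hashes, every user who chose 'password' shares one stored value, so grouping the table by hash exposes them all at once; with a random per-user salt the grouping finds nothing, while login still verifies. The user table and the SHA-256 construction are assumptions for the demo.

```python
import hashlib
import os
from collections import Counter

# Constructed sample user table for the demo (not boards.ie data). Three of
# the five users chose the same weak password, as the post says is common.
USERS = {
    "alice": "password",
    "bob": "S3cur3!Phr4se",
    "carol": "password",
    "dave": "mypass",
    "erin": "password",
}

def hash_unsalted(password: str) -> str:
    # Unsalted scheme: identical passwords always give identical stored hashes.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes) -> str:
    # Salted scheme: the per-user random salt is mixed in before hashing.
    # (SHA-256 is used only to keep the demo short; a real site should use a
    # slow password hash such as bcrypt, scrypt or Argon2.)
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_unsalted_table(users):
    return {u: hash_unsalted(p) for u, p in users.items()}

def build_salted_table(users):
    # The salt is stored next to the hash; it is random, not derived from
    # the user's name or DOB, so it cannot be recomputed from profile data.
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)
        table[u] = (salt.hex(), hash_salted(p, salt))
    return table

def shared_hash_groups(table):
    # Audit check: which stored hash values are shared by more than one user?
    # In the unsalted table, one hash of "password" matches every user who
    # chose it; in the salted table the same passwords no longer collide.
    stored = [v if isinstance(v, str) else v[1] for v in table.values()]
    return {h: n for h, n in Counter(stored).items() if n > 1}

def verify_salted(table, user, attempt):
    # Login check still works: re-derive with the user's own stored salt.
    salt_hex, stored = table[user]
    return hash_salted(attempt, bytes.fromhex(salt_hex)) == stored
```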
 

Boards.ie use a random salt for each user as well as the hashed password.
 
The salt is useless if it is stored in or computed from data in the same DB (the bulletin board code is open source, so it's easy to figure out). I'd be surprised if the salt isn't derived from data in the same DB instance (again, it's usually salted by first/last name/DOB or some other user profile attribute).
A script to iterate over user records could easily apply the salt and hash to try to find common passwords.
Again, if you have a half-secure password (with some non-alpha characters) there's probably little worry; if not, do change your passwords.
 
Hi Raven

The salting and the hashing is for boards.ie (or vBulletin) to do.

What should a random punter do?

What are the features of a good password? If it's a random string of words and numbers and different for all websites, it would be impossibly awkward.
 
> Hi Raven
>
> The salting and the hashing is for boards.ie (or vBulletin) to do.
Absolutely, it provides a good level of protection.
There's not much more that can be done by the site administrator (in practical terms), to be honest.
If the database is compromised (basically downloaded by a hacker), the first thing they will do is try to crack the most common passwords.
About 10 or 20 common password words would typically account for 5 to 10% of the user base's passwords.
E.g. see

http://blog.jimmyr.com/Password_analysis_of_databases_that_were_hacked_28_2009.php

So, the hacker will cycle over the DB and try to crack a list like the one in the above link first, then maybe start trying words in a dictionary (e.g. from freely available dictionary files), i.e. applying the hash/salt to the common password word for each user and checking if they get a match to the common password word.
> What should a random punter do?
>
> What are the features of a good password? If it's a random string of words and numbers and different for all websites, it would be impossibly awkward.

A good password should generally have one or two numbers and one or two punctuation marks, and a mix of upper/lower case characters.
You can make it easier for yourself to remember by substituting zeroes for 'O's, '3's for 'E's and maybe '$' for 'S', etc.
E.g. "somedemo" could become "$0m3d3m0".
This would make it exponentially more difficult to crack, as the computing power needed to brute-force it gets prohibitive.

You can probably get away without having different passwords for all the different sites if it's just impractical for you to remember such a large number of passwords.
However, it is definitely best, at a minimum, to use one password for "non-money"/lower-value types of sites (bulletin boards etc.), and another for higher-risk, financial sites (banking sites etc.).
 
If using Firefox... get the 'LastPass' add-on... it will remember/generate passwords for you and allow you to log in to a forum/site automatically.

To keep your LastPass passwords safe you have a master password.

More info here (no affiliation):

https://lastpass.com/index.php
 
You could use a line from a song:

"Here's to you, Mrs Robinson, Jesus loves you more than you will know"

and just use all the first letters of the words:

HtyMRJlymtywk

and there you have it - easy to recall (hum the words as you type it in) but quite difficult to crack, I should think?
 
Now we'll all be using HtyMRJlymtywk :p
 