91 comments

[ 3.1 ms ] story [ 151 ms ] thread
Hashed and Salted sha1 should take basically no time to crack at all.
It's my lay understanding this is true; there's a reason we all switched to bcrypt, right? But this comment is getting downvoted. What's the deal?
It is lacking in nuance, information, and clarity. (Surely a significantly strong password wouldn't be immediately cracked when hashed & salted, right? I don’t know for sure, and that comment isn't helping.)
If you read the article, it says the passwords are hashed and salted. So I think the comment is appropriate... I don't think this is the same thing as passwords being sold at all.
This was sarcasm right? In all seriousness though, I think titles like "passwords stolen" are a little misleading. Article titles should either be "hashed passwords stolen" or "plaintext passwords stolen" IMO.
No, he's absolutely right. Single-iteration SHA-1 is extremely inappropriate for password hashing, and all salting does is prevent rainbow table attacks and instant reversal of duplicate hashes. It does not slow down non-precomputed attacks one bit.

It's much better than plaintext, but essentially only a little bit better than unsalted MD5.

I'm really surprised Tumblr would use such an awful password storage scheme as late as 2013. I thought they invested a lot into security?

From the perspective of trying to crack a single user's account the salt does not slow down non-precomputed attacks at all. From the perspective of trying to crack the entire database, or a significant portion of it, it multiples the work required by N (where N is the desired number of cracks to perform).
I mean, it depends how you look at it.

I consider precomputed attacks a special case of these attacks, sort of. In the security world, most password-predicting attacks are linear with respect to the amount of accounts you're trying to get passwords for.

It's true that it will take a lot of hardware to efficiently attack all 65 million passwords. But in my field, big dumps like these are a godsend when doing a pentest.

Looking to compromise a sysadmin's account? Search his/her emails and aliases in as many DB dumps as you can find, then expend a lot of resources cracking that one hash. If it's just a SHA-1 hash and the password isn't very strong, you won't have much trouble.

Also a risk for people with vendettas against specific tumblr users (which, to my understanding, is a big issue on tumblr).

Brute force as an attack vector is dealt with by requiring "strong" passwords, not by using scrypt, so the thought of using a hash that protects all passwords equally with respect to the time it takes to try one, as an extra layer of defense for those weakest of the "strong" passwords, doesn't usually come up unless you're actually looking into how to design a login system instead of just copying from somewhere/some book as fast as you can and moving on. This issue with Tumblr that late doesn't surprise me at all.

At least one major benefit of SHA over MD5 is that you won't trivially find collisions and thus compromise the accounts of even those users with strong passwords...

(comment deleted)
In this case, it should be "Salted Password Hashes Stolen"
salted with what? unique salts per password? hashed with what? in many cases you're 5 minutes away from plaintext passwords, so the distinction is meaningless.
It still depends on the password.

I've changed my Tumblr password after this just in case, but it was some approximately hundred character random password generated by Lastpass before that.

So let's say half the ASCII range, which gives us this number of possible passwords:

    (2^7/2)^100
    41495155688809929585124078636911611510124462322424368999956573296906\
    52811412908146399707048947103794288197886611300789182395151075411775\
    307886874834113963687061181803401509523685376.00000000000000000000
I'm pretty sure even if it's just stored as single-iteration sha1() cracking it would take until the heat death of the universe.
That's a fair point, but I do not believe password managers are currently the norm for a userbase like tumblrs.

Still, the hash time for a SHA1 is fairly insignificant at this point.

the heat death of the universe, or until an attacker realized Lastpass has been breached multiple times, and they already have every password you've ever used with it.

you're an:

   i\
   d\
   i\
   o\
   t.00000000000000000000
As shared in the link, if you want to check if your Tumblr account was compromised check out:

https://haveibeenpwned.com/

It's amazing. Just about every single one of my email addresses have been compromised in one way or another, how could it be there are so many websites with such bad security.
or, you're just attracted to bad websites. the problem is likely with you.
That site is amazing, I can look up anyone's email address and see what hacked communities they are a part of
(comment deleted)
Well, the data is already on the internet...
it is more convenient, just upvote and move on
Unless they use different emails for different websites. This sounds extreme, but you just pointed out one reason that might be a good idea.
And other reasons include:

Knowing who leaked your email or sold it to spammers

Being able to stop spam by deleting the email

You could even consider binding the email to a domain so the address would only accept emails from the domain you gave this email address.

You don't really want different mailboxes, you want one mailbox with different aliases. An alias becomes a "communication token" which can be revoked, very much like when paypal gives a payment authorisation token to an ecommerce website. If that token gets leaked, no big deal, no one else can use it. A single email address is more like a credit card number.

Try <username>+<per_site_suffix>@gmail.com and then set up a filter for every suffix.

The per_site_suffix can be anything you want.

Except that everyone does that, I am sure spammers very well know that suffix trick.
Because security is actually really hard, contrary to popular opinion.

As an industry, I think we need to rethink the way we develop, package, and deploy web apps. The fact that we rely on individual developers and sysadmins to get security right, perfectly, every time is crazy. In an ideal world the prod environment should protect me from shooting myself in the foot, and the OS should be running a hardened-by-default, single-purpose system image that doesn't require bespoke knowledge to make secure.

While far from perfect, I think the PaaS vendors (AppEngine and Heroku) got a lot of things right in this regard. [Disclaimer: I work for Google, but not on Google Cloud.]

No. Most vulnerabilities are sql injections and phishing attacks. There are so many leaks because incompetence is the norm among developers.
> Because security is actually really hard, contrary to popular opinion.

But some of the password hashing algos used, no salting, making all password characters lower-case in the background, etc. are not hard things to avoid. So when a site is hacked and the user information stolen and we find that stuff out, it's safer to assume other security practices where also subpar.

Yup there are just a lot of bad developers out there, quite honestly.
Add "cheap" to their traits, and it would help figure out why anybody would ask them to code anything
For big sites, I have a hard time blaming it on a bad developer. Early in my career, I worked for a company that stored it's passwords in plain-text. I suggested on many occasions stop doing this and was always told no because the site had an older audience and they wanted to make it easy to send password reminders, which also meant they were emailing passwords in plain-text. This came from the tech director and CEO and none of the other devs seemed to care.

A few years after I left, their DB was compromised, so someone got a list of email addresses with clear text passwords.

Just got an email today from the same site that I am in the leaked myspace dataset. Is this a new dataset or else why are they notifying me only today?

http://www.businesswire.com/news/home/20160531005770/en/Time...

The dataset was just leaked yesterday or something. The data in the leak is from around 2008 I believe though.
The dataset was hacked years ago but only recently the data from that hack was openly available for sale which poses a significantly higher risk.
According to this site, the Myspace data set contains a profile with an email I wasn't issued until 2012. So my university reissues emails. So I could probably throw it into a bunch of "recover password" forms. That kinda sucks.

So when my email gets reissued i'll have to track down every single website it's linked to and purge any personal information etc. Fantastic.

You should push for them to change that practice. If your e-mail address isn't permanent, you probably shouldn't register it with other sites, or else track every site that uses it for authentication (account recovery) so you can update to your new e-mail address when you move on.

Out of curiosity, what do the usernames (aka local part) of the e-mail addresses look like? Are they based on names/initials? Are they arbitrary?

The format is `${firstLetterFirstName}${lastName}${int}`.

My high school followed a similar structure, but had the graduating year as a suffix, implying that they would never be reused.

I wouldn't be surprised if this was rampant in educational institutions who have to provision emails to people with identical names all the time.

why not use a sub domain? user@class16.school.com for example.
or a Gmail wildcard alias username+alias@gmail.com
most universities where I live use either stu120691 [at] mail.uni-kiel.de, or stu120691 [at] informatik.uni-kiel.de, or allow you to choose a custom prefix for prefix [at] stu.uni-kiel.de and prefix [at] informatik.uni-kiel.de

(those addresses are mine, first the generic ID, then the generic ID [at] faculty, then prefix [at] generic (I don’t have one), then prefix [at] faculty; first comes first serve on prefixes)

I've never signed up for myspace, and yet it tells me one of my emails is compromised there.

I'm not sure what to make of that information, since I know it's not a recycled email address.

This has reminded me to sign up all my emails for alerts, and makes me glad I started using Lastpass back in 2012 and almost all my logins these days are separate and very long passwords.
Which is great until your Lastpass account gets hacked.
There is no such thing as unbreakable security. You always have to compromise security for usability somewhere. I trust LastPass' procedures more than I do most websites'.
you don't trust yourself or your ability to maintain a single list of key->values better than a 3rd party?

lastpass has been hacked multiple times revealing ALL your passwords. the compromise is obviously to not use it and when ONE of the services you used is hacked you lose ONE account rather than them all.

While I agree with you, Lastpass has been hacked in the past, and if you store all your passwords in one place it's really open-kimono time when there's a breach.

I've taken to doing the thing they tell you never to do: I write my passwords down on a piece of paper. Criminals can get access to my passwords, but they're going to have to travel to my house to do it.

That site is amazing and it is shocking how many of my emails have been compromised by random games I've played.

For example, D&D Online and Heroes of Newerth both were compromised.

Here's my question...what recourse is there beyond resetting passwords? If a company did something as dumb as store my PW in plaintext, do I have any realistic legal recourse for what seems pretty negligent? I'd assume I'd have to prove damages of some sort, and I am not a fan of an overly litigious society, but it seems there is no real recourse for impacted users.

TOS's generally protect the company's I'd imagine. (IANAL)
- From the 2013 data breach

- HaveIBeenPwnd contains the data on sale here

If you don't know what HaveIBeenPwnd is, you type in your email to check if it is involved in any data breaches online. They don't give you the actual data back.
Now is a great time to add two-factor authentication to your account after you change your password.
Problem with 2FA is: what happens when you're traveling internationally and don't have access to your phone number, and need to look up your bank balance or something where you've employed 2FA?
One solution is to use Google Authenticator (or a similar compatible app) that generates the codes on-device so no data/SMS connection is needed.
You still need your phone for that. If you're out of battery charge, you're temporarily locked out. If you loose your phone, you're locked out until you recover the number. If you can't recover the number for some reason, then what?

People downplay the probability and importance of these issues, but the situations where you loose your phone are often the situations where you need access to your online accounts. One such situation can do far more damage than all the hacks combined. (For example, someone steals your backpack with your phone and wallet. Horror scenario: someone steals your backpack with your phone and wallet in a foreign country.)

In short, loss of access must be considered as a tradeoff.

Loosing anonymity due to phone-based 2FA is another issue that never seems to be considered in these discussions.

Finally, phone-based 2FA discourages you from splitting your accounts. (It's a bit of a hassle even with one email. Imagine managing 5 or 6.)

That's when you use the one-time passwords you generated and printed out in case of just such an emergency. Most (important) services I've enabled 2FA on make this an explicit step.
2FA isn't limited to a single device. With 1Password, a TOTP code is available on my laptop, on my phone, on my watch, via an encrypted backup, etc. If you have access to a computer, you can access your second factor. That's not even counting paper backups as others have mentioned.

Not sure how anonymity factors in here. How can typing a number into your phone to set up TOTP then typing the resulting numbers back into your already-authenticated account deanonymize you?

Finally, yes, adding more security is a hassle. But if you're willing to add 5 seconds to your login on one account, I don't see why you'd be super against doing that for multiple accounts.

(comment deleted)
Upgraded my phone (there was no way to export Google Authenticator profiles), lost 1 hour of my life getting them onto the new device.
Oh, total agreement there. I've gone to apps that allow backups/exports (1Password currently) specifically because of this.
I don't rely on text messages. I use Authy, and I've used Google Authenticator in the past.
Use an app that works offline. Most do.
Just looking at the haveibeenpwned.com it links to the cryptically poor Adobe password were. I am fascinated by how popular certain passwords are: http://stricture-group.com/files/adobe-top100.txt

It appears some random words aren't necessarily random. Words like 'shadow' and '1q2w3e4r'.

Fascinating!

You can probably get even more correlation if you account for "l33tspeak" i.e. swapping letters for numbers that look like them.

    password => p455w0rd
    password => passw0rd
Don't forget adding ! or 101 and so on to the end of a password and capitalizing the first letter. "Password1!" is likely to pass complexity and length requirements quite well.
The top ten passwords in the in the adobe hack account for 2.8% of all passwords. About 1/35 used one of ten passwords. That's frightening to think about. Thanks for the share.
It's a shame Tumblr and Yahoo... we are informed 3 (!!!) years after this breach. Unbelievable.
Thank goodness 2013 was before I had to change my Tumblr password (and activate 2fa) because of Heartbleed.
Also a shame that the people that pulled this off are allowed to live.
Translation:

> Oh no! Someone has my email address and unique hashed password, they should be shot!

Thanks for translating. I wasn't sure what method of execution was implied.
Please don't do this here. We're looking for thoughtful discussion, not extreme one-liners or snark.

We detached this subthread from https://news.ycombinator.com/item?id=11809297 and marked it off-topic.

For the record: not a Tumblr user.

My opinion is that people who commit those acts need to be killed as an example to others.

Some will argue that they perform a public service of some sort, but the fact is, they're bullies, plain and simple. They are past any public service point and now are off into lulzland, where they're selling this information because they will profit from it. I cannot envision that there is any sense of remorse in these people, either.

I am fairly certain they will get away with this - odds are against them ever being caught in a country with a decent enough justice system to apply a lasting verdict. Even finding enough proof to convict is a very long shot.

The part of me that despises bullies, though, wants to line them up in front of their colleagues and say "Do what you want, but remember, there are consequences. This is consequences." and turn them into a thin, red smear.

I try to avoid posting while angry these days, because it's really pretty useless. Sometimes, though, can't help it.

You lack context. Most hackers doing this live in Russia/China/Ukraine they are mostly untouchable but in the same time they have limited possibilities to escape from hell they live.

It is easy to be on high moral ground when you can just get a normal job in economy with <6% unemployment and rich family to back you up, funding your overpriced college.

NSA spy people and have probably more private information than your Ashley Madison "secret" email. There more dark web than you can imagine and hacking Tumblr is just silly.

> Most hackers doing this live in Russia/China/Ukraine they are mostly untouchable but in the same time they have limited possibilities to escape from hell they live.

And that justifies their acts?

You're right. It's easy to be all moral and ethical when you don't face those kinds of challenges. I'll even grant you that I have failed a few moral and ethical challenges while living in my safe little world.

I own that.

And I have zero sympathy for those bastards. They made a choice to steal and then a further choice to release that information for others to do more harm and to try and make money while doing it.

You know the saddest part?

I look at all the threads related to this story and I'm the only one who's even outraged by this. Most people are pretty blasé about it (kind of understandable) and many of you are defending their actions.

Are we that disconnected that we no longer recognize right and wrong? Have we reached a point where we can say "Fuck the 1st worlder. He can buy more privilege."?

Because life is not black and white. Everything is is just shade of grey.

Russian Hacker have a choice: - hack for Russian Government, potentially leading to people being killed. - hack for blackmail where hacked western company will need to pay fee data/ddos. - work as bounty hunter making pennies for sometimes weeks of work.

Someone from US with the same skill is working as: - penetration tester, - security consultant, - do bounty hunting as hobby

Majority of hacks you will never hear, It is only happening when: a) Company decide not to pay blackmailers and screw the users,(Tumblr?) b) Competing company pay for hack to destroy competitor(Ashley Madison?), c) Is done by foreign country as mean of attack (Estonia/Github)

Single people being blackmailed is usually done by friends family. Let say that you "best" friend knew about "your" Ashley Madison account, he would use this as opportunity to blackmail.

Were Russian vegetate in the middle of Siberia, US gentleman is having fancy dinners in SF. If you want to have moral outrage do it for US companies Yahoo, Google for sharing data with Chinese Gov.

>Most hackers doing this live in Russia/China/Ukraine they are mostly untouchable but in the same time they have limited possibilities to escape from hell they live.

In my experience this simply isn't true. The part about nationalities, yes somewhat. But these guys certainly mostly aren't living in particularly bad situations, they're just guys that figured out that the risk/reward ratio is heavily in their favor.

>It is easy to be on high moral ground when you can just get a normal job in economy with <6% unemployment and rich family to back you up, funding your overpriced college.

You can hardly compare a "normal job", even if it pays 200k a year to a part time job where you can make anything between 500k to millions of dollars a year.

Wow, such characteristically overindulgent threats to life.

Are you by chance a tumblr user?

Right, 'cause Tumblr is the first site that comes to mind when I think of hyperbolic threats.
Actually it is.

"Anyone who disagrees with my assertion should fuck themselves with a rusty bat"

The only site that does it more excessivly is 4chan but there is no vitriol in their statements they're just trying to shock. Tumblrites are saying it loud and unabashed in an effort to create comedy, but there is truth in their "jokes" and it seeps through.

Being "allowed to live" after exposing bad security is something you only hear in really exceptionally bad countries, or tumblr.

(comment deleted)
I wish i could find my hash because I used tumblr back then but have deleted my account since then. I just want to know if it is a password i'm still using or not.
Been in this situation a few times now. It's dawning on me that this is why they say not to use the same password in more places..
well I have a lot of accounts I don't care much about, but it's still nice to know. the ones I do care about: Amazon, banking, Facebook etc do you have unique passwords.
Wow, whoever is responsible for this is a real shitlord!
just curious. from 1 to Snowden how illegal is it to buy or access this dataset?
These Tumblr Passwords are probably useless. Last time I logged into both my Tumblr accounts there was a required Password reset.