Possible Security Breach of email addresses and passwords

[nd5y]

There aren't any restrictions that I am aware of.

Good. That's better than some other web sites that I use.

 

[K7MFC]

all passwords are hashed and salted.

Wouldn't a rainbow table attack be very difficult if the passwords were salted and hashed?

 

[blantonl]

Wouldn't a rainbow table attack be very difficult if the passwords were salted and hashed?

Unfortunately no for older hashing mechanisms.

 

[K7MFC]

If the attacker only had the hashed password, salting the password should exponentially increase the difficulty which would be required to decrypt a it. Would you be willing to share your root cause analysis findings of this incident when complete?

Edit: thanks for the additional information; the initial reply was just "No."

 

[GTR8000]

What is the maximum password length allowed and what characters allowed/not allowed for the new system?

A couple of years ago I ran into an issue using a password greater than 20 characters in length. I don't recall the exact details nor do I know if that length restriction still applies.

 

[PrivatelyJeff]

That’s why I encourage everyone to use a non-cloud based password manager and use the most complex password you can for each site. I couldn’t tell you my bank username/passwords because they are so complex.

 

[nd5y]

Well after changing my password I can't log in to the wiki.
I get a blank page with this url in the address bar:

https://wiki.radioreference.com/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main_Page

 

[eorange]

If the attacker only had the hashed password, salting the password should exponentially increase the difficulty which would be required to decrypt a it. Would you be willing to share your root cause analysis findings of this incident when complete?

Edit: thanks for the additional information; the initial reply was just "No."

MD5 has been known to be vulnerable for some time now, even when using a salt. The SHA-2* variants are more resistant to collisions (cracking).

 

[GTR8000]

Well after changing my password I can't log in to the wiki.
I get a blank page with this url in the address bar:

https://wiki.radioreference.com/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main_Page

Confirmed.

 

[AK9R]

FWIW, I'm able to log into the Wiki.

Those of you who are having problems logging into the Wiki, did you change your password in your forums profile or did you change your password through your account information page on the main site?

 

[nd5y]

I tried to change it from the Your Account Information and it failed, then I used the reset password link on the main site. I didn't use the forum or wiki.

 

[AK9R]

Remember that you need to log into the Wiki as "Nd5y". The first letter must be capitalized.

 

[nd5y]

Remember that you need to log into the Wiki as "Nd5y". The first letter must be capitalized.

I know. I tried both ways.

 

[nd5y]

I tried to change it from the Your Account Information and it failed,

So when I did that I couldn't log in to the main web site, not just the wiki. After I used for forgot password reset link and made a new password is when the wiki broke.

 

[blantonl]

I've fixed the Wiki....

 

[K7MFC]

MD5 has been known to be vulnerable for some time now

Oof...MD5 exploits have been well known for at least 15 years. Very surprising that RadioReference is still using it.

 

[blantonl]

I'm closing and moving to this official announcement:

Security Incident - Please Change Your Password

Everyone, We've recently received reports of scammers emailing our members with bitcoin extortion attempts. We've identified that hackers were able to download email addresses and encrypted passwords from our database for a number of our users and use that information in these emails. We...

forums.radioreference.com