favdesu (Legendary; Activity: 1764; Merit: 1000), May 26, 2015, 09:27:56 PM
> Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

> How much does the password need to be changed? Would it be enough to change a letter or two, or would it be better to make a brand new long and complicated password? The reason I ask is that it takes some time to memorise a long complicated password; if I only add or remove something, will the learning time for the new password decrease?

No, make a fresh, new password. If you have issues remembering all your passwords, check out KeePass 2; it's an open source password vault. You only need one master password.
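The hashing scheme named in the quoted post, sha256crypt with a configurable round count, as an added example that is not part of this thread and not the forum's own code: a from-scratch Python implementation of the Unix crypt(3) "$5$" scheme (the sha-crypt algorithm specified by Ulrich Drepper), checked against the test vector published with that specification, plus a constant-time verifier. The "Hello world!" / "saltstring" pair is the specification's vector; the "correct horse" password and "constructedsalt" salt are made up for the example, and the 7500 setting mirrors the round count quoted above.

```python
import hashlib
import hmac

# crypt(3) alphabet: not standard base64, and the output is not the digest in order.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Output permutation from the sha-crypt specification: each triple of digest
# bytes becomes four characters; bytes (31, 30) become the final three.
_TRIPLES = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
            (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit n characters from the 24-bit value b2|b1|b0, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def parse_setting(setting: str):
    """Split '$5$[rounds=N$]salt[$...]' into (rounds, salt, rounds_custom)."""
    if not setting.startswith("$5$"):
        raise ValueError("not a sha256crypt setting string")
    rest = setting[3:]
    rounds, custom = 5000, False          # spec default when no rounds= prefix
    if rest.startswith("rounds="):
        num, sep, tail = rest[len("rounds="):].partition("$")
        if sep and num.isdigit():
            rounds = max(1000, min(int(num), 999_999_999))  # spec clamps the range
            custom, rest = True, tail
    salt = rest.split("$", 1)[0][:16]     # at most 16 salt characters are used
    return rounds, salt, custom


def sha256crypt(password: str, setting: str) -> str:
    """Compute a crypt(3) '$5$' hash; the forum's 7500 rounds is just a setting."""
    rounds, salt, custom = parse_setting(setting)
    key, salt_b = password.encode(), salt.encode()
    H = hashlib.sha256
    klen = len(key)

    # Digest B = H(key || salt || key); digest A mixes key, salt and B.
    alt = H(key + salt_b + key).digest()
    ctx = H(key + salt_b)
    ctx.update((alt * ((klen + 31) // 32))[:klen])   # one byte of B per key byte
    cnt = klen
    while cnt > 0:                                    # bits of the key length
        ctx.update(alt if cnt & 1 else key)
        cnt >>= 1
    alt = ctx.digest()

    # P (key-length bytes) and S (salt-length bytes): blocks whose sizes depend
    # on the input, so every round hashes a variable-length message rather
    # than a fixed 80-byte block header.
    p_bytes = (H(key * klen).digest() * ((klen + 31) // 32))[:klen]
    s_bytes = H(salt_b * (16 + alt[0])).digest()[:len(salt_b)]

    # Work-factor loop: a fresh SHA-256 per round over a parity-dependent mix.
    for i in range(rounds):
        ctx = H()
        ctx.update(p_bytes if i & 1 else alt)
        if i % 3:
            ctx.update(s_bytes)
        if i % 7:
            ctx.update(p_bytes)
        ctx.update(alt if i & 1 else p_bytes)
        alt = ctx.digest()

    body = "".join(_b64_from_24bit(alt[a], alt[b], alt[c], 4) for a, b, c in _TRIPLES)
    body += _b64_from_24bit(0, alt[31], alt[30], 3)
    prefix = "$5$" + (f"rounds={rounds}$" if custom else "") + salt + "$"
    return prefix + body


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored hash's own setting; compare in constant time."""
    setting = stored.rsplit("$", 1)[0]
    return hmac.compare_digest(sha256crypt(password, setting), stored)


if __name__ == "__main__":
    # Test vector published with the sha-crypt specification.
    print(sha256crypt("Hello world!", "$5$saltstring"))
    # Constructed example at the forum's round count (salt and password made up here).
    h = sha256crypt("correct horse", "$5$rounds=7500$constructedsalt")
    print(h, verify("correct horse", h), verify("wrong guess", h))
```

The round loop is the point of the scheme: each round is a fresh SHA-256 over a mixture of the previous digest, a password-length block P and a salt-length block S, chosen by the round index. A Bitcoin ASIC is wired for SHA-256d over a fixed 80-byte block header with a rolling nonce, which is the structural reason the quoted post says the mining hardware cannot be repurposed. The rounds= prefix is also why the cost is tunable: raising it from the default 5000 to 7500 makes each guess, and each legitimate login, half again as expensive.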

Scamalert, May 26, 2015, 09:38:53 PM
> > Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.
>
> > How much does the password need to be changed? Would it be enough to change a letter or two, or would it be better to make a brand new long and complicated password? The reason I ask is that it takes some time to memorise a long complicated password; if I only add or remove something, will the learning time for the new password decrease?
>
> No, make a fresh, new password. If you have issues remembering all your passwords, check out KeePass 2; it's an open source password vault. You only need one master password.

Yes, you are probably right... I need a brand new one; adding 8 letters is not good enough. I looked at that KeePass 2, it looks pretty good, just not sure I can trust it... But thank you anyway.

readysalted89, May 26, 2015, 10:31:04 PM
> > Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.
>
> > How much does the password need to be changed? Would it be enough to change a letter or two, or would it be better to make a brand new long and complicated password? The reason I ask is that it takes some time to memorise a long complicated password; if I only add or remove something, will the learning time for the new password decrease?
>
> No, make a fresh, new password. If you have issues remembering all your passwords, check out KeePass 2; it's an open source password vault. You only need one master password.

Are the passwords it generates by using mouse movements for additional entropy completely random? Does it only generate pseudo-random passwords without using mouse movements or anything else to collect additional entropy?

Gisado (Full Member, "Yoohoo"; Activity: 168; Merit: 100), May 26, 2015, 11:21:59 PM
The compromise notification email said the reset question was less brute-force resistant, so I wanted to remove it. Is blanking the QnA form (and saving) enough to disable it?

theymos_away (Member; Activity: 82; Merit: 26), May 26, 2015, 11:29:54 PM
> The compromise notification email said the reset question was less brute-force resistant, so I wanted to remove it. Is blanking the QnA form (and saving) enough to disable it?

Yes, make the secret question field empty.

Welsh (Staff, Legendary; Activity: 3304; Merit: 4115), May 26, 2015, 11:35:43 PM
> The compromise notification email said the reset question was less brute-force resistant, so I wanted to remove it. Is blanking the QnA form (and saving) enough to disable it?

You can always test it yourself by going to the "forgotten password" page and selecting "Ask me my security question". It will tell you if it's not enabled on your account. That's if you want to double check.

shavers, May 27, 2015, 12:06:08 AM
Good job on getting this up again, lads! Hope next time you'll be ready and fully armed! This downtime looked like an eternity; a lot of us missed you.

But how will you ever manage to die, Narziß, if you have no mother?

Superhitech (Legendary; Activity: 1064; Merit: 1000), May 27, 2015, 03:20:27 AM
Thanks for the explanation theymos.

> On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:

Does this mean that only people with the Member rank were affected, or all forum members? Changing my password anyway, just curious. Also, I found this interesting article: https://www.cryptocoinsnews.com/bitcoin-mining-figure-joshua-zipkin-responsible-bitcointalk-hack/ Opinions?

notlist3d (Legendary; Activity: 1456; Merit: 1000), May 27, 2015, 03:55:24 AM
> Thanks for the explanation theymos.
>
> > On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
>
> Does this mean that only people with the Member rank were affected, or all forum members? Changing my password anyway, just curious. Also, I found this interesting article: https://www.cryptocoinsnews.com/bitcoin-mining-figure-joshua-zipkin-responsible-bitcointalk-hack/ Opinions?

I think the comments are pretty dated. I do know AMT has no love here, so I could see them having a reason. But I don't know how much of a threat the owner is. I do wonder, do we know whether other information besides the password was also salted? Or are we talking plain text?

freedomno1 (Legendary, "Learning the troll avoidance button :)"; Activity: 1806; Merit: 1090), May 27, 2015, 04:23:35 AM
Off to change the password. It's good to know that a Bitcoin miner can't be used to break encryption. Thanks for the hard work theymos.

Believing in Bitcoins and its ability to change the world

hedgy73 (Legendary; Activity: 1414; Merit: 1077), May 27, 2015, 06:12:45 AM
Thanks for your hard work getting the forum back up and running, Theymos; it must have been a real headache.
Let's hope the reward you're offering helps catch the lowlife scumbags.

Lauda (Legendary, "Terminated."; Activity: 2674; Merit: 2965), May 27, 2015, 07:02:52 AM
> Yes, you are probably right... I need a brand new one; adding 8 letters is not good enough. I looked at that KeePass 2, it looks pretty good, just not sure I can trust it... But thank you anyway.

There's no reason not to trust it. Since it is open source, if coders have accepted it, it should be fine. Also, there is always the old school method of writing it down on a piece of paper.

> Off to change the password. It's good to know that a Bitcoin miner can't be used to break encryption. Thanks for the hard work theymos.

Although the majority of the passwords will still get broken.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" 😼 Bitcoin Core

itod (Legendary, "^ Will code for Bitcoins"; Activity: 1974; Merit: 1077), May 27, 2015, 08:31:53 AM
> Although the majority of the passwords will still get broken.

I'm not so sure about this. It's hard to estimate how long the passwords people used are, but an average 11-length alphanumeric password needs 3 months (estimated) to be cracked, and a 12-length one 3 years. Longer passwords probably won't get cracked. If the majority of people here used shorter passwords then, yes, the majority will get broken, but I think that is not the case; the majority of people here knew better than to use short passwords.

thebitcoinquiz.com, May 27, 2015, 10:21:51 AM
Why is this news, "News: Change your password!", only shown on the index page? I believe that right now this news is like the most important thing for the forum and should be displayed on all the threads.

Stay hungry. Stay foolish.

BTCtalkScammerDetective (Newbie; Activity: 17; Merit: 0), May 27, 2015, 10:25:44 AM
> Why is this news, "News: Change your password!", only shown on the index page? I believe that right now this news is like the most important thing for the forum and should be displayed on all the threads.

At least have it in bold so it's easier to see.

KarmaShark, May 27, 2015, 11:10:21 AM (last edit: July 29, 2016, 07:50:16 PM by KarmaShark)
Happy to see that all is good now! I think it was the 3rd hack attempt in the last 2 months.

chrisvl (Legendary, "Trainman"; Activity: 1274; Merit: 1006), May 27, 2015, 11:34:02 AM
404 security not found /\ Theymos, protect the bitcointalk community; there are too many ways.

rishabh6115 (Newbie; Activity: 13; Merit: 0), May 28, 2015, 05:20:11 AM
Do we have to change our passwords, or is it fine to keep the old one? Please answer fast.

MakingMoneyHoney, May 28, 2015, 05:22:30 AM
> Do we have to change our passwords, or is it fine to keep the old one? Please answer fast.

You should change it.

DiamondCardz (Legendary; Activity: 1134; Merit: 1118), May 28, 2015, 05:25:15 AM
Ooh. That's a lot of kiloyears to break my password.
Thanks for the warning. I updated my password after the hack just to be safe, and also to make it a little bit more secure compared to the password that I previously had on my account.
rishabh6115: Depends. If it's extremely secure you might not need to take action; if it's less secure you should, but in all fairness you probably should either way.

BA Computer Science, University of Oxford. Dissertation was about threat modelling on distributed ledgers.