MODERATOR ATTENTION: How to get help when you need it
For those who have urged changing one's password. So I don't know how the compromise occurred, but there should NOT be any way for an admin to obtain users' passwords. The way password authentication is supposed to work is that what's called a "hash" of the password is stored, such that if the correct password is entered, then it's verified using the hash. Sites have existed for which actual passwords were stored, or encrypted versions were stored (but most encryption accessible to civilians can be broken). A password hash is NOT an encrypted password. Fortunately my WP password is one I've used in the past, but I haven't used it anywhere else in many years, so I don't feel exposed. But if WP is using the sort of easily compromised password authentication system I described, then they need to change it somehow (assuming they can even find the code that runs the site).
The_Face_of_Boo
Veteran
Joined: 16 Jun 2010
Age: 41
Gender: Non-binary
Posts: 32,916
Location: Beirut, Lebanon.
I recall I orchestrated a coup d’état against my faction’s leader and his loyal members with a few other evildoers … I remember well, in a surprise betrayal attack we took over all bases of our main sector and all the laser turrets and nukes stacked in these bases, then used these turrets against them … the poor leader and his cronies abandoned the faction to form their own and became our sworn enemy. Ahh, those were the days.
Damn, that was really… evil.
Trust no one!
@MaxE - AFAIK the passwords here are only stored in a hashed or maybe encrypted form, so they can't be read by anyone. There is no plaintext record.
I could, and occasionally did in the cases of members locked out because they'd forgotten their password, change it - but I had no idea what their forgotten password actually was.
WRT our recent interloper - they had at least Admin access so were capable of changing anyone's profile and I think that did happen in a few cases. Notification of that change would not have been sent (that's standard behavior for an Admin-sourced change).
To be ultra safe - if you've used the password you use on WP anywhere else, change it there.
_________________
Giraffe: a ruminant with a view.
Last edited by Cornflake on 18 Jun 2023, 12:11 pm, edited 1 time in total.
The_Face_of_Boo
Veteran
Joined: 16 Jun 2010
Age: 41
Gender: Non-binary
Posts: 32,916
Location: Beirut, Lebanon.
i.e. bcrypt for node.js, which also provides “salting passwords” (adding X random characters before the hashing process to increase complexity).
Yes, it would be impossible to “decrypt” or guess a hashed+salted password stored in the DB; however, if the admin access to the DB is compromised and you know the salting length (from the backend’s source code, or just by trial and error; there’s only 14 of length max for salting), you can easily replace someone’s hashed password with one you generate on your own (there are plenty of online tools to generate that, i.e. https://bcrypt-generator.com/) without even knowing the original password. To avoid such a disaster, some security measures shall be taken to secure DB access (once a hacker has access to it = game over). alex’s only option would be to contact the hosting service and prove that his platform got compromised, or to host it on another server, all new, with the latest backend and more security to cut the losses.
So it is very possible that the WP hacker can’t read our passwords, but can easily replace them with his own hashes via sql mutations.
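The post above describes two things: why a salted hash cannot be reversed, and why someone with write access to the users table can still replace a stored hash with one they generated themselves. The script below is an added example (not code from Wrong Planet or from any library mentioned here) that reproduces both with Python's standard library, using PBKDF2 instead of bcrypt so it runs without extra packages. It also shows one defensive measure the thread does not cover: binding the stored hash to a server-side secret (a "pepper", here the assumed constant SERVER_PEPPER, which in a real deployment would live in the application's config or a secrets manager, never in the database). A hash produced by an outside tool lacks the pepper and is rejected, so DB write access alone no longer turns into an account takeover.

```python
import hashlib
import hmac
import os

# Assumed server-side secret, kept outside the database (placeholder value).
SERVER_PEPPER = b"example-pepper-replace-in-real-deployments"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor


def _derive(password: str, salt: bytes, pepper):
    """Slow salted hash of the password; with a pepper, the result is
    additionally keyed by HMAC so it cannot be reproduced without it."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if pepper is None:
        return dk
    return hmac.new(pepper, dk, "sha256").digest()


def hash_password(password: str, pepper=SERVER_PEPPER) -> dict:
    """Build the record that would be stored in the users table.
    A fresh random 16-byte salt is drawn for every user."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(password, salt, pepper).hex()}


def verify_password(password: str, record: dict, pepper=SERVER_PEPPER) -> bool:
    """Recompute from the stored salt and compare in constant time.
    The original password is never recoverable from the record."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    return hmac.compare_digest(_derive(password, salt, pepper), expected)


def attacker_overwrite(record: dict, new_password: str) -> dict:
    """The scenario from the post: someone who can write to the DB replaces a
    user's hash with one they computed themselves. They know the algorithm and
    can read the salt from the row, but they do not hold the server pepper."""
    salt = bytes.fromhex(record["salt"])
    return {"salt": record["salt"], "hash": _derive(new_password, salt, None).hex()}


if __name__ == "__main__":
    rec = hash_password("correct horse battery")
    print("legit login:", verify_password("correct horse battery", rec))
    forged = attacker_overwrite(rec, "attacker-chosen")
    # Unpeppered site: the forged row logs the attacker in.
    print("takeover, no pepper:", verify_password("attacker-chosen", forged, pepper=None))
    # Peppered site: the forged hash does not verify.
    print("takeover, with pepper:", verify_password("attacker-chosen", forged))
```

The pepper only helps if it is genuinely kept out of the database; an attacker who also reads the application's config gets it too. It is a complement to locking down DB access, not a substitute.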
The_Face_of_Boo
Veteran
Joined: 16 Jun 2010
Age: 41
Gender: Non-binary
Posts: 32,916
Location: Beirut, Lebanon.
One explanation I can think of: the fact that alex’s password was stolen, then recovered, then stolen again may be an indication that alex still has access to the DB and the hacker has no direct access to it. It is possible that he mutated alex’s password via “sql injection”; it is a hack technique that could work (especially on legacy sites) from the user’s input fields (such as the username or password fields) in the browser: the hacker writes a sql mutation query (or simply one to bypass the password check without even mutating anything) in the input field itself and submits it.
He or she could have found what we call a sql injection vulnerability to perform such an illegal query.
This dance may go on until alex finds the vulnerability and patches the source code.
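To make the "bypass the password check from the input field" idea above concrete, here is an added example (not code from Wrong Planet) using an in-memory SQLite database with two constructed user rows. `login_vulnerable` splices the submitted username straight into the SQL text, which is the defect that lets a crafted username end the WHERE clause early; `login_safe` is the same query written with bound parameters, so the database receives the username as data and never as SQL. The password column holds a plain SHA-256 here only to keep the focus on the query; a real site would use a salted slow hash.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users; values are made up."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "pw_hash TEXT, is_admin INTEGER)"
    )
    db.executemany(
        "INSERT INTO users (username, pw_hash, is_admin) VALUES (?, ?, ?)",
        [
            ("alex", hashlib.sha256(b"alex-secret").hexdigest(), 1),
            ("boo", hashlib.sha256(b"boo-secret").hexdigest(), 0),
        ],
    )
    return db


def login_vulnerable(db, username: str, password: str):
    """User input is concatenated into the statement. A username containing a
    quote and a SQL comment marker ends the statement before the hash check,
    so the password is never compared."""
    h = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + h + "'"
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username: str, password: str):
    """Same query with placeholders: the driver passes the username and hash
    as values, so no input can alter the statement's structure."""
    h = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, h),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    crafted = "alex' --"  # closes the quote, comments out the hash check
    print("vulnerable:", login_vulnerable(db, crafted, "not the password"))
    print("safe:", login_safe(db, crafted, "not the password"))
    print("safe, real credentials:", login_safe(db, "alex", "alex-secret"))
```

The fix is the parameter binding, not input filtering: the same statement shape works for UPDATE queries, which is what protects against the "replace the hash" mutation the earlier post worried about.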
Makes more sense now. I was always highly sceptical of the thought that somehow a load of unencrypted passwords were available, but this makes much more sense. I have been scratching my head over how it's possible to immigrate accounts and I thought it had been done via some other SQL commands. Still could be, but yours makes a bit more sense.
Indeed, sounds like a possibility, especially on "legacy sites," as you say.
To others here: For more about SQL injection vulnerabilities and how to prevent them, see W3Schools and Wikipedia.
_________________
- Autistic in NYC - Resources and new ideas for the autistic adult community in the New York City metro area.
- Autistic peer-led groups (via text-based chat, currently) led or facilitated by members of the Autistic Peer Leadership Group.
- My Twitter / "X" (new as of 2021)
I hope you are correct about this.
Alas, storage of passwords in plain text does occasionally happen on some sites/apps, including even some apps belonging to large-ish companies that ought to be able to afford to hire people who know better. I've encountered one electronic medical records system that stores passwords in plain text, even though that's a clear violation of HIPAA.
Anyhow, even with the best password hashing, there may still be other vulnerabilities (such as SQL injection).
_________________
- Autistic in NYC - Resources and new ideas for the autistic adult community in the New York City metro area.
- Autistic peer-led groups (via text-based chat, currently) led or facilitated by members of the Autistic Peer Leadership Group.
- My Twitter / "X" (new as of 2021)
With a nod to Boo who provided good information, but Mona's comment is most recent, we should all understand the difference between hashed and encrypted. My remarks were addressed to the issue of discovering one's password then using it to access other accounts e.g. a bank account. An encrypted password could be compromised by any South African teenager with an old iPhone. The NSA might be able to compromise a hashed password but they have bigger targets than WP to worry about.
As for SQL injection, there are tools that can be used to detect vulnerability to that by analyzing the source code. If the code is on GitHub it should be a routine matter. Boo should have a better idea how to go about it.
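The post above mentions tools that find SQL injection exposure by analysing source code. As an added example (not a tool Wrong Planet uses, and not a substitute for a real static analyser), the script below does the simplest version of that check for Python code: it parses a file with the `ast` module and flags every `execute`/`executemany` call whose first argument is built with an f-string, `+` concatenation, `%` formatting or `str.format`, following one level of simple assignment so `sql = ...; db.execute(sql)` is caught. `SAMPLE_SOURCE` is a constructed input containing three unsafe patterns and one parameterised query.

```python
import ast

# Constructed sample input: three dynamically built queries and one safe one.
SAMPLE_SOURCE = '''
def login(db, username, h):
    sql = "SELECT 1 FROM users WHERE username = '" + username + "' AND pw_hash = '" + h + "'"
    return db.execute(sql).fetchone()

def login_f(db, username, h):
    return db.execute(f"SELECT 1 FROM users WHERE username = '{username}'").fetchone()

def login_ok(db, username, h):
    return db.execute("SELECT 1 FROM users WHERE username = ? AND pw_hash = ?", (username, h)).fetchone()

def reset(db, username, new_hash):
    return db.execute("UPDATE users SET pw_hash = '%s' WHERE username = '%s'" % (new_hash, username))
'''


def _dynamic_kind(node):
    """Classify how a query string is being built, or None if it is not."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format"
    return None


def find_dynamic_queries(source: str) -> list:
    """Return (line number, construction kind) for each execute call whose
    SQL text is assembled from expressions rather than a constant."""
    tree = ast.parse(source)
    assigned = {}   # simple name -> value expression (no scope tracking; a demo simplification)
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            assigned[node.targets[0].id] = node.value
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            arg = node.args[0]
            if isinstance(arg, ast.Name) and arg.id in assigned:
                arg = assigned[arg.id]
            kind = _dynamic_kind(arg)
            if kind:
                findings.append((node.lineno, kind))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, kind in find_dynamic_queries(SAMPLE_SOURCE):
        print(f"line {lineno}: SQL built with {kind}; use bound parameters instead")
```

A scanner like this has no notion of whether the interpolated value is actually user-controlled, so it reports candidates to review rather than confirmed vulnerabilities; that is also how the commercial and open-source analysers behave, with more languages and data-flow tracking on top.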
Passwords are not stored in plaintext but it's always best practice to use a different password on every website just to be safe.
_________________
I'm Alex Plank, the founder of Wrong Planet. Follow me (Alex Plank) on Blue Sky: https://bsky.app/profile/alexplank.bsky.social
Thanks for the info. Good luck with finding and patching the vulnerability.
Hopefully also you'll be restoring the moderator team soon?
(In my opinion, Cornflake, Walrus, and magz were an excellent team of moderators.)
_________________
- Autistic in NYC - Resources and new ideas for the autistic adult community in the New York City metro area.
- Autistic peer-led groups (via text-based chat, currently) led or facilitated by members of the Autistic Peer Leadership Group.
- My Twitter / "X" (new as of 2021)
With respect to all those posting in this thread . . .
In the past, moderators have stated that the Moderator Attention thread is not for conversations between members. So, as a member, I can only suggest that we use this thread only to ". . . get help when you need it".
If further conversations on recent events are needed, please start another thread. Thank you.