Hello!
To use the forum, login or register above.
(If you are already logged in above, please click here)
Password security
It seems that The Other Site has had a hack threat and is currently offline.
I assume that all the sellers with accounts on both aren't using the same password, but might be worth a precautionary change just in case the worst happens.
I assume that all the sellers with accounts on both aren't using the same password, but might be worth a precautionary change just in case the worst happens.
Powered by Vanilla
Comments
Luckily i am no longer on that site, but maybe i should update the password here, just in case
I see a message on FB that the hackers want money or they will be purging stores.
Strange thing is that they only give 1 hour to only which seems a bit quick, not sure if ot's real or not.
For all syncers, make a backup copy of the last backup. At least BrickSync makes a backup with every order that is placed
On my own drive at least :-)
I can sell Lego other places, so it would not end me if something were to happen with brickowl.
But what and how brickowl is "secured" from something like this, would be nice to know 🙂
Stores can manage their backups here https://www.brickowl.com/mystore/inventory/backups
Maybe change your password at lego.com as well.
link it please?
Not to say that I disagree with leveraging a password manager - anything that keeps someone from writing passwords down or reusing the (more or less) same password on multiple sites is always a win.
This assumes that you're submitting passwords against a login page. That isn't how password cracking works (well, not for any real threat as a hacker). The general process is:
1. Hacker(s) obtain a copy of the database.
2. A lot of organizations fail to encrypt their databases at rest, so anyone can read the values stored in the database.
3. If there's a Users (or similar) table, there's one half of what's needed to access a user's account - their username. The next part is where the work begins - trying to determine what hashing algorithm was used to create the password hashes.
4. Using rainbow tables of common passwords (which usually includes previously-compromised passwords from other sites), a script will churn through the plaintext passwords in the rainbow table, hashing them and looking for the same hash in the stolen database. GPUs can repeat this process millions of times in a fairly short amount of time, so if the site used a fairly simple hashing algorithm (especially if it wasn't a hashing algorithm INTENDED for password protection), it's going to find matches within days, if not hours.
So, as an example, if I use, say, SHA1 on your "disneyPrincessArielisCute", I'll get a hash like "qe++n1dD6nx33wPuHE/PxnkTO1s=" when converted to Base64. If I see "qe++n1dD6nx33wPuHE/PxnkTO1s=" in a password field, then I now know that your application uses SHA1 as it's password hash and that your application doesn't salt (and hopefully pepper) user passwords. After that, I can just run my racks of GPUs against my copy of your database until I've found as many passwords as I want.
Does a user's password which is made of a randomly generated string require more work to recover? Sure, but not that much more. No random generator in any programming language is truly random, and if I'm a real threat as a hacker, then I know the most popular password generators and how they generate passwords, so I can create (or use) lists of probable passwords as part of my cracking routine.
Apologies if I'm coming off as a know-it-all - that's not my intent, nor am I any sort of expert. This is just stuff I have to be aware of and guard against as a software developer, and I generally assume it's better have some idea how stuff like this works than not.