Techradar user database leaked - Time to change your passwords again..

[Rob_B]

*Sigh*

Another one chaps, you know the drill by now.

Important update regarding your TechRadar account

It has come to our attention that TechRadar's user registration database has been compromised. Unfortunately, user details including username, email address, date-of-birth and encrypted passwords have been stolen in the process. We are not aware of any misuse of this data but are taking action today to alert users as soon as has been possible.

Our IT team launched an investigation immediately and has identified the cause of the problem and taken action to rectify it. The forums have been closed and will remain closed until we are satisfied that there are no further issues and the forum can be safely restored to service.

In the meantime, although your TechRadar password is encrypted, we are contacting you today to let you know that if you use the same password on TechRadar for any other websites then we strongly advise you to change these passwords immediately.

We will contact you again shortly with instructions on how to update your password details for the TechRadar website.

We take the security of your data extremely seriously and we apologise for any inconvenience caused.

Yours faithfully,

Nick Merritt
Publisher, TechRadar

I did have two emails from Windows Live giving me a code to use for a forgotten password a couple of days ago, guess I know why that was now!

[Agent]

n the meantime, although your TechRadar password is encrypted, we are contacting you....

Do they actually mean hashed? and if so, were they salted?

Last.fm said the same thing - encrypted when they meant hashed without a salt. Big difference.

[iamlorro]

For those who think salted isn't as good as peppered, an explanation is here:
http://m.lifehacker.com/5919918/how-...-doesnt-matter

Apologies for mobile site link...

[CAT-THE-FIFTH]

Why am I thinking of steak and chips when all these password threads come up??

[finlay666]

For those who think salted isn't as good as peppered, an explanation is here:
http://lifehacker.com/5919918/how-yo...-doesnt-matter

Apologies for mobile site link...

Remove the m. for the regular one

And to outgeek you
http://www.troyhunt.com/2012/06/our-...o-clothes.html

That shows how quick even a salted sha1 password can be brute forced with a new GPU (uses the .Net standard membership provider but the principle remains for how easy it is when the hashing algorithm isn't up to scratch)

In fact in the time it takes to watch a couple of episodes of the Family Guy, we cracked 24,710 hashes or 63% of the total sample size. The remaining 37% just simply weren’t in the password dictionary but a larger dictionary and perhaps sitting through the Lord of The Rings trilogy and the rate of success would be a lot higher.

[TooNice]

Last.fm said the same thing - encrypted when they meant hashed without a salt. Big difference.

Last.FM was compromised? :/

Ah bugger. Is there any way of locally check if my password is on the list? I do not feel too comfortable using a tool like this: https://lastpass.com/lastfm

Another question.. How hard is it for webmasters to update the hashing functions as time / computing prowess / discovered weaknesses render previously solid functions obsolete?

[BobF64]

Another question.. How hard is it for webmasters to update the hashing functions as time / computing prowess / discovered weaknesses render previously solid functions obsolete?

Depends on the products they use, in theory its easy, but everyone has to reenter their passwords as hashes are one way.

[Bagnaj97]

Password length is key. Take your average short but easily memorized password, hash it and use the result as your password. For example if your password is hunter2 (fairly easily brute forced even if hashed and salted)

echo hunter2 | sha1sum -t

returns e0fee1adf795c84eec4735f039503eb18d9c35cc. If you use that as your password then it's hard to brute force due to length, but easyish for you to retrieve, just as long as you remember your base password! Of course if it's stored as plaintext then all bets are still off...