Good job.
By our host. We staff (myself especially) failed big time, had not brought SMF up to speed fast enough and had not pressured for *good* PWs enough...
I would guess that if they went after any password they could crack them. Of course, the more convoluted the password, the safer it is.
While right with the latter, I think we still suck (and I mean *suck*, capitally) with the first: You cannot, as an average hacker - not talking FBI, NSA or affiliates - crack a good PW "just like that".
The problem is that even I can crack 50% of the passwords on our site without much effort. Want to know how many members have "password" as password? 3 of 200... says it all. I also tripped, in my tests, over 31 (of 260 overall tested) PWs that use the user name in reverse as PW; how could a hacker not find that out in 0.1 sec? (First try: "username"/"password" in all combinations; 2nd try: all visible usernames with "password" as PW in all combinations; third try: visible usernames with "reverse username" as PW. Takes less than a second to try out with 200 members...)
OTOH, hacking the simple members is not the problem; hacking a member with admin rights is, and truly so: with admin rights you have access to the database, i.e. all emails of all members (and it seems this table has been downloaded to other sites by the same hacker, though our logs don't show anything in this respect; assuming for the moment that we were saved by the inherent security features we have been building up over the years). The problem is that there is almost always a user with the username "admin" on forums, as that is the standard first UN handed out, and hence also the first target for hackers, 99% success rate...
In any case the security we have for the site seems to have done exactly what we wanted it to.
It did, but it was not *our* security but *the host's*.
Again (I know I am repeating myself for the umpteenth time and tiring everybody, talking to a wall here, but these things *are* important and will be *more* important as we advance in time), while we ppl here try our best, this time the praise is only and all owed to our host (hostsuar.com). We staff ppl missed the attack and any responses completely; had they not alerted us we wouldn't even know about the hack. *They* caught it, and *they* fixed it; myself, I was only aware of the attack 10 days later (as you all know I am not around here as often anymore). My personal belief is that less than 1% of hosts available on the net will do that.
Thanks for everything you guys do to keep the site safe.
Good Hunting.
MR
We try (e.g. by finding an excellent host), but every pecuniary contribution also helps: these guys cost (not much, little for what especially *they* are doing for us, but in the end it has to be paid somehow; talking some 200+ Euros a year here). Any contributions welcome: see "Support WaT" on the front page.
Personally, I think all the money we have spent so far has proved to be the right investment (I know that ppl here feel that we should have an English-speaking host, but the way they treat us I have never seen with any host before, whatever language, and they understand enough English to be of more help than any US firm I know).
As far as the pure tech data goes, PMs are on the way; we have the whole thing deciphered by now.
So are we safe again?
Did the one responsible change his password?
No, and
No, PMs on the way to deal with the Lessons Learned.
Kind regards,
TA
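The guessing sequence described earlier in the thread ("password", the username itself, the username reversed, tried across every visible member name) is exactly what a staff member can run offline against the stored hashes before an attacker runs it online. The script below is an added example, not code from the thread or from SMF or the host; the hashing scheme (SHA-1 over lowercased username + password) and the member table are constructed assumptions for illustration, so substitute the forum software's real scheme and an export of the real user table.

```python
import hashlib

# ASSUMED hashing scheme for this example, not necessarily what the forum's
# software uses: sha1(lowercase(username) + password), hex digest.
def hash_password(username: str, password: str) -> str:
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def trivial_candidates(username: str) -> list[str]:
    """The three guesses from the thread ("password", the username, the
    username reversed), each in a few capitalisations, duplicates removed,
    in the order an attacker would try them."""
    seen: list[str] = []
    for base in ("password", username, username[::-1]):
        for variant in (base, base.lower(), base.capitalize(), base.upper()):
            if variant not in seen:
                seen.append(variant)
    return seen


def audit(accounts: dict[str, str]) -> dict[str, str]:
    """Return {username: matched_guess} for every account whose stored hash
    equals the hash of one of its trivial candidates."""
    hits: dict[str, str] = {}
    for user, stored in accounts.items():
        for guess in trivial_candidates(user):
            if hash_password(user, guess) == stored:
                hits[user] = guess
                break
    return hits


def default_admin_present(accounts: dict[str, str]) -> bool:
    """The thread's other point: a literal "admin" account is the first
    target, so flag it separately even if its password is strong."""
    return any(user.lower() == "admin" for user in accounts)


# Constructed sample member table (username -> stored hash); the passwords
# behind the hashes are chosen to show each guess type and one strong one.
SAMPLE_ACCOUNTS = {
    "admin": hash_password("admin", "Password"),        # capitalised "password"
    "hunter": hash_password("hunter", "retnuh"),        # username reversed
    "bjorn": hash_password("bjorn", "x9!Tq#4sL,mw"),    # strong, should not match
    "Waldi": hash_password("Waldi", "password"),        # literal "password"
}

if __name__ == "__main__":
    for user, guess in audit(SAMPLE_ACCOUNTS).items():
        print(f"WEAK  {user!r}: falls to guess {guess!r}")
    if default_admin_present(SAMPLE_ACCOUNTS):
        print("NOTE  a literal 'admin' account exists; rename it or lock it down")
```

The whole candidate set is at most a dozen guesses per member, which is why the thread's "under a second for 200 members" figure is realistic even online; running the same check offline lets staff force a password reset on the hits before that happens.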