Hacker News new | ask | show | jobs
by MattBearman 4823 days ago
Thanks for clarifying, good to see you're using a decent hashing algorithm :)

I'm still a little unsure of how you are able to know some users had their password compromised. Is it a simple case of finding successful log in attempts from the same IP address as attack?
1 comments
kpumuk 4823 days ago
Compromised != Hacked. To clarify: no accounts were accessed by the hackers, but small amount of account records have had passwords encrypted with outdated algorithm (basically SHA1 + salt), so we preemptively reset their passwords and sent out emails to all affected users.

This is how we define "compromised" - people which had their passwords hash with old algorithm, which is relatively easy to crack.

link
zwegner 4823 days ago
This seems to imply that many of (all?) the emails/encrypted passwords were leaked, but you don't consider most of them "compromised"...
link
sakai 4823 days ago
I'd like to echo this concern -- were all emails/encrypted passwords leaked, but you only consider those protected by outdated hashing schemes to be compromised?

If so, I feel you have an obligation to alert ALL of your users.

link
hackerguard 4819 days ago
Additional question: when did users first alert you to the hack?
link
pixelcort 4822 days ago
For the future, I wonder how useful it would be to run old hashed passwords through a newer system such as scrypt. This way those users who haven't logged in in awhile could also benefit from the safer hashed passwords.

    scrypt(hmac_sha1(password, salt), salt, cpumemargs)
In the future, you could even do it again with more cpu and memory requirements for scrypt, upgrading older users' hashes again with another run of scrypt.
link
nikcub 4822 days ago
that is a weird definition of compromised.

is it true that all, or greater than 1% of, emails and hashes were dumped?

I find it hard to believe you migrated 99% of passwords to a new scheme. I've never seen over 60%, and that is with a lot of prompting to users (and as as Scribd user i've never been prompted)

link
zwily 4822 days ago
The migration can be transparent, since the app has your plaintext password when you log in.

Alternatively, stored passwords can be upgraded by using the new scheme on the hold ashed password, and storing that that's how the password should be checked in the future.

Since not everyone was migrated, I'm assuming they went the first way.

link