Monday 12/17/2012 by sethadam1

PHISH.NET STEPS UP SECURITY

They say 80% of passwords on the internet are "weak" passwords. When sites use annoying guidelines like "you must have an uppercase character, a lowercase character, a number and a special character," it's not because the webmaster was feeling cruel and abusive and all powerful, but rather because he or she was trying to protect his users. Gaining access to a website with weak security is trivial. You want to protect your users' data, including their password, which may be their key for other websites too.

So here's your security 101: when you store data in a database, step 1 would be storing a password. Storing a password as plain text is not very secure and would certainly be problematic if someone unauthorized gained access. So to combat this, developers encrypted passwords. But passwords that can be decrypted are equally problematic, anyone who could get them could certainly decrypt them. So developers changed to one-way encryption: encrypt it, and then when you give me your password, I'll encrypt it again and see if it matches! Brilliant!

But computers got faster, and thus were born "rainbow tables." Essentially, hackers would start generating encrypted versions of dictionary words, common passwords, and other phrases, and these encrypted strings are known as hashes; when you got a list of encrypted passwords, you could compare them to your list of known hashes. Brilliant!

So developers struck back with "salts." Add some random stuff to the beginning or end of the password and encrypt it, thus rendering rainbow tables null and void. Unless, of course, someone gets your salt. Then what? You can't even decrypt the passwords yourself to re-encrypt them with a new salt. You have to force everyone to change their password.

With the not-too-long-ago release of some compromised passwords from a fellow Phish site, we decided to bump up our security efforts. Phish.net used to utilize a mix of SHA1 and MD5 encryption, fairly common cryptographic hashing functions. The challenge with these is that they are very fast - a computer processor can compute these hashes in microseconds, enough that one could hit a login form 10,000 times per second and just run through the dictionary. Knowing that weak passwords make up 80% of the accounts out there, just knowing usernames - something one could easily pull from, say, our forum - you'd probably be able to gain access to at least a few thousand accounts.

As a result, today, we switched to bcrypt for encryption. bcrypt is very slow (in computer terms). In fact, we actually slow our implementation down further. In other words, it still only takes a fraction of a second, far too little for a human to notice, but enough that a computerized attempt to gain access would be hindered by how long the response would take. The automation of such an action is severely handicapped by this slow encryption. Converting a list of the passwords from our database into something usable elsewhere would still be a mammoth task.

On the flip side of this, what if someone just keeps hitting your site trying to login? To combat this, on Phish.net, we implemented "rate limiting" some time ago. Too many failed attempts and the login process won't continue.

How can you take advantage of this? Simply login to Phish.net. The next time you login successfully, your password will be automatically converted to the new encryption.

If you liked this blog post, one way you could "like" it is to make a donation to The Mockingbird Foundation, the sponsor of Phish.net. Support music education for children, and you just might change the world.


Comments

, comment by Icculus
Icculus Adam, I cannot thank you enough for your ongoing and enormously important contributions to this site.

Wishing you and your family the best this holiday season,

charlie
, comment by Harpua418
Harpua418 Thanks for looking out for the users!
, comment by ZapRowsdower
ZapRowsdower I was hoping it would be llamas equipped with blastoplasts, but this computery stuff will do.
, comment by johnnyd
johnnyd Good lookin out, @sethadam1! Continued thanks for everything you do!
, comment by MiguelSanchez
MiguelSanchez if you're ramping up security, i would make a great bouncer!!

but seriously...

thank you @sethadam1! i saw that post with all the usernames/passwords. i'll be honest with you, i'm not very computer savvy, and it freaked me out. hell, you are computer savvy, and it looks like it gave you serious enough concern to make a change. by the way, good write up on the rational behind the security increase. simple enough that even i understood 75% of it!

you admins have a great holiday. i hope you all have your msg tickets and are looking forward to four burly shows in nyc!!
, comment by MiguelSanchez
MiguelSanchez @ZapRowsdower said:
I was hoping it would be llamas equipped with blastoplasts, but this computery stuff will do.
@jaydubya... always delivering the goods... love it
, comment by uctweezer
uctweezer Nice work dude. Just out of curiosity, which fellow Phish site was compromised?
, comment by jackl
jackl @uctweezer said:
Nice work dude. Just out of curiosity, which fellow Phish site was compromised?
I'll give you one guess :-)

Thanks, Adam, for all you do! You rock! Have a happy winter solstice holiday whatever you celebrate and a joyous new years run, everyone!
, comment by uctweezer
uctweezer PT? I didn't see anything about it. Curious to see if my L/P were leaked.
, comment by Phlat_Brim_Kid
Phlat_Brim_Kid Thanks @sethadam1 Keep up the good work bro!!!
, comment by Ian_cman
Ian_cman Thanks to @sethadam1 and the team for looking out for .net's security.

If only the VA would stop losing laptops with my information on it I would be set.
, comment by Jimmymac03
Jimmymac03 What could be gained by hacking our Phish.net info other than maybe a shot at the password working somewhere else as well? Anything?

Either way, thanks, of course.
, comment by forbin1
forbin1 Thanks again @sethadam1 for making this a cool place to hang out..
, comment by dyn0mite
dyn0mite Thanks .net. Remember fans the safest password is at least three words, each separated by a period. Number and capitals don't do that much to prevent someone who knows what they are doing. Logic can be found here: http://gizmodo.com/5829453/why-that-fancy-password-isnt-nearly-as-safe-as-you-thought
, comment by uctweezer
uctweezer @jackl said:
@uctweezer said:
Nice work dude. Just out of curiosity, which fellow Phish site was compromised?
I'll give you one guess :-)

Thanks, Adam, for all you do! You rock! Have a happy winter solstice holiday whatever you celebrate and a joyous new years run, everyone!
So... was it PT? Or .net?
, comment by MiguelSanchez
MiguelSanchez @uctweezer said:
@jackl said:
@uctweezer said:
Nice work dude. Just out of curiosity, which fellow Phish site was compromised?
I'll give you one guess :-)

Thanks, Adam, for all you do! You rock! Have a happy winter solstice holiday whatever you celebrate and a joyous new years run, everyone!
So... was it PT? Or .net?
well... it wasn't .net
, comment by Gallium
Gallium This site has blown me away through show stats, an amazing forum both simple in interface and loaded with features, and extremely well conceived databases.

It is totally not surprising to see such a major security upgrade implemented as a real time response in a user friendly way.

We are pretty lucky to have this kind of talent in our community. Thank You!
, comment by uctweezer
uctweezer @MiguelSanchez said:
@uctweezer said:
@jackl said:
@uctweezer said:
Nice work dude. Just out of curiosity, which fellow Phish site was compromised?
I'll give you one guess :-)

Thanks, Adam, for all you do! You rock! Have a happy winter solstice holiday whatever you celebrate and a joyous new years run, everyone!
So... was it PT? Or .net?
well... it wasn't .net
It sure doesn't seem like it, but I am curious to know if my password on another site has been compromised. And I can't find any other information about a leak...
, comment by uctweezer
uctweezer Nevermind, looks like maybe one person on PT got hacked. No leaks AFAIK.
, comment by _emil
_emil All this talk about hashes and salt has me craving some diner food. Great work Adam!
, comment by dirtydave420
dirtydave420 If some one wants to hack my phish.net account and steal my stats, then, they are welcome to it.
, comment by jackl
jackl The problem is if you're a lazy person like I used to be and used the same password on everything but "important" sites like my bank.

One morning I woke up and read a message that a new computer had logged into my FB account from Chicago, and an hour later, someone from Russia logged into my gmail, mac.com, changed the passwords, wiped out all my email, and started sending everyone on my contact list some email about "send me money, I owe some hotel in England money and they have my passport and i can't fly home". That's because someone got hacked, got my email and old password, and figured it would work on my other accounts. It did.

I got my accounts back by quickly contacting the providers and using the "got hacked" authentication site with the secret security questions. Never did get the wiped out mail back. And if you don't do that the first few hours, you're screwed, there's no way of ever getting those user names back and gmail et. al don't even have anyone you can contact and talk to about it (read forums on this). Luckily I got up at 6 am that day and the hack had only happened a couple hours earlier.

Now I have a different random strong password for every account, generated and tracked by a program called 1password. $50 but worth it.
, comment by mandyhou1
mandyhou1 Please watch to watch a good blue resin / silver seat sports Sun beauty. It is a good size that can be carried out carefully dial. I work INDIGLO. I disappear after 3 seconds. I have shown a significant improvement compared to the light source using a small keyboard.burberry sports watches I recently, 1BVCF AE1000W keyboard bought a digital sports watch black and white. Advantage, I am also Timex keyboard so you can easily find the Timex-time control of many of them.It's easy to wear this watch is very practical. Screen, and improved life line is very large. Travel to another time zone, in the heart of this second option, I know you can easily switch the display. The only drawback is that the light for a few seconds.burberry gold watch Group is safe and comfortable. The face of the watch is a very strong scratch. Some people function better (INDIGLO illuminationand alarm clock, stopwatch, etc.) such that the show! ......In the first watch I have owned this, because it is used in a variety of buttons, I have the time to read comfortably manual.It. Dual Zone function of time is my most favorite! Love the table. Prices are very reasonable. Excellent retention time.burberry men watch There are no scratches reliability, easy. Defeat. It is nice to work with. Check the time in the dark, I like the brightness. Easy-to-read large numbers.I can not go wrong if this price. Wearing a Timex 1440, in general, I have to stop working our mistakes and still my husband. With a couple, I am his third.watch burberry men I will be larger this number can be very comfortable to read the feelings of like a rubber tape. For several years, earning this screw is to replace the battery.Both regions, the keyboard has the advantage of multiple time zones, but has fallen into (330,165 " ;) T Double Layer keyboard Timex, If you do not have a point of how divers run horizontally?burberry sport watches It is the buyer actually super resin wrist relax very dark gray, Casio.Love black that, you know. Another, all desires and needs.It was delivered very quickly. It is very easy to set up and use and. Still, watch.Initial large set every day, his unlimited power Su~iun'nun Casio.burberry watches men I mines within three years and I love it. I do not expect at the end of the day, in the very hand, and can be obtained in the course of six months or more to make my Timex cars.I we are dependent on the working conditions Chin fake. I will keep the perfect time.It is not clear, I do not care with Bikaxiou Timex wrist more comfortable, especially. That is strong, I do not know the impact, the keyboard Timex. However, when viewed in consideration of about 2 hours of the same price, I prefer the keyboard.burberry watch gold It sounds simple does not wear a watch that I have seen so I watch.Exactly. Good behavior is a feature-rich. Oh, yes, very good prices start!Please buy a specialist (Golf Shop). Ned is easier to be able to read the digital clock. This watch has all the features I need. It is a good value. My husband and roses. If you lose the brakes and I scratch this, the army, he did nothing you want to watch cheap.burberry watches for men When she is not in violation of lasting value for the fourth year of my daughter's just really good, and I taught her was amazing :) give this table.kmr73l2hvj
You must be logged in to post a comment.
Support Phish.net & Mbird
Fun with Setlists
Check our Phish setlists and sideshow setlists!
Phish News
Subscribe to Phish-News for exclusive info while on tour!


Phish.net

Phish.net is a non-commercial project run by Phish fans and for Phish fans under the auspices of the all-volunteer, non-profit Mockingbird Foundation.

This project serves to compile, preserve, and protect encyclopedic information about Phish and their music.

Credits | Terms Of Use | Legal | DMCA

© 1990-2024  The Mockingbird Foundation, Inc. | Hosted by Linode