Hacked SDMB

I just changed my password. The old one wasn’t used elsewhere, and certainly not for my email.

All passwords at the Dope since the solstice of 2013 have been lightly sautéed in truffle oil over a bed of artisanal arsenic and sprinkled with unicorn down before being placed in a nitrogen foam canister and squeezed onto individual crisps of quadrotriticale.

At least that’s what Ed told me.

Is it compatible with VBulletin? Would they be able to transfer the entire message archive to the new software? Would links to other posts still be guaranteed to work?

If it ain’t broke …

I first thought the e-mail announcement was a phishing e-mail because it contains two links purporting to point at URLs at boards.straightdope.com and www.straightdope.com, respectively, but really pointing at URLs under click.suntimesmail.com - this kind of thing usually is a hallmark of phishing.

The email I got about this displays a different URL than what it links to - that usually screams Phishing. What’s with that?

Link shows - http://boards.straightdope.com/sdmb/profile.php?do=editpassword

Link actually points to - http://click.suntimesmail.com/?ju=fe2015787d600d7e751377&ls=fdcd15717266007d7210747665&m=feef1178706c02&l=fe8f17767d64017474&s=fdf61571716d017b75157873&jb=ffcf14&t=
Also, having changed my password - what’s to say it won’t happen again?

So would the hackers. Publicizing this information isn’t a good security practice.

Exactly. I cannot emphasize this enough: USE A PASSWORD MANAGER. I use LastPass, and it took me 30 seconds to get and save a new password for this site. And since I use a different password on every site, I don’t have to worry about anywhere else being hacked.

Note that this is not a shill for LastPass. I understand Roboform, KeePass and others work just as well.

Ditto. If it was chicagoreader.com I would’ve believed it. But suntimesmail made me VERY suspicious.

I’m still trying to change my password directly, WITHOUT using that link.

Good for them! Well done, boys! You got me!

So when exactly did this take place? I literally changed my password last night, is it at risk?

Interestingly enough, I had some unauthorized charges from WalMart (which I haven’t ordered from in a few years) show up, prompting me to change passwords pretty much across the board yesterday.

A WHOIS search for suntimesmail.com revealed that it is owned by the Chicago Sun Times, Inc. In other words, it’s legit.

Check out this really interesting Wired article on password cracking. Salting helps a little, but not nearly as much as it used to since they’re not using rainbow tables any more, they’re brute force attacking using GPUs. (Also, I believe vBulletin stores the salts in the database in plain text, so if they got the database, they got the salts as well.) The success rate in that article is pretty astonishing: they cracked some seemingly strong passwords in minutes.

The biggest problem with vBulletin’s security is the use of MD5: you want something that takes a lot longer to process (relatively speaking), e.g. SHA512 with a bunch of iterations. It might take each user a second longer to log in, but it will reduce the number of guesses the cracker can make by several orders of magnitude.
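The point made in the two posts above (a fast hash like MD5 lets an attacker who holds the database try an enormous number of guesses per second, while a deliberately slow iterated hash cuts that rate by orders of magnitude, and the salt being visible in the database does not change that) can be shown with a short benchmark. This is an added illustration, not code from the thread or from vBulletin: the `fast_hash` function stands in for the fast-hash class of scheme rather than reproducing vBulletin's exact algorithm, the iteration count is an assumed value, and the record layout and function names are made up for the example.

```python
import hashlib
import hmac
import os
import time

# Work factor for the slow hash. This is an assumed illustration value; a real
# deployment tunes it so that one login costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 200_000


def fast_hash(password: str, salt: bytes) -> str:
    """One MD5 pass over salt + password: the fast-hash style the post criticises.
    (An illustration of the class of scheme, not vBulletin's exact algorithm.)"""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2 with HMAC-SHA-512: the work is repeated `iterations` times,
    so every guess an attacker makes costs that many times more."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations).hex()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build what the database would store: a random per-user salt, the iteration
    count and the hash. The salt is stored in the clear on purpose: its job is to
    stop one guess being reused against every user, not to be secret."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "iterations": iterations,
            "hash": slow_hash(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = slow_hash(password, salt, record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def guesses_per_second(hash_fn, budget_seconds: float = 0.25) -> float:
    """Measure how many guesses one CPU core can try per second with hash_fn.
    Models an attacker who holds the database (salts included) and tests
    candidate passwords offline."""
    salt = b"\x00" * 16  # constructed salt; the attacker already has it anyway
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget_seconds:
        hash_fn(f"guess{count}", salt)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    fast = guesses_per_second(fast_hash)
    slow = guesses_per_second(slow_hash)
    print(f"MD5-style:      {fast:>12,.0f} guesses/s")
    print(f"PBKDF2-SHA512:  {slow:>12,.1f} guesses/s")
    print(f"slowdown:       {fast / slow:,.0f}x with the salt equally visible in both cases")
```

The ratio printed is the number of guesses the attacker loses per unit of time by the change of hash alone; a GPU rig shifts both numbers up, but not the ratio, which is why the posts' point holds regardless of hardware.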

I guess now’s my chance to post something jerkish and claim it was really from someone else who hacked into my account. :slight_smile:

done :slight_smile:

Neither is security through obscurity. I guarantee you any would-be hackers already know far more about vBulletin password storage than anyone here.

I’ll second the use of a password manager – I recommend DashLane. It’s easy to set up, it will automatically grab all your stored passwords and guide you through changing them to something more secure. And they have relatively good apps for mobile devices, in addition to a good web interface and their main program.

I would never use a link in an email to change a password. It’s easy enough to just go to the site as you normally would and change it. Took two minutes tops.

Mr. Briston, please return to the Customer Service Desk. Your new excuse is ready for pick-up.

I can’t help feeling like using a password manager is storing all your eggs in one basket.

Neither would I, but I always have a look at what’s ‘underneath’ any links in emails I get that I’m even slightly suspicious about.

Correct, you’re OK to follow the links in the email.

But I note that this level of paranoia and verifying links in emails is quite healthy and a good practice to follow for everyone. Just get in the habit of taking the few extra seconds to type in a URL no matter how it looks. The dangerous ones are links with a subtle misspelling or things like switching a lowercase l and uppercase i, and you are likely to miss that with visual inspection.
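The two checks posters in this thread describe (the displayed URL not matching where the link actually goes, as in the announcement e-mail quoted earlier, and a host that differs from the real one by a lookalike character such as a lowercase l for an i) can both be automated. The checker below is an added example, not code from the thread or from the board: the trusted-domain list and function names are assumptions, the sample mail body is constructed (the first link mirrors the text/href mismatch quoted in the thread with the tracking parameters replaced by a placeholder, and the third link uses a made-up lookalike host), and the confusable-character table is a deliberately small one for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient expects mail from. Assumed list for this example.
TRUSTED_DOMAINS = ["straightdope.com"]

# Constructed sample HTML mail body (see the lead-in for what each link models).
SAMPLE_EMAIL_HTML = """
<p>Change your password: <a href="http://click.suntimesmail.com/?ju=PLACEHOLDER">
http://boards.straightdope.com/sdmb/profile.php?do=editpassword</a></p>
<p>Or go to <a href="http://boards.straightdope.com/sdmb/">the board</a> directly.</p>
<p>Support: <a href="http://boards.stralghtdope.com/login">http://boards.stralghtdope.com/login</a></p>
"""

_URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)
# Characters that look alike in many fonts, folded to one canonical form.
_CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l"})


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so wrapped link text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Lower-cased hostname of a URL; bare 'example.com/path' text is accepted too."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def skeleton(host: str) -> str:
    """Fold confusable characters so lookalike hosts collapse to the same string."""
    return host.lower().replace("rn", "m").translate(_CONFUSABLE)


def _in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyze_email_links(html: str, trusted_domains) -> list:
    """Return one result per link with the findings a cautious reader would want."""
    parser = _LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = host_of(href)
        findings = []
        # Check 1: the URL shown to the reader points somewhere else.
        if _URL_LIKE.match(text) and host_of(text) != host:
            findings.append(f"displayed URL host {host_of(text)} differs from href host {host}")
        # Check 2: untrusted host; is it a lookalike of a trusted domain?
        if not any(_in_domain(host, d) for d in trusted_domains):
            lookalikes = [d for d in trusted_domains if _in_domain(skeleton(host), skeleton(d))]
            if lookalikes:
                findings.append(f"lookalike of trusted domain {lookalikes[0]}")
            else:
                findings.append("host not in trusted list")
        results.append({"href": href, "text": text, "host": host, "findings": findings})
    return results


if __name__ == "__main__":
    for r in analyze_email_links(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS):
        status = "OK" if not r["findings"] else "; ".join(r["findings"])
        print(f"{r['host']:<28} {status}")
```

Run against the sample, the first link is flagged for the text/href mismatch (the same pattern that made posters here suspect phishing, and which in this case turned out to be a legitimate tracking domain), the second is clean, and the third is flagged as a lookalike even though its visible text and href agree, which is exactly the case the post above says visual inspection tends to miss.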