Hacked SDMB

Post-It notes are excellent for back-up. :smiley:

Wait a minute. Straightdope shows that I use an old yahoo account to communicate with the Straightdope. I do not have Yahoo set up on my phone to pop up messages as it's a junk email account. How did I get this message? From Tapatalk perhaps?

This is the straight dope. I guarantee there are people here who *are* hackers, and people who are experts on VBulletin security.

This is odd… it is not allowing me to reset my password. Every time I try, the screen sort of… jumps… before I have it entered fully and says the password does not match the one on record. What's going on??

Or just blurt them out to all the people you know.

The number of times a colleague has told me their password before I could finish saying…

“DON’T tell me your p…”

You dukey butt!
No, that wasn’t me!
wait a minute…

Did you try to do it directly from this board, or from the link in the email everyone seems to be getting?

I looked up the password storage in vBulletin 3 and everyone really should just assume their passwords are public knowledge at this point. Their hashing method is: MD5(MD5(password) + salt), where the salt is 3 random characters. I’m not particularly well-trained in crypto and I can spot 4 mistakes with this scheme: 1) the salt is small (and, as G points out, probably available to the hackers anyway), 2) the salt is appended (as opposed to prepended) to the final hash input, meaning that you have to do very little work to calculate all salted hashes for a given password you want to test, since the salt only provides a small delta on top of something you’ve already computed, 3) the salted string is not the raw password, but the result of a previous hash, which limits your input keyspace, 4) two rounds of MD5 is really not anywhere near up to snuff these days.
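To make the scheme in the post above concrete, here is an added illustration (not vBulletin's own code) of MD5(MD5(password) + salt) with a 3-character salt, beside a PBKDF2-HMAC-SHA256 replacement; the 62-character salt alphabet, the 16-byte salt and the iteration count are assumptions, not values from the thread.

```python
import hashlib
import hmac
import os
from typing import Optional

# vBulletin 3 scheme as the post describes it: MD5(MD5(password) + salt),
# salt = 3 characters. Re-created here for illustration only.

def inner_md5(password: str) -> str:
    """First round: MD5 of the raw password. Note it does not involve the
    salt at all, so it is computed once and reused for every salt value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def vb3_hash(password: str, salt: str) -> str:
    """Second round: MD5 of the inner hex digest with the salt appended."""
    if len(salt) != 3:
        raise ValueError("vBulletin 3 salt is 3 characters")
    return hashlib.md5((inner_md5(password) + salt).encode("utf-8")).hexdigest()

def vb3_verify(password: str, salt: str, stored: str) -> bool:
    return hmac.compare_digest(vb3_hash(password, salt), stored)

# Hardened form (assumed parameters): PBKDF2-HMAC-SHA256, 16-byte random salt,
# high iteration count, stored as a self-describing "$"-separated string so
# the salt and cost live next to the hash they belong to.

def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def salt_space(charset_size: int, length: int) -> int:
    """Distinct salts available: 62**3 for three alphanumerics versus
    256**16 for sixteen random bytes."""
    return charset_size ** length
```

In the hardened form the salt enters every one of the iterated HMAC rounds, so there is no salt-independent intermediate to precompute, which is the weakness the post's second point describes.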

I’d just like to say thank you to Cecil’s crew for the prompt notification.

Ha ha ha!! That’s what I just finished doing! :slight_smile:

If the administration doesn’t mind saying, how far did the hackers get? Did they just manage to discover a vBulletin exploit that let them generate a dump of the user table via HTTP, or did they actually get logged into the machine and access mysql directly?

Ditto. Can anyone offer a rebuttal?

Well, yes, but obscurity should still be a component of security. It’s of little use in this particular case because everyone knows what vBulletin uses, but in general it is still good practice to say as little as possible about your specific security design.

From the article you linked to:

And as a user of a hacked site, don’t worry about trying to determine if the site’s security was good enough to prevent your password from being compromised. Just assume your password is now known and change it immediately. It’s probably a safe assumption.

Best guess: you have the password stored in IE/Chrome/FF/whatever, so you type in your username, hit tab, and then it autofills your password, except that it’s happening slightly slowly and you’re already hand keying your password by then. So under the dots it says something like PasPasswordsword and of course that is not going to work. Try just putting in your username, hit tab, and wait a second to see if your password autofills.

It’s like saying “storing your money in a bank is like having all your eggs in one basket, that’s why I bury mine in random places in my backyard.”

The analogy may be factually true, but it doesn’t mean the analogy is a useful one. Password managers are thoroughly vetted, and are as secure as it gets right now. (short of a cumbersome manual one time pad system or a physical dongle of some kind, neither of which are terribly convenient). There may be holes in a password manager, but they are certainly orders of magnitude smaller than the holes in whatever system you are currently using. The folks behind them have zero access to your actual password.

JSexton, IT security professional

Wow. I wonder if this is related to the problems we’ve been having? Good job on the admins for telling us. Much better than A… certain company.

I’m also surprised. I knew we were among the top for certain Google searches, I thought there would be more popular, less secure forums out there than the SDMB. I’m almost flattered.

According to my little stats page, it has been almost two years since I logged in, but I have dutifully changed my password as instructed. I fear that even this brief visit will suck me back into SDMB quicksand and I shall waste way too much time here once again. (Sooo, how’s everyone doin’???)

No, it’s absolutely true that it’s storing all your eggs in one basket, but then again, the idea is that it’s a more secure basket than some random forum software written eons ago in internet years.

My primary concern when it comes to password managers is that I don’t necessarily trust anyone else. Not that I think LastPass is out to steal my passwords or something, but they could themselves have a security breach that exposes all their user data – which is stored on their servers. Now, they allegedly take care to prevent this by (supposedly) having all of your data encrypted by a unique key client-side before sending it to their servers, but I don’t know for certain that there aren’t holes in their scheme.

On the other hand, folks like LastPass and 1Password and KeePass and a handful of others are working pretty hard to make sure they’re a safe place to store your passwords, which is a lot more than you can say about most websites.

ETA: I should note that of these, I know KeePass doesn’t actually store your data (or at least it’s optional if they do). Your encrypted password database can be purely local and never leave your computer if you want. I just don’t like KeePass because their Mac version kind of blows.

I’m not talking about the people who work at the company that controls your password manager. I’m talking about the password that YOU use to USE the password manager. How impervious is that? And then, if someone gets the password to your password manager, can’t they then use it to get into your accounts?

ETA: Yeah, what spinky said.

I tried it both ways and it won’t let me enter ANYthing… it jumps when I try to enter the current password before it’s half in and says it doesn’t match the one on record.