Data breach?

This topic has been archived, and won't accept reply postings.
 Toerag 02 Aug 2021

I got asked to reset my password due to a possible data breach when I came on this morning. What's the score?

In reply to Toerag:

Sorry, there was an error in the code that showed that message to people that hadn't updated their password since last year. You didn't need to update yours but thanks for doing it anyway.

 Martin Hore 02 Aug 2021
In reply to Paul Phillips - UKC and UKH:

So just to confirm - there has been no data breach. I use the same password for UKC as I use for most other sites where I don't share sensitive personal or financial information. It's just a great deal simpler.

Many thanks

Martin

In reply to Martin Hore:

There's been no breach since the one announced last year: https://www.ukclimbing.com/news/2020/10/ukcukhrockfax_server_attack_-_infor...

 FactorXXX 02 Aug 2021
In reply to Paul Phillips - UKC and UKH:

> Sorry, there was an error in the code that showed that message to people that hadn't updated their password since last year. You didn't need to update yours but thanks for doing it anyway.

Thanks for the information and re-assurance that there isn't a problem.
However, to be on the safe side, I've changed mine from 'password' to 'password1'

In reply to FactorXXX:

One of the changes we've made since last year means you can't actually do that

Post edited at 15:22

 FactorXXX 02 Aug 2021
In reply to Paul Phillips - UKC and UKH:

> One of the changes we've made since last year means you can't actually do that

I appear to have out clevered myself... 🙄

OP Toerag 02 Aug 2021
In reply to Paul Phillips - UKC and UKH:

Cool ta

 Andypeak 02 Aug 2021
In reply to Toerag:

Well I've just changed my password to agdifGrsl1846@#;djtg. Try hacking that!

 Rob Exile Ward 02 Aug 2021
In reply to Andypeak:

Just let me take a peek at the spreadsheet where you store it, then I'll have a go.

 wercat 02 Aug 2021
In reply to Rob Exile Ward:

My little book uses veiled speech to describe how to construct the lengthy sequences - but the references needed to be understood are veiled references to stuff buried deep and very obscurely but quite unforgettably in my personal history - good luck with that

Post edited at 18:45
 Alkis 02 Aug 2021
In reply to wercat:

My approach, until I gave up because of all the bullshit rules websites seem to add, was VERY long passwords, all lower case English occasionally mixed with Greeklish, forming completely surreal sentences involving what the password is for. Impossible to forget because of how batshit insane they were and the website name being the reminder, and ridiculous entropy even with a dictionary attack, with 40 characters forget about it. Nowadays it's all randomly generated passwords in my password manager (which itself has a password like that) and even then it's incredible how many websites reject them for some moronic reason.

 mp3ferret 02 Aug 2021
In reply to Andypeak:

Unfortunately, even a 20 char password hash can be broken now. You can rent hardware that will crack it in just a few days / weeks - even with several iterations of the hash (which I'm sure our security conscious friends at ukc would have done).

The age of the password is pretty much over (when that password is stored as a hash). It's all about side channel access (e.g. your mobile) and true cryptographically secure keys (rsa / elliptic curve, etc).

 Alkis 02 Aug 2021
In reply to mp3ferret:

[Citation needed]. Depends on the hash used and whether it's salted.

Edit: that said, authenticating everywhere via asymmetric encryption keys would be far less of a clusterf*** than needing password managers to generate unique passwords everywhere... 

Post edited at 23:07
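
The dependence on hash type, salt and iteration count raised in the last two posts, worked through as an added example (not written by anyone in this thread, and not UKC's code). The guess rate, the PBKDF2 parameters and the sample password are assumptions chosen for illustration; the cost of one iterated guess is approximated as `iterations` fast hashes.

```python
import hashlib
import hmac
import math
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption for illustration only: 10^12 guesses per second against one
# fast, unsalted hash. This is not a measured figure.
ASSUMED_FAST_HASH_RATE = 1e12

def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols picked uniformly at random."""
    return length * math.log2(alphabet_size)

def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Expected years to find one secret: half the keyspace at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR

def hash_password(password: str, iterations: int = 600_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) with a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def compare(iterations: int = 600_000):
    """Rows of (label, bits, years vs fast hash, years vs iterated hash)."""
    slow_rate = ASSUMED_FAST_HASH_RATE / iterations  # approximation, see lead-in
    cases = [("8 random printable chars", keyspace_bits(8, 94)),
             ("20 random printable chars", keyspace_bits(20, 94)),
             ("6 random words from a 7776-word list", keyspace_bits(6, 7776))]
    return [(label, bits, years_to_search(bits, ASSUMED_FAST_HASH_RATE),
             years_to_search(bits, slow_rate)) for label, bits in cases]

if __name__ == "__main__":
    for label, bits, fast, slow in compare():
        print(f"{label:38s} {bits:6.1f} bits  fast: {fast:.2e} y  iterated: {slow:.2e} y")
    # Constructed sample password; low iteration count only to keep the demo quick.
    a = hash_password("constructed-sample", 1000)
    b = hash_password("constructed-sample", 1000)
    print("same password, different stored digests:", a[2] != b[2])
```

The figures only hold for passwords chosen uniformly at random; a reused or guessable password falls to a wordlist regardless of its length. The per-user salt is what stops one guess being checked against every stored hash at once.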
