NEWS: UKC/UKH/Rockfax Server Attack - Information for Users

 UKC/UKH News 16 Oct 2020

UKC/UKH/Rockfax has experienced an attack that has possibly resulted in a breach of data. We have outlined recommendations, along with some more information on what happened.



2
 chris_r 16 Oct 2020
In reply to UKC/UKH News:

Rockfax hacked?  Did they try to change the grade on Three Pebble Slab?

 dread-i 16 Oct 2020
In reply to UKC/UKH News:

Those are good comms. We know: what happened, when it happened, why it happened, what you are doing about it, what users should do about it, that card data is safe and the Information Commissioner has been informed

Some companies, with huge PR teams, could learn from that.

 remus Global Crag Moderator 16 Oct 2020
In reply to UKC/UKH News:

Thanks for the heads up. Not an ideal situation, but these things happen and the damage seems limited and your communication about the issue is refreshingly good.

 Red Rover 16 Oct 2020
In reply to UKC/UKH News:

Thanks for being so open about it.

 kaiser 16 Oct 2020
In reply to UKC/UKH News:

Does this explain the Great Barrington chatbot scandal?

 Sean Kelly 16 Oct 2020
In reply to UKC/UKH News:

Just the spur I needed to use a password manager. Life was becoming difficult to remember all my passwords in use. So thanks for the prompt.

 K Wall 16 Oct 2020
In reply to UKC/UKH News:

10/10 for the clear open explanation of the problem and giving it the prominence it deserves.

Post edited at 16:57
 Mr. Lee 16 Oct 2020
In reply to dread-i:

> Those are good comms. We know: what happened, when it happened, why it happened, what you are doing about it, what users should do about it, that card data is safe and the Information Commissioner has been informed

> Some companies, with huge pr teams, could learn from that.

Or the BMC maybe. 

Blanche DuBois 16 Oct 2020
In reply to UKC/UKH News:

"If you have used your UKC password on other sites, we strongly recommend you change these. We would also suggest using a password manager to ensure you use a unique password for every site."

No doubt I'll be shouted down by the resident sycophants, but there's a certain irony in being offered security advice in this context.

60
 sebastien 16 Oct 2020
In reply to Blanche DuBois:

A shame there is not a third button option, "ignore"...

Post edited at 18:20
4
 ptrickey 16 Oct 2020
In reply to UKC/UKH News:

Will I get a free E6 tick as compensation for the data breach?

 bouldery bits 16 Oct 2020
In reply to Mr. Lee:

> Or the BMC maybe. 

LOL

Nempnett Thrubwell 16 Oct 2020
In reply to K Wall:

> 10/10 for the clear open explanation of the problem and giving it the prominence it deserves.

An email might have helped though.

How many users are only going to find out about this when they next visit the site next week? 

The story is now 4th in the news items on the home page.

 robert-hutton 16 Oct 2020
In reply to UKC/UKH News:

Have changed password on UKC, but now not able to login on Rockfax android app?

Cleared cache and storage but no use?

In reply to robert-hutton:

Hi Robert,

Sorry about that. We're taking a look at this now and will be back with you shortly.

Regards,
Martin

 Frank R. 16 Oct 2020
In reply to UKC/UKH News:

Ouch! Good luck with the mitigation. 

Good communication of the breach. Concise, detailed, technical enough, if only that was the norm... And you were pretty upfront about it, unlike e.g. Garmin (of course, I know it's a different story, theirs was a corp ransomware infection and they probably had to pay a hefty ransom, even though everybody denied it later).

Only thing missing yet is an e-mail to all, not everybody checks UKC homepage so often, but I guess that is in the works.

I hope the competition system review finds some satisfactory solution. I imagine the address requirement was to prevent "farming" of the comps with multiple accounts, but that could still be circumvented by virtual addresses and post forwarding services, unless you filtered those (though that would exclude some UKC members abroad, unwilling to provide e.g. a friend's UK address). Still, address requirement and storage (especially connected to e-mail) is a risk today. Perhaps using something like OpenID to prevent farming? Although I have no idea how secure it is actually.

Post edited at 19:51
 Frank R. 16 Oct 2020
In reply to Blanche DuBois:

If you mean it sincerely, as in it would be useful to remind new users right on the registration screen to "use a password manager to ensure you use a unique and strong password for every site", then yes, perhaps.

But a lot of users would just ignore any reminder. While you probably could require a truly random password (by some check for randomness), that could in itself disqualify these passwords that aren't mathematically random, but are still very strong and memorable like randomly constructed word phrases, and wouldn't guard against password reuse at all.

If you mean it ironically, sorry, then no. It is a standard reminder and a breach is actually the best context to be reminded to use it, since most people just ignore all the offered advice when creating their password the first time.

Not a sycophant I hope. BTW, do you use one? Just curious

Post edited at 20:06
In reply to robert-hutton:

Hi Robert,

The issue should now be resolved so you can try logging in again.

Apologies

Cheers,
Martin

Post edited at 20:08
 robert-hutton 16 Oct 2020
In reply to Martin McKenna - Rockfax:

Done and all sorted, " thanks"

 mattrm 16 Oct 2020
In reply to UKC/UKH News:

Well done on an excellently handled breach.  Extra points for mentioning Troy Hunt.

To those of you looking to get a password manager, I can strongly recommend bitwarden - https://bitwarden.com/

In reply to UKC/UKH News:

Can this post be made 'sticky' for a week so that it remains on top of the forums and ensures maximum visibility for users?

T.

 alx 16 Oct 2020
In reply to UKC/UKH News:

The hackers changed the grade of TPS! E2 6a for the onsight

In reply to Pursued by a bear:

If you're logged in and haven't updated your password since the announcement, then there's a big banner at the top of every page now asking you to update your password and has a link to the news post in it too.

In reply to UKC/UKH News:

Thank you for this information UKC/UKH peeps.  

Have changed my password now.  

In reply to Frank R.:

> Only thing missing yet is an e-mail to all, not everybody checks UKC homepage so often, but I guess that is in the works.

Yes, that's in the works. We've been kinda busy the last couple of days sifting through logs and checking files on the server to sort it out. We'll probably be sending over 90,000 by the time it gets sent so it'll take a day or so to set up.

 FactorXXX 16 Oct 2020
In reply to Mountain Spirit:

> Thank you for this information UKC/UKH peeps.  
> Have changed my password now.  

What have you changed it too?

1
 Frank R. 16 Oct 2020
In reply to Paul Phillips - UKC and UKH:

Yep, I can quite understand that!

 Alkis 16 Oct 2020
In reply to Paul Phillips - UKC and UKH:

For reference, that was not working at the time you posted this message. I have now reset my password so I can't check again, but I cleared the cache, restarted the browser etc. and there was no banner.

 Sir Chasm 16 Oct 2020
In reply to FactorXXX:

> What have you changed it too?

Yes, he has changed it. I've changed it too. 

 Oceanrower 16 Oct 2020
In reply to Paul Phillips - UKC and UKH:

> If you're logged in and haven't updated your password since the announcement, then there's a big banner at the top of every page now asking you to update your password and has a link to the news post in it too.

Nope. No there isn't!

 FactorXXX 16 Oct 2020
In reply to Sir Chasm:

> Yes, he has changed it. I've changed it too. 

Well done.
What have you changed it to?

 Frank R. 16 Oct 2020
In reply to FactorXXX:

Password1234, that's what I use everywhere, what's yours?

 FactorXXX 16 Oct 2020
In reply to Frank R.:

> Password1234, that's what I use everywhere, what's yours?

That's the same as mine!
Think I might change it to PassWord1234 for extra security.

 Sir Chasm 16 Oct 2020
In reply to FactorXXX:

2totoototoo2. I find it easy to remember.

 FactorXXX 16 Oct 2020
In reply to Sir Chasm:

> 2totoototoo2. I find it easy to remember.

Stop being so perdantic, I made a simple error by hitting the 'o' key once tooo often... 🙄

 Niall_H 16 Oct 2020
In reply to FactorXXX:

For proper security, you should make it   PassWord12345   : the extra digit makes all the difference.

In reply to Alkis:

Yeah, sorted that. Cheers Alkis.

 Sir Chasm 16 Oct 2020
In reply to FactorXXX:

Aw, I'm only having a bit of fin.

 FactorXXX 16 Oct 2020
In reply to Niall_H:

> For proper security, you should make it   PassWord12345   : the extra digit makes all the difference.

Thanks for the information.
I've now done it for UKC and will change the rest of the sites I visit later on to be in the same format, etc. as I find just having the single password so much easier and convenient.
As you're obviously an expert on such matters, is it worth adding an extra digit for my Bank so as to make it different to the other ones?

 FactorXXX 16 Oct 2020
In reply to Sir Chasm:

> Aw, I'm only having a bit of fin.

So was I until you came along... 😀

1
 The Pylon King 16 Oct 2020
In reply to UKC/UKH News:

Everyone's logbooks data been stolen?

 felt 17 Oct 2020
In reply to UKC/UKH News:

Rockhax

 Mr. Lee 17 Oct 2020
In reply to The Pylon King:

> Everyone's logbooks data been stolen?

Those with hidden logbooks must be concerned. Faced with the choice of paying the ransom emails, else risking publication of the sordid facts. 

 Tallie 17 Oct 2020
In reply to UKC/UKH News:

I've changed my password but have lost access to the Rockfax App.  I can log in to UKC with the new password.

I get the following error message when I try to log in to the app: An unknown error occurred: -1016

 GrantM 17 Oct 2020
In reply to UKC/UKH News:

I see there's a button to generate strong passwords on the password reset page, I wouldn't recommend using this on a site that's had a recent security breach.

8
In reply to The Pylon King:

The logbook database is close to 2GB now (8.2 million rows), they took less than 30MB as far as we can tell. I'm pretty sure your hidden logs are safe

In reply to Tallie:

Hi Tallie,

I'll drop you an email just now so we can get to the bottom of this.

Cheers, 

Martin

In reply to GrantM:

The function that generates the random string for the new password is only 5 lines of code. There is no problem using that although we'd recommend using a password manager to generate a random one as mentioned in the News post.

We haven't detected any additional or changed files on the main UKC or UKH sites but we're still going through them. The database was accessed via our https://advertising.ukclimbing.com/ sub-domain.

We've been monitoring outbound connections from the old server to see if they had left something behind but it looks good so far.

Post edited at 10:02
 Guy Maccdox 17 Oct 2020
In reply to Paul Phillips - UKC and UKH:

> The logbook database is close to 2GB now (8.2 million rows)...

Wow, I remember when they first came out, they've certainly been a massive success! 

I reckon a fair few passwords could be cracked by brute force using a list of the owner's logbook and wishlists' entries though 😂 

 GrantM 17 Oct 2020
In reply to Paul Phillips - UKC and UKH:

> The function that generates the random string for the new password is only 5 lines of code. There is no problem using that

Hopefully not a random string, that could produce a weak password.

12
In reply to GrantM:

It produces a 16 digit string comprising numbers, lowercase and uppercase letters.

A long, completely random string is far more secure than a word list like 4 random words or something like that. These are attacked using dictionary attacks instead of pure brute force.

Try putting any of the codes that button generates in here for a quick example: https://www.betterbuys.com/estimating-password-cracking-times/

When you get above 10 random digits it's basically impossible to crack on currently available hardware.

Post edited at 10:46
1
 TimKnight 17 Oct 2020
In reply to UKC/UKH News:

Thanks for the clear comms, contrasts sharply to some much larger companies who hold significantly more of my personal data

Clauso 17 Oct 2020
In reply to UKC/UKH News:

For added security, I personally use Tooth-Factor Authentication alongside all of my passwords. I always ensure that I bite my device before attempting to login. 

1
 Iamgregp 17 Oct 2020
In reply to UKC/UKH News:

Nice one for communicating this clearly and all that but, to be clear, this shouldn’t have happened and you’ve really let yourselves and your users down by allowing this to happen.

I, like many other users I’m sure, use the same password here as I do on dozens of sites, even systems that I use in my professional life and have done for years so this, to put it mildly, is a f*cking shitty thing to have happened.

43
 GrantM 17 Oct 2020
In reply to Paul Phillips - UKC and UKH:

'123456' and 'password' could be produced by random string generators, randomness does not guarantee a strong password. 

15
 FactorXXX 17 Oct 2020
In reply to GrantM:

> '123456' and 'password' could be produced by random string generators, randomness does not guarantee a strong password. 

Why not go on such a password generator and see how long it takes? ⏱

 pneame 17 Oct 2020
In reply to Paul Phillips - UKC and UKH:

> Try putting any of the codes that button generates in here for a quick example: https://www.betterbuys.com/estimating-password-cracking-times/

Well that is interesting - 123456789 cracks pretty quickly, but add ! to the end and it becomes difficult. As is often the case xkcd has a thought - https://xkcd.com/936/ (attached, I hope)

Apocryphally, correcthorsebatterystaple has become one of those "let's try this" things along with xyzzy, birthdays, name of dog, children's names and 123456789


 


In reply to FactorXXX:

The very secure password Google generated for me. 

 Lemony 17 Oct 2020
In reply to GrantM:

A 16 digit string with upper and lower case letters and digits has 47672401706823533450263330816 possible combinations.

There will be billions of potentially human readable or patterned strings in there but that doesn't mean that they're not secure and even though there are billions of them they're still almost comically unlikely at the scales of data that UKC is ever likely to generate. If there are a trillion "obvious" strings then it's still a 1 in 47672401706823533 shot that you'll hit one.
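The search-space arithmetic behind the 16-character generator and the 62^16 figure above, as an added example that is not from any of the posts. It also puts a 4-random-word passphrase beside it for comparison; the 1e10 guesses/second attacker rate is a constructed assumption for illustration, not a measurement.

```python
import math
import secrets
import string

# Alphabet matching the generator described in the thread: digits plus
# lower- and upper-case letters (62 symbols), 16 characters long.
ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase
LENGTH = 16

# Assumed attacker guess rate for the estimate below: 1e10 hashes/second.
# Constructed figure for illustration only.
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = LENGTH, alphabet: str = ALPHABET) -> str:
    """Return a password drawn uniformly using the CSPRNG-backed secrets module.

    random.choice() would be the wrong tool here: its state is not secret and
    its output is predictable, whereas secrets.choice() uses the OS entropy
    source.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(symbols: int, length: int) -> int:
    """Number of distinct strings of `length` drawn from `symbols` choices."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: length * log2(symbols)."""
    return length * math.log2(symbols)


def expected_years_to_crack(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time in years for an exhaustive search that succeeds, on
    average, after trying half the space at `rate` guesses per second."""
    return (space / 2) / rate / SECONDS_PER_YEAR


def compare_schemes() -> dict:
    """Search space, entropy and crack-time estimate for:
    - the 16-char alphanumeric generator from the thread;
    - a 4-word passphrase drawn from a 7776-word (diceware-size) list, where
      the attacker knows the scheme and guesses whole words, not letters.
    """
    out = {}
    for name, symbols, length in (
        ("16 alnum chars", len(ALPHABET), LENGTH),
        ("4 random words (7776-word list)", 7776, 4),
    ):
        space = search_space(symbols, length)
        out[name] = {
            "space": space,
            "bits": round(entropy_bits(symbols, length), 2),
            "years": expected_years_to_crack(space),
        }
    return out


if __name__ == "__main__":
    print("sample:", generate_password())
    for name, stats in compare_schemes().items():
        print(f"{name}: {stats['space']} possibilities, "
              f"{stats['bits']} bits, ~{stats['years']:.3g} years at 1e10/s")
```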

 GrantM 17 Oct 2020
In reply to UKC/UKH News:

Regardless of how secure your password is, your data was still potentially compromised on this site due to server side vulnerabilities.

6
 j616s 17 Oct 2020
In reply to UKC/UKH News:

Why do so many posts in this thread say "hunter2"?

 ChrisJD 17 Oct 2020
In reply to GrantM:

The hackers were most likely after email & password combos as lots of people use the same combo across many sites; the hackers will then go off and try their luck using that combo on more lucrative website logins (or sell the combo to others to do the same: pwned).

I know that my email and old passwords are out there on the dark web - regularly get spam emails telling me my email and an old password (along with some threat or request for Bitcoin).

Was listening to a R4 program about web security, and the two main (easy) things users can do are:

1. Not use the same password across sites

2. Use two-factor (or multi) authentication if offered.

Various options to check if your email-password combo has been stolen. e.g:

https://www.avast.com/hackcheck/

In reply to pneame:

This is a good video on what makes a strong password. He references that image.

youtube.com/watch?v=3NjQ9b3pgIg&

 Ssshhh 17 Oct 2020
In reply to Paul Phillips - UKC and UKH:

Is UKC actually registered with the ICO?

I have never found a registration for UKC/Rockfax.

I cannot think why it would be exempt based on its processing and purposes.

 Niall_H 17 Oct 2020
In reply to Paul Phillips - UKC and UKH:

I'm still going to use this as an excuse for why all my really good climbs aren't in my logbook - hackers deleted them

 pneame 17 Oct 2020
In reply to Paul Phillips - UKC and UKH:

Thanks for that - it is good. Even though I'm fairly happy with my approach, it is always good to get a refresher. It's interesting that my passwords for various sites that require a change every 3 months (appalling security) where I use a dreadful strategy for changing them are actually quite good. These sites usually have some dreadful criteria (eight characters and no more etc etc) designed by some dinosaur from 15 years ago and never updated to allow for "slightly" more powerful computers.  

 Rob Parsons 17 Oct 2020
In reply to Iamgregp:

> Nice one for communicating this clearly and all that but, to be clear, this shouldn’t have happened and you’ve really let yourselves and your users down by allowing this to happen.

I'm not defending Rockfax here, but shit happens, the Internet's a dangerous place, and even very well maintained systems can get compromised.

> I, like many other users I’m sure, use the same password here as I do on dozens of sites, even systems that I use in my professional life and have done for years so this

That is very bad practice, and is routinely advised against.

 ChrisJD 17 Oct 2020
In reply to Iamgregp:

> I, like many other users I’m sure, use the same password here as I do on dozens of sites, even systems that I use in my professional life and have done for years so this

You shouldn't do this and you’ve really let yourself down by allowing this to happen.

 dread-i 17 Oct 2020
In reply to Lemony:

> A 16 digit string with upper and lower case letters and digits has 47672401706823533450263330816 possible combinations.

Yes and no.

"The passwords in our database were stored in a secure format - salted and hashed in accordance with industry standards"

A hashed password uses a one way mathematical function. Although the algorithm is publicly available, you can't reverse it to get the password.

In this case the word dog, gets translated into that big long string below.

$ echo dog |shasum -a 256
b6d8423f6d3423aa233428ab590600486926cf3cd673ab5879d0d36e2dab2671

What the hacker will do is get a word list with tens or hundreds of millions of words, including lists of previously cracked passwords. They hash each word. When their hash matches the password hash, they know the word that created the password hash.

However, what UKC have done is salt the hash. This adds some extra info to the password, to prevent such attacks. In this case we've added 3ps=hvs++ as a salt. The string is the same length, but completely different.

echo 3ps=hvs++dog |shasum -a 256
45daff7fe76d207bf07ec62d8366cad800bb0c308c10f4c00ba4929215451eae

Generally speaking, one would only try and crack using a relatively short list. A graphic card can do millions of hashes per second. But you wouldn't try and brute force every variation.

If you really wanted to crack that hash, there are rainbow tables. Someone has already pre-computed hashes. You simply look up your hash, in their table. Hash tables get very, very big. A commercial one probably won't have all the available hashes for every ascii variation between 1 and 16 characters or more. A nation state will.

You can test that dog example below. Paste the hash into the green box.

https://md5hashing.net/hash/sha256
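The salting argument above, worked through in code as an added example that is not part of dread-i's post: a precomputed table finds a weak unsalted password instantly, a per-user salt makes that table useless and gives two users with the same password different hashes, but the attacker can still re-hash a word list against one user's salt, so a weak password still falls. The word list and the 16-character "strong" password are constructed inputs.

```python
import hashlib
import secrets

# Constructed attacker word list standing in for the "tens or hundreds of
# millions of words" a real cracking list would contain.
WORDLIST = ["123456", "password", "dog", "cat", "Password1234", "hunter2"]


def sha256_hex(data: str) -> str:
    """Hex SHA-256 of a string. Note the shell example in the post hashes
    'dog\\n', because echo appends a newline; shasum never saw the bare 'dog'."""
    return hashlib.sha256(data.encode()).hexdigest()


def hash_password(password: str, salt: str) -> str:
    """Salted hash in the same salt+password layout as the post's example.
    Production systems use a deliberately slow KDF (bcrypt, scrypt, Argon2)
    rather than one fast SHA-256; the salting principle shown here is the same."""
    return sha256_hex(salt + password)


def new_salt(nbytes: int = 16) -> str:
    """Fresh random per-user salt from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


def build_table(wordlist, salt: str = "") -> dict:
    """Precompute hash -> word for a word list: a tiny stand-in for a
    rainbow table. Built once, reused against every stolen hash."""
    return {hash_password(w, salt): w for w in wordlist}


def lookup(target_hash: str, table: dict):
    """Instant lookup; only matches if the table was built with the same salt."""
    return table.get(target_hash)


def crack_salted(target_hash: str, salt: str, wordlist):
    """Per-user dictionary attack: the salt is stored beside the hash, so the
    attacker knows it, but every candidate must be re-hashed for this one user.
    The precomputation no longer amortises across users."""
    for w in wordlist:
        if hash_password(w, salt) == target_hash:
            return w
    return None


def demo() -> dict:
    """Run the four cases the post describes and return the outcomes."""
    unsalted = sha256_hex("dog")
    table = build_table(WORDLIST)            # attacker's unsalted table
    salt_a, salt_b = new_salt(), new_salt()
    h_a = hash_password("dog", salt_a)       # user A, password 'dog'
    h_b = hash_password("dog", salt_b)       # user B, same password
    strong = hash_password("kQ9v2L8bXz4nT1pW", salt_a)  # constructed 16-char pw
    return {
        "unsalted_found": lookup(unsalted, table),           # 'dog'
        "salted_in_table": lookup(h_a, table),               # None
        "same_pw_same_hash": h_a == h_b,                     # False
        "salted_per_user": crack_salted(h_a, salt_a, WORDLIST),  # 'dog'
        "strong_pw": crack_salted(strong, salt_a, WORDLIST),     # None
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```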

 GrantM 17 Oct 2020
In reply to UKC/UKH News:

"After our server changeover earlier this week, the enhanced security flagged a suspicious file in the codebase on our advertising site. An investigation revealed it was malicious code (a backdoor) that enabled the attacker to access the UKC codebase and database."

Sounds like this exploit has been running for a while and only came to light because they moved to a server with effective security. I think that raises a red flag about the suitability of the existing security policy on UKC.

15
 Iamgregp 17 Oct 2020
In reply to ChrisJD:

Agreed, this is a silly thing to do, though it’s only myself put at risk through my bad practice.
 

Ukc/Rockfax is managing other people’s data.

10
 Iamgregp 17 Oct 2020
In reply to Rob Parsons:

> I'm not defending Rockfax here, but shit happens, the Internet's a dangerous place, and even very well maintained systems can get compromised.

Yes these things can happen (though to my knowledge this is the only site I’m signed up to where it has) but when they do I think users may feel pissed off?  

Sorry if my immediate response isn’t to make jokes and laugh it off but that’s just not how I feel, particularly as the breach happened months ago and we’re only just finding out now.

My missus and I once had our identities stolen (not because of passwords before anyone starts!) was not fun at all.

7
 Lemony 17 Oct 2020
In reply to dread-i:

My point wasn't really about the security as such, in part because I didn't want to write as much as you did (good explanation by the way), but more the daftness of saying "don't trust a random number generator because '12345' can be random."

It reminds me of my old boss who required a massive, 30+ table DB lookup to do uniqueness checks on guids before we attempted DB writes even though we pointed out that the best way to check guid uniqueness was to assume they were unique because it's more likely that a glitch in the collision check happens than an actual collision.

 Rob Parsons 17 Oct 2020
In reply to Iamgregp:

> Sorry if my immediate response isn’t to make jokes and laugh it off but that’s just not how I feel, particularly as the breach happened months ago and we’re only just finding out now.

Nobody's laughing it off. And the gap between initial breach and detection is not unusual - look at recent high profile cases

If you are seriously exercised by this incident, then of course you should make an official complaint to the ICO - further moaning here is futile.

 Frank R. 17 Oct 2020
In reply to pneame:

> These sites usually have some dreadful criteria (eight characters and no more etc etc) designed by some dinosaur from 15 years ago and never updated to allow for "slightly" more powerful computers.  

Yes, some old sites' limits are just awful - and possibly a security risk in itself.

Once I accidentally broke a new modem from my internet provider just by changing the default "admin/admin" password. I never thought I'd ever see a buffer overflow from a pretty normal password length of something like 24 characters! The buffoons from my ISP shipped "new" modems with years-old firmware, depending only on online FW update once it got connected (yes, the problem was patched out in later FW). Unfortunately, the first thing to do with a new modem is of course to change the default password before it ever connects to the internet, which I did and nearly bricked it...

 Alkis 17 Oct 2020
In reply to Frank R.:

> Yes, some old sites limits are just awful - and possibly a security risk in itself.

For a long while I used to make unique passwords based on all lower case English. *Very* long, very surreal, word playing on what the password is for and usually offensive too. Xkcd style passwords on steroids basically. It was a game I loved to play with my brain, being surreal nonsense I could recall them well. Someone might think that a dictionary attack would be helpful here, but I would *love* to see a dictionary attack succeed on 50 character long passwords and even a phrase dictionary wouldn't come up with that shit.

I gave up and got a password manager after practically every website started trying to enforce entropy via other means, these super long passwords become impossible to remember if you have to start inserting numbers and symbols in them. Also, it is really rather surprising how many systems enforce a maximum password length, which is a bit of a WTF.

Also, banks and their stupid crap, use a good password and *good luck* working out what the second, fifth and sixteenth character is in it, it's as if they want people to use crap passwords.

Post edited at 22:59
 Frank R. 17 Oct 2020
In reply to Alkis:

Yes, I hate that "bank" crap! The worst was in my last corp job - some dumb "IT" manager ("IT" in quotes since he obviously didn't understand anything of it) trying to climb the ladder enforced password changes every two months. I couldn't believe it. Guess what, everybody just started to use really shitty passwords or post-it notes...

A password manager with truly random passwords for each and every website and one random phrase as the master password is probably the best now. With two factor authentication. Good 2FA systems let you keep one time pad recovery codes in a secure location (physically printed, preferably), in case you ever forget the master password or lose your phone or whatever token the 2FA system uses.

Post edited at 23:37
 GrantM 18 Oct 2020
In reply to UKC/UKH News:

Bear in mind that the hackers had access to the codebase as well as the database, modifying code files would give them the passwords as they are typed in when you log on - ie before any hashing function has been performed. 

4
 mattrm 18 Oct 2020
In reply to j616s:

> Why do so many posts in this thread say "hunter2"?

I've been wondering that as well. 

How does my password show up?  It's "supersekritpassw0rd"

1
In reply to GrantM:

> Bear in mind that the hackers had access to the codebase as well as the database, modifying code files would give them the passwords as they are typed in when you log on - ie before any hashing function has been performed.

This didn't happen. They uploaded a file on 28th July to https://advertising.ukclimbing.com/, accessed it for less than an hour and the file hasn't been accessed since. There was only a small amount of data transferred but the amount is consistent with browsing the filesystem to get database credentials, finding the user database then downloading name, email, hash and salt. We've been monitoring outbound connections on the old server in case a rootkit was installed and it looks clear. We have a log that records changes to the filesystem each day that we can go through to check what was changed and when. There were zero changes to the codebase for UKC and UKH from all the checks so far.

If half of what you're speculating above had happened, this announcement would be very different. We are doing it out of an overabundance of caution. I am 99.99999999999999% sure the password hash they [could've] got from this breach for my password will never be cracked. It would take thousands of years to crack on the latest hardware.

Post edited at 11:11
 abarro81 18 Oct 2020
In reply to UKC/UKH News:

Interestingly, over the summer something in Chrome told me to change my password any time I went to a site where the password I'd used was the same as UKC..  so I guess Google somehow knew about this way back? Unless that was unrelated (I can't remember the date it started doing that)...

 Frank R. 18 Oct 2020
In reply to Paul Phillips - UKC and UKH:

These are good tools and worth mentioning. Even though you might be following today's best advice and practices for years, you might have been pwned a decade ago on some obscure little forgotten forum you can't even remember now, back when the approach to data security was much more laissez-faire.

However these sites still don't report the breach, not even in their RSS feeds and lists of breached domains (to explain - that is different from searching them by your e-mail address, as the login e-mail must have been already leaked publicly in some pastebin or darknet forum for HIBP to register it, while a website can notify them of their breach and it will appear in a list of breached websites, without disclosing to HIBP any list of user e-mail addresses, as that might itself be obviously "in breach" of GDPR or other UK privacy laws relevant now, if there are any left...).

Since HIBP is used by Firefox's Monitor feature to warn users of possible breaches (although not sure if they do check by the visited domain as well or check just for matching leaked e-mail addresses, I haven't looked into the API exactly), have they been notified as well? Thanks

Post edited at 17:34
 gekitsu 18 Oct 2020
In reply to dread-i:

> Those are good comms. We know: what happened, when it happened, why it happened, what you are doing about it, what users should do about it, that card data is safe and the Information Commissioner has been informed

word!

especially heartening: reviewing what data is saved and whether it needs to be saved. that’s just nice to read in an age where everybody hogs all the data they can get their grubby fingers on.

 Dominic Green 18 Oct 2020

Thanks for being so clear in communicating the details of what happened and when. I can’t really agree with the one or two attempts at a rather forced sense of outrage, much bigger companies have been caught out far more seriously than has happened here (as has been said already):-

https://www.techradar.com/news/the-10-biggest-data-breaches-of-all-time

no, to be honest, I’m pretty reassured by the details and there are some very helpful suggestions in this thread. 

1
 Toerag 18 Oct 2020
In reply to Paul Phillips - UKC and UKH:

> This didn't happen. They uploaded a file on 28th July to https://advertising.ukclimbing.com/, accessed it for less than an hour and the file hasn't been accessed since.

How did they upload a file? Surely access to FTP on your server requires a username and password?

 Toerag 18 Oct 2020
In reply to Alkis:

>  Also, banks and their stupid crap, use a good password and *good luck* working out what the second, fifth and sixteenth character is in it, it's as if they want people to use crap passwords.

My bank won't even allow me to use anything other than letters and digits!

 FactorXXX 18 Oct 2020
In reply to Alkis:

> Also, banks and their stupid crap, use a good password and *good luck* working out what the second, fifth and sixteenth character is in it, it's as if they want people to use crap passwords.

My Bank uses such a system, but also has two more levels of Security before you get to that stage.
I assume that would make it extremely difficult for someone to hack into your account?
 

 Toerag 18 Oct 2020
In reply to pneame:

> Well that is interesting - 123456789 cracks pretty quickly, but add ! to the end and it becomes difficult. As is often the case xkcd has a thought - https://xkcd.com/936/ (attached, I hope)

> Apocryphally, correcthorsebatterystaple has become one of those "lets try this" things along with xyzzy, birthdays, name of dog, children's names and 123456789


The more characters you have in your password the harder it is to crack, but as soon as you start using words you become vulnerable to a dictionary-based attack, and each word effectively becomes a character as the hacking system looks for combinations of words first. The problem is that systems are enforcing long passwords and the solution most users are using to remember them is passphrases which then become vulnerable to dictionary attacks.

The best password in my opinion is a passphrase without any words. You need a long phrase such as a film quote or song lyric e.g. "You give love a bad name". Take the first and last letter of each word - yugeleabdne, add some capitalisation (only vowels to make it easy to remember), punctuation and a digit or two to satisfy the site's rules and voila! !1yUgElEAbdnE1! - a 15 character password which is memorable to you, yet contains nothing that would make it vulnerable to a dictionary attack. You could easily pad it out with extra digits e.g. !111yUgElEAbdnE111! to massively increase its complexity without increasing its guessability. Use an obscure lyric to further improve your chances.

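Toerag's recipe as an added example, in Python; this is not code from the post, and the policy check at the end is my own assumption about a typical site rule. It takes the lyric from the post, keeps the first and last letter of each word, upper-cases only the vowels and pads with the post's digits and punctuation.

```python
import string

VOWELS = set("aeiou")
PUNCT = set(string.punctuation)


def first_last_letters(phrase: str) -> str:
    """First and last letter of every word, lower-cased.

    A one-letter word ("a") contributes itself once, which is how the post
    gets 'yugeleabdne' from "You give love a bad name".
    """
    parts = []
    for word in phrase.split():
        letters = "".join(ch for ch in word if ch.isalpha()).lower()
        if not letters:
            continue
        parts.append(letters if len(letters) == 1 else letters[0] + letters[-1])
    return "".join(parts)


def capitalise_vowels(core: str) -> str:
    """The post's memorability rule: only the vowels are upper-cased."""
    return "".join(ch.upper() if ch in VOWELS else ch for ch in core)


def derive_password(phrase: str, prefix: str = "!1", suffix: str = "1!") -> str:
    """Full recipe: initials -> vowel capitalisation -> padding with digits and punctuation."""
    return prefix + capitalise_vowels(first_last_letters(phrase)) + suffix


def meets_policy(password: str, min_len: int = 12) -> bool:
    """Assumed site rule: a minimum length plus one character from each class."""
    return (
        len(password) >= min_len
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in PUNCT for c in password)
    )


if __name__ == "__main__":
    lyric = "You give love a bad name"        # the lyric used in the post
    pw = derive_password(lyric)
    print(pw, len(pw), meets_policy(pw))      # !1yUgElEAbdnE1! 15 True
```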
In reply to Paul Phillips - UKC and UKH:

> If you're logged in and haven't updated your password since the announcement, then there's a big banner at the top of every page now asking you to update your password and has a link to the news post in it too.

I have updated my password, and logged out and in again, and I still get a big banner on every page telling me to do it again. Can I make it stop? I'm good now.

 Alkis 19 Oct 2020
In reply to Toerag:

The thing to remember is that when a dictionary attack is run, it will check for individual words and common phrases. The fact that each word becomes a character is irrelevant as the combinations for any sentence that is completely made up and not common/predictable are beyond astronomical. Grammar reduces entropy, but even then a 30-40 character password that consists of 10 words is not going to be cracked, period. There is no way for a dictionary attack, or any other brute force attack for that matter, to know it's "along the right lines", it's just not crackable.

In short: including words in your password does not make it less secure. Having a longer password that is only words is not going to be vulnerable to a dictionary attack that will finish before the end of the universe, the search space is too large, much much bigger than a character search for a password of half the length that has no words in it.

Edit 2: Obviously using a common phrase that loads of other people have used in their password (whether you know it or not) is *exactly* the sort of thing a dictionary attack is made for and if you wanted to use such a phrase a technique like what you've outlined would work. However, you could make up some surreal nonsense instead.

Edit 3: Thisisthebesrukcpasswordbecauseitispurpleandstinksofpoo
you would not forget that and I can guarantee it is not gonna be checked by a dictionary attack. Well, not before now perhaps... 😆

Post edited at 01:50
In reply to Toerag:

Interesting idea but haven't you just provided a 'crib' by publishing your idea on a public forum?

Post edited at 02:20
 Mr. Lee 19 Oct 2020
In reply to abarro81:

> Interestingly, over the summer something in Chrome told me to change my password any time I went to a site where the password I'd used was the same as UKC..  so I guess Google somehow knew about this way back? Unless that was unrelated (I can't remember the date it started doing that)...

Google flags any duplicate passwords. Nothing to do with the UKC hack. Login to Google Passwords and you'll see the Password Checker, which lists all the weak and duplicate passwords. Worth taking the time to clear this list. 

 GrantM 19 Oct 2020
In reply to Paul Phillips - UKC and UKH:

OK so the breach happened on 28th July, when did you become aware of it?

 GrantM 19 Oct 2020
In reply to Mr. Lee:

Google also issues a warning if you've used a site that's had a data breach

https://www.wired.co.uk/article/google-password-checkup#:~:text=Google%20wi....

 Mike-W-99 19 Oct 2020
In reply to Toerag:

> How did they upload a file? surely access to FTP on your server requires a username and password?

This -> "There was a vulnerability in an upload plugin on the server that allowed malicious code to be uploaded and executed. "

 GrantM 19 Oct 2020
In reply to UKC/UKH News:

What happens to data after a breach:

https://www.secplicity.org/2017/05/18/stolen-hackers-data/

 Dave Todd 19 Oct 2020
In reply to GrantM:

> OK so the breach happened on 28th July, when did you become aware of it?

First bullet point in the article...

'We learned about the breach on 15 October 2020'

Have you read the article?

 StuPoo2 19 Oct 2020
In reply to UKC/UKH News:

For those of you boring enough to enjoy the maths of passwords. 

Let's start basic.  Imagine you could only use binary (1's or 0's) for your password. 

  • A 1 character binary alphabet (1 or 0) password could either be '1' or '0' i.e. there are 2x options.  Hint this is 2 to the power 1.
  • A 2 character binary alphabet (1 or 0) password could either be '00', '01', '10' or '11' i.e. there are 4x options.  Hint this is 2 to the power 2.
  • A 3 character binary alphabet (1 or 0) password could either be 000, 001, 010, 011, 100, 101, 110, 111 i.e. there are 8x options.  Hint this is 2 to the power 3.

The pattern here is that it is "The size of the alphabet" to the power "the length of the password".

It follows therefore that there are 2x levers you can pull to increase the number of possible password combinations - A) the size of the alphabet or B) the length of the password.

Let's try something more complex.  Imagine your alphabet was increased to include A) all numbers =  0-9 = 10, B) all lower case characters = a-z = 26, C) all upper case characters = A-Z = 26 and D) special characters from the top numbered row of a UK keyboard = !-) = 10.  Total size of the alphabet = 10 + 26 + 26 + 10 = 72

  • A 1 character password made up from alphabet of 72 characters would have 72 possible values.  72 to the power 1.
  • A 2 character password made up from an alphabet of 72 characters would have 5184 possible values.  72 to the power 2.
  • A 5 character password made up from an alphabet of 72 characters would have 1934917632 possible values.  72 to the power 5.
  • A 10 character password made up from an alphabet of 72 characters would have 3743906242624487424 possible values.  72 to the power 10.

Let's get even more complex and introduce the idea of a "salt" and a hashing algorithm. 

Salt:  Put simply a salt is a distinct (MUST BE DISTINCT) string tagged onto your password before its hashed and stored.  A salt has 2x purposes:

  1. To handle the situation where 2x users choose the same password.  
  2. To, largely, eliminate the idea that your password can be brute forced using a rainbow table.

Hash Algorithm:  A one way (This is THE key bit) mathematical formula that converts your password into a random string that cannot be reversed i.e. if you have the password you can compute the hash, but if you have the hash you cannot compute the password.  It is a 1 way transformation .. it isn't bidirectional.

Complex example.

  • Bob.  Bob chooses a password = Password123!"£ ... great looks pretty strong.
  • Alice.  Alice also chooses the password = Password123!"£ ... oh dear Bob has already chosen that password - we don't want that.
  • UKC generates a salt for both Bob and Alice.  (FYI .. a salt isn't secret .. it just needs to be random and not used by any other user of the site.  Obviously ... don't want to hand it out ... but mathematically - it doesn't need to be kept secret)
  • Bob's salt = asdf1234%
  • Alice's salt = jkl;5678(
  • UKC concatenates Bob's and Alice's passwords to their salts.
  • Bob's new password = Password123!"£asdf1234%
  • Alice's new password = Password123!"£jkl;5678(
  • Wooohoo ... both users now have different passwords (whether they like it or not).
  • Next .. UKC hashes their password.
  • Let's assume UKC using something standard like SHA256 [1]
  • Bob's new password as a hash = DDF6E9ACF30FC9567B6475B64921C1446EAC9667267B1AD72B2C8DDA144E27E4
  • Alice's new password as a hash = C83AC76B29F968DA7B829B93D13550196C1149D95C687F21339E97931DAC3A2D
  • Wooop ... even though Alice and Bob both started with the same password ... we've ended with 2x totally different hashes!! 
  • Next step.  UKC stores these hashes in their Database - this is important!!!!!  Most websites don't store your password, most websites store the hash of your password.  Remember ... it's a one way calculation (in theory).  If you have the hash - you cannot reverse the formula to get back to the password.  By that definition .. most websites have no idea what your password is. (As it should be!)
  • Next time Alice logs in she inputs her user name and password = Password123!"£, UKC retrieves her salt = jkl;5678( and concatenates it to her password, then hashes the string using SHA256. 
  • UKC gets the same hash as before ... which means .... Alice must be who she says she is - and gets let in to update her enormous tick list!
  • If however the resultant hash computed for Alice didn't match the hash UKC has on record for her .. then either she has forgotten her password or is a baddie.  Result = give Alice 10x more tries and if she doesn't get it - lock the account and direct her to the password reset page.

The addition of both a salt and an industry standard proven and approved hash algorithm to website password security makes guessing a password exceptionally challenging for all but the largest state actors with the most powerful of machines.  

With all due respect to anyone worrying about an attacker stealing the UKC password ... A) UKC ought not to know your password (per above) and B) any attacker who has managed to steal the password hashes ... now has the very boring, time consuming and expensive job of trying to crack them.  And for what??? To find out your private tick list????

To reiterate what others have said:

  1. Never ever ever ever ever use the same password on more than 1x website.  Ever.  Period.
  2. Use a strong and long password every time.  Numbers, lower case letters, upper case letters and special characters.  The longer the better.
  3. If you want to get a bit wild ... try segregating your life into different email accounts.  Try 1x for UKC and a different 1x for banking.
  4. Some websites (banking in particular) allow you to use a different dedicated email address for password resets only .  If offered - use it.  But NEVER EVER EVER use this email address for anything other than password resets. 
  5. If you use your email as a login anywhere, periodically burning email addresses isn't a bad idea.  Try something like "emailaddress1@gmail.com", then "emailaddress2@gmail.com" etc ...

The trick is not to think about "if" a website gets hacked but "when".  Everyone gets it eventually.  Even the great of UKC. 

End.  Enjoy!

[1] https://passwordsgenerator.net/sha256-hash-generator/ 

Post edited at 13:51
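The register-and-login flow from the walkthrough above, as an added example in Python (standard library only). It is not UKC's code; the two usernames, the example salts and the lockout after 10 failed tries come from the post, and everything else (the function names, the PBKDF2 work factor, the record layout) is my assumption. It keeps the post's salt-then-SHA-256 construction for Bob and Alice so the two different hashes can be seen, and stores the account through PBKDF2-HMAC-SHA256 instead. The caveat a practitioner would add: plain SHA-256 is designed to be fast, so an attacker holding the table (which contains the salts) can test enormous numbers of salted guesses per second on a GPU; a password-specific KDF such as PBKDF2, bcrypt, scrypt or Argon2 makes every guess cost the attacker roughly what one login costs the site.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune it to the hardware you run on
MAX_FAILED_TRIES = 10         # lockout threshold from the post


def sha256_salted(password: str, salt: str) -> str:
    """The post's construction: SHA-256(password || salt), hex encoded."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Same inputs through PBKDF2-HMAC-SHA256, which is deliberately slow per guess."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations)
    return key.hex()


def new_salt() -> str:
    """Random per-user salt: not secret, but it must be unique for every user."""
    return secrets.token_hex(16)


def register(users: dict, username: str, password: str, salt: str = "") -> None:
    """Store the salt, the work factor and the hash. The password itself is never stored."""
    salt = salt or new_salt()
    users[username] = {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": pbkdf2_salted(password, salt),
        "failed": 0,
        "locked": False,
    }


def login(users: dict, username: str, password: str) -> bool:
    """Recompute the hash from the submitted password and compare it in constant time."""
    record = users.get(username)
    if record is None or record["locked"]:
        return False
    candidate = pbkdf2_salted(password, record["salt"], record["iterations"])
    if hmac.compare_digest(candidate, record["hash"]):
        record["failed"] = 0
        return True
    record["failed"] += 1
    if record["failed"] >= MAX_FAILED_TRIES:
        record["locked"] = True   # the post's "lock the account and direct her to the reset page"
    return False


def crack_sha256(stolen_hash: str, salt: str, wordlist) -> Optional[str]:
    """What an attacker holding a stolen table does: the salt is in the table too,
    so each guess costs one fast SHA-256. Only the password's unpredictability helps."""
    for guess in wordlist:
        if sha256_salted(guess, salt) == stolen_hash:
            return guess
    return None


if __name__ == "__main__":
    shared = 'Password123!"£'                          # both users pick the post's password
    bob_salt, alice_salt = "asdf1234%", "jkl;5678("    # the post's example salts
    print("Bob   ", sha256_salted(shared, bob_salt))
    print("Alice ", sha256_salted(shared, alice_salt))

    users = {}
    register(users, "alice", shared, alice_salt)
    print("login with right password:", login(users, "alice", shared))
    print("login with wrong password:", login(users, "alice", "Password123"))

    # constructed mini wordlist; the shared password is in it, so a fast hash falls at once
    print("cracked:", crack_sha256(sha256_salted(shared, bob_salt), bob_salt,
                                   ["123456789", "password", shared]))
```

Run it and the two SHA-256 lines differ even though the password is identical, which is the whole job of the salt; `crack_sha256` then shows that the salt does nothing against a targeted guess once the table has leaked, which is why the slow KDF and an unpredictable password both matter.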
 ChrisJD 19 Oct 2020
In reply to StuPoo2:

Thanks Stu, that was kind of awesome.

In reply to StuPoo2:

Woah, what a post. Excellent explanation!

cb294 19 Oct 2020
In reply to StuPoo2:

> Use a strong and long password every time.  Numbers, lower case letters, upper case letters and special characters.  The longer the better.

This is one I don't understand. It is clear to me why ALLOWING additional characters would expand the search space for a potential attacker, but not why limiting yourself to, say, numbers or letters only makes the password more readily guessable*.

Especially with shortish passwords, knowing that at least one character must be uppercase, one a number and one a different alphanumeric character actually seems to shrink the search space.

Genuinely interested,

CB

*unless experience tells you that people using only letters are typically also lazy and use phrases that are guessable using dictionary approaches, which should be easily countered by making the password five digits longer

 remus Global Crag Moderator 19 Oct 2020
In reply to cb294:

> Especially with shortish passwords, knowing that at least one character must be uppercase, one a number and one a different alphanumeric character actually seems to shrink the search space.

It does, and particularly because people tend to think along the lines of 'Oh, my usual password bob123 doesn't work and it says I need a capital letter, so I'll use Bob123'. That is, people tend to put the special characters, upper case letters and whatever else is specified by the rules in predictable places which then reduces the amount of searching you have to do.

On the other hand, as a system admin you have to balance this against the harm of people using crap passwords if you don't specify some rules.

The current trend is (rightly imo) against using rules as experience has shown that people will tend to do the minimum possible to satisfy the rules.

In reply to StuPoo2:

(Apologies in advance if this has been covered up the thread but I had a quick look and can't see it)
Also, and this is very much an *also* in addition to what Stu says, do the 'plus trick' if you use gmail.
StuPoo+ukc@gmail.com, StuPoo+facebook@gmail.com and StuPoo+mybank@gmail.com will all end up in the inbox of StuPoo@gmail.com
It's not really any more security, and it'll do nothing if an actual person is doing things manually (if that's the case they're out to get you and you're probably knackered), but it's an extra life in the game against simple credential reuse across sites. Has the added benefit that you can see whodunit when someone sells your details to spammers.
More info: https://danq.me/2017/09/26/gmail-plus/

 StuPoo2 19 Oct 2020
In reply to cb294:

> This is one I don't understand. It is clear to me why ALLOWING  additional characters would expand the search space for a potential attacker, but not why limiting youself to, say numbers or letters only makes the password more readily guessable*.

> *unless experience tells you that people using only letters are typically also lazy and use phrases that are guessable using dictionary approaches, which should be easily countered by making the password five digits longer

The trick here is to think like an attacker.  Software engineers are inherently lazy (I am allowed to say that as one) ... we always look to do things with the least amount of effort humanly possible.

Imagine you had a website that had a password and there were no rules on password complexity other than max length = 32.  Like above, assume the alphabet = 72 (for simplicity), then the search space = 72 to the power 32 = 2.7204445973673520186989292010512e+59.  Insanely massive.

Now imagine you knew a little bit more information about the people who used that website [1].  The website password complexity rules haven't changed, but through whatever means you've learned some information about common password practices.  Let's say you've learned:

  1. The average password length = 9.6 characters [1]
  2. Average number of upper case = 1.1 characters [1]
  3. Average number of lower case = 6.1 characters [1]
  4. Average number of numerics = 2.2 [1]
  5. Average number of special = 0.2 [1]

Now ... you no longer have to search the entire universe.  You start by changing your random password code to only generate passwords of length 9 or 10 chopping right there billions off the universe.  Next you only generate random passwords with 1 or 2 upper case in them.  Then only with 6 or 7 lower case and with only 2 or 3 numeric.  Finally .. you might want to drop the specials altogether because, clearly, no one is using them.  The effect of this is that if you know that people aren't using complex passwords .. then you don't need to search even a fraction as long or as hard to crack it.  This is exactly what they do.  Not only that .. they know what all the common passwords are .. so they start by running them first. [2]

Like many things in life ... the old saying "how fast do you need to run to get away from a Lion" comes to mind.  Ans = faster than your friend.  This is true in online security too.  No one wants to waste time trying to crack the password for the guy who has used the full 32 length, totally random (no dictionary words), special characters, upper and lower case and numerics.  They focus on the sheep ... the guys who use 'password', 'Password', 'Password12345', 'qwerty' etc.  And once they've cracked enough of them .. they move on before they get caught.

Cheers

[1] https://resources.infosecinstitute.com/beyond-password-length-complexity/

[2] https://www.safetydetectives.com/blog/the-most-hacked-passwords-in-the-worl...
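The counting in both of StuPoo2's posts, as an added example that is not part of the thread (Python; the 72-character alphabet and the "average password" figures are taken from the posts, the function names and the ranges are my assumptions). `search_space` is the alphabet size to the power of the length; `constrained_space` counts only the passwords an attacker would generate after learning the composition statistics in the second post (length 9 or 10, one or two upper case, six or seven lower case, two or three digits, no specials), by summing multinomial(n; u, l, d) * 26^u * 26^l * 10^d over every composition that fits; `at_least_one_from` counts the passwords of a given length that contain at least one character from one class, the constraint discussed in the replies, so the reader can compare it with the full space.

```python
from math import factorial, log2, prod

# the post's alphabet: digits, lower case, upper case, and the ten top-row symbols
DIGITS, LOWER, UPPER, SPECIAL = 10, 26, 26, 10
ALPHABET = DIGITS + LOWER + UPPER + SPECIAL          # 72


def search_space(alphabet_size: int, length: int) -> int:
    """The post's rule: size of the alphabet to the power of the length."""
    return alphabet_size ** length


def bits(count: int) -> float:
    """The same number expressed as bits of entropy (for a uniformly random choice)."""
    return log2(count)


def multinomial(*counts: int) -> int:
    """Arrangements of a password with the given number of characters per class."""
    return factorial(sum(counts)) // prod(factorial(c) for c in counts)


def composition_space(upper: int, lower: int, digits: int, special: int = 0) -> int:
    """Passwords containing exactly this many characters of each class."""
    return (multinomial(upper, lower, digits, special)
            * UPPER ** upper * LOWER ** lower * DIGITS ** digits * SPECIAL ** special)


def constrained_space(lengths, upper_range, lower_range, digit_range, special_range=(0,)) -> int:
    """What an attacker generates after learning the population's habits:
    only the compositions whose class counts fall inside the given ranges."""
    return sum(
        composition_space(u, l, d, s)
        for u in upper_range
        for l in lower_range
        for d in digit_range
        for s in special_range
        if u + l + d + s in lengths
    )


def at_least_one_from(class_size: int, length: int, alphabet_size: int = ALPHABET) -> int:
    """Passwords of this length with at least one character from one class (say, a digit):
    the whole space minus the passwords that avoid that class completely."""
    return alphabet_size ** length - (alphabet_size - class_size) ** length


# the second post's averages, widened to the ranges it says an attacker would try
PROFILE = dict(lengths={9, 10}, upper_range=(1, 2), lower_range=(6, 7), digit_range=(2, 3))


if __name__ == "__main__":
    full = search_space(ALPHABET, 10)
    narrowed = constrained_space(**PROFILE)
    print(f"72^10            : {full:.3e}  ({bits(full):.1f} bits)")
    print(f"profile-matching : {narrowed:.3e}  ({bits(narrowed):.1f} bits), {full // narrowed}x fewer guesses")
    print(f"72^32            : {search_space(ALPHABET, 32):.3e}")
    share = at_least_one_from(DIGITS, 8) / search_space(ALPHABET, 8)
    print(f"length 8 with at least one digit: {share:.0%} of the full space")
```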

 dread-i 19 Oct 2020
In reply to cb294:

>Especially with shortish passwords, knowing that at least one character must be uppercase, one a number and one a different alphanumeric character actually seems to shrink the search space.

The quickest way to crack passwords is to use a list of previously cracked passwords. There are readily available lists, such as this one with 10 million entries. That will get you, say, 50% of the accounts.

https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Cre...

Lots of passwords on the list would have sp3c1al spelling, but let's assume they don't.

You can run your list through software that has rules to modify the words. John the Ripper has rules for:

  • u: convert to uppercase
  • c: capitalize
  • C: lowercase the first character, and uppercase the rest
  • d: duplicate: "Fred" -> "FredFred"
  • f: reflect: "Fred" -> "FredderF"
  • {: rotate the word left: "jsmith" -> "smithj"

You can either do this at run time, or create additional dictionaries, which you can use again and again. You can then filter these dictionaries to match the requirements you mention, e.g. one number, one upper case:

  • /X: reject the word unless it contains character X
  • /?C: reject the word unless it contains a character in class C

So if you know that it has to contain a lowercase and a number, you can run a filter that converts the e's to 3's, all the l's to 1's, the o's to 0's etc.

To answer your question, it does extend the time taken.

Instead of cracking a password of 'hello', you'd need to try: h3llo, he1lo, he11o, hell0, h3l1o, h311o, h3110 etc. Then similar versions with caps or combination of caps, lower case and numbers. You could crack it, but it might take 20 passes using all the different variations.
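The rule-and-filter idea above, as an added example in Python (not John the Ripper's code and not from the post; the rule letters and their effects are the ones quoted above, the substitution table adds "a" and "s" as my assumption, and the leaked list is constructed). `leet_variants` builds every sp3c1al spelling of a word, `mangle` crosses those with the case rules the way a derived dictionary would, and `candidates` keeps only the variants that satisfy the target site's "one upper case, one digit" policy, which is the filtering step the post describes.

```python
import itertools

# Single-word rules with the same effect as the John the Ripper rules quoted above.
def rule_u(w: str) -> str: return w.upper()                        # u: uppercase
def rule_c(w: str) -> str: return w[:1].upper() + w[1:].lower()    # c: capitalize
def rule_C(w: str) -> str: return w[:1].lower() + w[1:].upper()    # C: lower first, upper rest
def rule_d(w: str) -> str: return w + w                             # d: duplicate
def rule_f(w: str) -> str: return w + w[::-1]                       # f: reflect
def rule_rotl(w: str) -> str: return w[1:] + w[:1]                  # {: rotate left

# the sp3c1al spellings from the post plus two common extras (my assumption)
LEET = {"e": "3", "l": "1", "o": "0", "a": "@", "s": "$"}


def leet_variants(word: str) -> set:
    """Every way of substituting any subset of the substitutable letters."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    out = set()
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i]]
            out.add("".join(chars))
    return out


CASE_RULES = (lambda w: w, rule_c, rule_u)


def mangle(word: str) -> set:
    """Leet substitutions crossed with case rules, i.e. one entry of a derived dictionary."""
    return {rule(v) for v in leet_variants(word) for rule in CASE_RULES}


def meets_policy(candidate: str, min_len: int = 1) -> bool:
    """The filter from the post: reject unless it has an upper-case letter and a digit."""
    return (len(candidate) >= min_len
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate))


def candidates(wordlist, policy=meets_policy) -> set:
    """Expand a leaked-password list and keep only what the target's policy would accept."""
    out = set()
    for word in wordlist:
        out |= {m for m in mangle(word) if policy(m)}
    return out


if __name__ == "__main__":
    leaked = ["hello", "password", "qwerty"]   # constructed stand-in for a leaked list
    for w in leaked:
        print(f"{w}: {len(mangle(w))} variants, {len(candidates([w]))} pass the policy")
    print(sorted(candidates(["hello"]))[:8])
```

For "hello" the four substitutable letters give 16 spellings, the three case rules turn those into 47 distinct strings, and 29 of them satisfy the policy: that is the "20 passes" of the post made concrete, and still tiny next to a real brute-force search.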

cb294 19 Oct 2020
In reply to dread-i:

Makes sense if you restrict yourself to starting from lists of passwords, accepting that you will never catch users with unique, random passwords.

However, for true brute force guessing, knowing that at least one digit of my password has to be a number cuts the total number of guesses I have to run by almost a magnitude (if I am not making some fundamental combinatorics error), since in one position I only need to test ten alternatives rather than 72. Same goes for the top row and grammatical symbols.

CB

cb294 19 Oct 2020
In reply to StuPoo2:

Makes sense. I was thinking more about brute force guessing, where every piece of information will shrink the search space. Knowing that my password has at least one number means 10 possibilities rather than 72 or 80 in one position, almost an order of magnitude.

I still maintain that password length is the best protection. As you say, no one will even try to build libraries of 16 or 20 digit passwords, unless some state actor is after a specific user, but even then*:

https://xkcd.com/538/

CB

Actual, actual reality: I assume that most hardware and software has backdoors or exploits known to state actors that allow them to catch, say, keyboard use before encryption.

 dread-i 19 Oct 2020
In reply to cb294:

>However, for true brute force guessing, knowing that at least one digit of my password has to be a number cuts the total number of guesses I have to run by almost a magnitude (if I am not making some fundamental combinatorics error), since in one position I only need to test ten alternatives rather than 72. Same goes for the top row and grammatical symbols.

Agreed.

You'd only really need to brute force, if there was an admin password you really wanted to crack. As you've mentioned, you'd make assumptions about the length to reduce the key space.

Password cracking can be distributed. If you were dedicated, you'd first hack someones AWS, Azure or Google cloud password. Then you could spin up thousands of GPU cores and put them to work at someone else's expense.

Snowden wrote a good essay called 'I hunt sysadmins', where they go after the person, not the password.

<beat me to the xkcd cartoon>

It's all moot, as quantum computing will make a lot of this irrelevant in a few years.

Post edited at 17:05
cb294 19 Oct 2020
In reply to dread-i:

 

> A cheaper method might be: https://xkcd.com/538/

Two idiots, one idea.....

CB

 StuPoo2 19 Oct 2020
In reply to cb294:

lol ... like the cartoon.

Agree with your maths. 

I think most people kinda miss the whole point - odds on you are nowhere near important enough, on a personal level, for anyone to bother brute forcing your password.

It's a game of numbers.  Basic cost benefit analysis. For the vast majority of the population ... the ROI to brute force your password specifically is super negative ... that's the business of Hollywood and/or state actors against sysadmins, government officials, some researchers, high ranking corporate staff etc.  Hacking is a game of odds.  For the most part, they want to steal 10's or 100's of thousands of deciphered credentials then bulk try them to see what few might allow them to monetize.    

Those few that can be monetized will be those that have used the same passwords on multiple websites.

The best single thing everyone can do is accept that no website is 100% safe, every site gets hacked eventually, plan for that happening and never use the same password on any other website - ever.

Two thumbs up for how UKC have dealt with it.

Night dudes!

 Frank R. 19 Oct 2020

In reply to Andy 1902:

Why? Not at all. Think of the big picture and big numbers.

It's not the hacked site anybody is interested in. It's the other, much more valuable sites where you probably reused your simple password which are the target. Many breached sites used quite outdated hashing methods where a simple password would be much easier to decipher later (fortunately, that doesn't seem to be the case here!).

In reply to Andy 1902:

This post explains how password hashing is done: https://www.ukhillwalking.com/forums/ukc/ukcukhrockfax_server_attack_-_informa...

We don't save passwords in the database, we save hashes. The strength of the hashing means it's unlikely that the hashes will be cracked but you can never say never with these things.

Having a long, complicated password means it would take too much computer power to break the hash and get back to the original password.

Post edited at 21:38
 Toerag 20 Oct 2020
In reply to Mike-W-99:

> This -> "There was a vulnerability in an upload plugin on the server that allowed malicious code to be uploaded and executed. "

Surely this would require some sort of user account to do this?*  Was this a known vulnerability that should have been patched, or something created by UKC staff?

*I don't know how upload plugins work

 Toerag 20 Oct 2020
In reply to Michael Simpson:

> Interesting idea but haven't you just provided a 'crib' by publishing your idea on a public forum?


Yes, but that's just an example and the potential options for word masking reduce the crib's effectiveness massively. Essentially, every pair of letters could be any of the 273k words in the dictionary (plus others like names), and there are multiple options for creating the letter pair (1st&last, 1st&2nd).  So, using StuPoo's logic, it is "the size of the alphabet" to the power of "the length of the password":

Alphabet = each letter pair = (273k words in oxford dictionary +273k capitalised first letter words + 273k capitalised last letter + 273k capitalised both letters + ?? special character options for letters in words) *pair creation options )

length of password = (no of words in the lyric + individual padding characters)

= some incomprehensibly big number.

Post edited at 09:58
 Ridge 20 Oct 2020
In reply to Michael Simpson:

> Interesting idea but haven't you just provided a 'crib' by publishing your idea on a public forum?

That format has been around for years. The version I heard was to make up a memorable phrase to you, rather than a lyric, e.g. "My son's name is Eric and he likes dinosaurs and monsters" which gives you "msnieahldam" or "MsniE&hld&m".

Only issue is the temptation to use it for multiple sites with only a slight change:

"MsniE&hld&mUKC"

"MsniE&hld&mAmz"

"MsniE&hld&mPPal"

When one is compromised the rest become relatively insecure.

another easy win is:
[number plate]is_a[colour][make][model]

 

 Ridge 20 Oct 2020
In reply to Longsufferingropeholder:

> another easy win is:

> [number plate]is_a[colour][make][model]

Issue is it's OK for a single password, but not multiple sites (bit of an issue if it was your UKC AND banking password).

cb294 20 Oct 2020
In reply to Ridge:

The one hard drive I have encrypted has a pass phrase of >> 30 letters along the lines of "thisisnoneofyourbusinesssof*ckoff" (with a few scattered $%$&) in the local Bavarian dialect, phonetically transcribed.

Seems like a convenient compromise between being able to memorize the password despite its length and being safe(ish) from a dictionary attack.

My main problem is not being able to memorize passwords, and the password managers I have tried (which would again be protected by a single strong password) are rather inconvenient when trying to access the same web sites from different devices.

For anything financial I use 2FA.

CB

In reply to Ridge:

Already been covered a bunch of times upthread. Point is you probably have memorised more than one number plate, and a number plate is an easily memorable way to bring in capitals and numbers.
Failing that, [number plate]is_a[colour][make][model]_UKC. Done.

Post edited at 12:13
 Sean Kelly 20 Oct 2020
In reply to Longsufferingropeholder:

So just logon to the DoT database like the odious clampers to work out your exact details!

In reply to Andy 1902:

> Bump as UKC no longer want it as a topic ....

There's a massive banner at the top of every page for people that haven't updated their password. How are you missing this, it's huge?

 Alkis 20 Oct 2020
In reply to cb294:

> Seems like a convenient compromise between being able to memorize the password despite its length and being safe(ish) from a dictionary attack.

This isn't a compromise. A password of >>30 characters that is not a common phrase is not going to be cracked, period.

A dictionary attack is not going to help here at all, the search space is ridiculous.

Post edited at 18:15
cb294 21 Oct 2020
In reply to Alkis:

Depends. I agree that brute force guessing would be impossible, even if you knew the exact length of the password.

However, if you want something memorable you do risk inadvertently picking something sufficiently common to become guessable (some song lyrics followed by a couple of numbers, some combination of the names of your children....), which could defeat the benefit of password length.

Switching to dialect phonetic transcription is an easy way to avoid that risk, the pass phrase will be just as memorable as the plain text version and, importantly, much more memorable than a random string of similar length. I have never written down the password for my hard drive, so it better be memorable!

You are right, though, that this is more of an issue for shorter passwords. A length of 20 or 30 characters is impractical for an account, say, at my online bicycle parts supplier (if their system even allowed that length). However, I create my "memorable" passwords in a different way for these purposes.

CB

 yorkshire_lad2 22 Oct 2020

I have no idea whether the two events are connected, and I'm not saying they are, but the suspect e-mails I've just received just happened to turn up around the same time as the notice of the server attack here, so it has focussed my thoughts, as a learning experience, not as a finger pointing exercise.

I found a couple of e-mails today in the spam of one of the handful of e-mail addresses I use.  Usual stuff: "we've caught you watching naughty downloads, and we're going to send a video of what you were doing and the video you were watching to all your friends/contacts if you don't pay us £x via bitcoin".  The difference this time is that it included a password I use on unimportant accounts.  It might have been the password I used for ukhillwalking although I can't remember as I changed the password on my ukhillwalking account last week in response to this thread.

It's been a salutary experience, finding all my online accounts (how did I ever accumulate so many!), checking which e-mail address the account uses, and which password, and changing them as necessary.

That's an evening I won't get back, but a useful lesson and a reminder.  As someone else on this thread said, with hacking, it's a case of "when" not "if", so be prepared.

One thing that has helped me this evening, and something that others might like to consider, is to have a list of the online login/accounts that you have, with the associated e-mail address.  That's a good starting point for checking all your online accounts.  Happily I started this 3 years ago, when EE/Orange/Wanadoo/Freeserve finally stopped their free e-mail service, and I had to migrate many accounts (to gmail).  Also, don't forget all those apps on your phone that have accounts/passwords attached to them.

 Mike-W-99 22 Oct 2020
In reply to Toerag:

> Surely this would require some sort of user account to do this?*  Was this a known vulnerability that should have been patched, or something created by UKC staff?

No, they'll have used a bug in the code to upload an arbitrary filetype to where they wanted.

It's a big problem when you are pulling in external libraries for additional functionality in PHP (which I think UKC is written in?), nodejs etc.
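To make Mike-W-99's point concrete, an added example of the bug class he describes beside a hardened version, in Python. This is my illustration, not the plugin's code, and nothing in the thread says what the UKC plugin actually did beyond letting a file be uploaded and executed. The unsafe function trusts the client's file name and type; the safe one allowlists extensions, checks the file's leading bytes against the claimed type, picks its own random file name and verifies that the resolved path stays inside the upload directory. Even then, the upload directory should sit outside the web root, or be served with script execution disabled, so that a file that slips through is never run by the server.

```python
import os
import secrets
from pathlib import Path

# allowed extensions and the leading bytes a real file of that type starts with
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def unsafe_save(upload_dir: str, client_filename: str, data: bytes) -> str:
    """The shape of bug described above: the client's file name and type are trusted.
    A name such as '../x.php' lands outside the upload folder, and anything ending
    in .php that lands in a web-served folder runs on the next request."""
    dest = os.path.join(upload_dir, client_filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def safe_save(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Hardened version: extension allowlist, content check, server-chosen name,
    and a resolved-path check that the file stays inside the upload directory."""
    ext = Path(client_filename).suffix.lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(magic):
        raise ValueError("content does not match the claimed type")
    root = Path(upload_dir).resolve()
    dest = (root / (secrets.token_hex(16) + ext)).resolve()   # client name is discarded
    if dest.parent != root:
        raise ValueError("path escapes the upload directory")
    dest.write_bytes(data)
    return str(dest)


def is_inside(path: str, directory: str) -> bool:
    """True when path resolves to somewhere under directory."""
    return Path(directory).resolve() in Path(path).resolve().parents


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    not_an_image = b"<?php /* constructed non-image payload for the demo */ ?>"
    bad = unsafe_save(uploads, "../escaped.php", not_an_image)
    print("unsafe_save wrote", bad, "inside uploads?", is_inside(bad, uploads))
    attempts = [("../escaped.php", not_an_image), ("pic.png", not_an_image),
                ("pic.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16)]
    for name, data in attempts:
        try:
            print("safe_save accepted", safe_save(uploads, name, data))
        except ValueError as err:
            print("safe_save rejected", name, "->", err)
```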

 Alkis 22 Oct 2020
In reply to cb294:

> However, if you want something memorable you do risk inadvertently picking something sufficiently common to become guessable (some song lyrics followed by a couple of numbers, some combination of the names of your children....), which could defeat the benefit of password length.

Of course. Like I mentioned above, I preferred surreal made up sentences seeded by what they are for. Memorable and impossible to guess but that is probably how my brain and sense of humour work.

> Switching to dialect phonetic transcription is an easy way to avoid that risk, the pass phrase will be just as memorable as the plain text version and, importantly, much more memorable than a random string of similar length. I have never written down the password for my hard drive, so it better be memorable!

Yeah, I do similar by inserting Greeklish sometimes, which is especially good when some of the words are actually made up to start with, so good luck finding them in a dictionary of any description.

> You are right, though, that this is more of an issue for shorter passwords. A length of 20 or 30 characters is impractible for an account, say, at my online bicycle parts supplier (if their system even allowed that length). However, I create my "memorable" passwords in a different way for these purposes.

Yeah, for all stuff like that I now use fully random passwords in a password manager. The super long passwords are reserved for things I cannot use a password manager for (server passwords and the like).

 Ridge 22 Oct 2020
In reply to yorkshire_lad2:

> I found a couple of e-mails today in the spam of one of the handful of e-mail addresses I use.  Usual stuff: "we've caught you watching naughty downloads, and we're going to send a video of what you were doing and the video you were watching to all your friends/contacts if you don't pay us £x via bitcoin".  The difference this time is that it included a password I use on unimportant accounts.  It might have been the password I used for ukhillwalking although I can't remember as I changed the password on my ukhillwalking account last week in response to this thread.

I had similar a couple of years ago, a bit of googling uncovered linkedin had been hacked, but unlike UKC no notification. I think UKC have been very good in how this has been handled, and I've had a thorough check of all my passwords for repetition since this happened.

 RandomUsername 22 Oct 2020
In reply to Nempnett Thrubwell:

I just found about it from an email. A bit later than you, but at least it’s there 

 Jiffy 22 Oct 2020
In reply to UKC/UKH News:

The harvested email addresses are being used to phish Vodafone customers. I got this:
"You have been selected [redacted part of email address before the @] - We have a surprise for Vodafone Customers!"
Delivery-date: Thu, 22 Oct 2020 19:34:25 +0100
Received: from skiro.uksouth.cloudapp.azure.com ([20.58.9.72]:39478 helo=aler.Caf.fr)
 

Delivered to an email address I only used for UK Climbing.

Post edited at 23:02
In reply to Jiffy:

Hi Jiffy,

I'm afraid the email you use on UKC was released in a breach in Feb 2018 by another website. Please check https://haveibeenpwned.com/

The way they saved the password hashes was a combination of BCrypt and SHA-1 for older accounts. If you were also one of the users unlucky enough to have your password hash released in the insecure SHA-1 format, then it has more than likely been cracked too.

Post edited at 9:55
1
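As an added example (not the poster's or UKC's code), a login routine that accepts both a legacy unsalted SHA-1 record of the kind described above and a salted slow hash, and re-hashes legacy records on the next successful login. It uses hashlib.scrypt from the Python standard library as the slow hash in place of the bcrypt mentioned in the post, since bcrypt is a third-party package; the record formats (`sha1$...`, `scrypt$<salt>$<digest>`) are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed record formats for this example (not UKC's actual storage format).
LEGACY_PREFIX = "sha1$"    # unsalted, fast: identical passwords give identical hashes
MODERN_PREFIX = "scrypt$"  # salted, memory-hard; stand-in for the bcrypt named above


def legacy_sha1(password: str) -> str:
    """The old, weak format: a bare SHA-1 of the password, no salt, no work factor."""
    return LEGACY_PREFIX + hashlib.sha1(password.encode()).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt (16 MiB per guess with n=2**14, r=8), a random salt per record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"{MODERN_PREFIX}{salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a candidate password against either record format (constant-time compare)."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(stored, legacy_sha1(password))
    if stored.startswith(MODERN_PREFIX):
        _, salt_hex, _ = stored.split("$")
        return hmac.compare_digest(stored, modern_hash(password, bytes.fromhex(salt_hex)))
    raise ValueError("unknown hash format")


def login(stored: str, password: str) -> Tuple[bool, str]:
    """Return (success, record_to_store): legacy records are upgraded on a successful login,
    the only moment the plaintext is available to re-hash."""
    ok = verify(stored, password)
    if ok and stored.startswith(LEGACY_PREFIX):
        stored = modern_hash(password)
    return ok, stored
```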
 GrantM 23 Oct 2020
In reply to UKC/UKH News:

Worth checking if your name and address details are stored on UKC, possibly if you've entered a competition or completed a survey. These details are retained for targeted advertising and are vulnerable to a data breach.

"The address details here are never and will never be made public. We use this data to prefill the fields when entering competitions, surveys and eventually will be used for showing ads related to climbing walls and shops in your area."

 GrantM 23 Oct 2020
In reply to Paul Phillips - UKC and UKH:

Should you be disclosing the name of the other site that was hacked? Email addresses are hidden on UKC to protect privacy.

6
 Ridge 23 Oct 2020
In reply to GrantM:

> Should you be disclosing the name of the other site that was hacked? 

It's publicly available information, so why shouldn't they reveal it (particularly as the email address in question was compromised 2 years before the UKC data breach).

Clauso 23 Oct 2020
In reply to UKC/UKH News:

This just in. Seems relevant:

Finally: a usable and secure password policy backed by science:

https://techxplore.com/news/2020-10-usable-password-policy-science.html

