Security

Drupal.org User Accounts Compromised

An anonymous reader writes "The Drupal.org team released a bulletin this evening notifying users of a breach in their infrastructure. From the bulletin: 'The Drupal.org Security Team and Infrastructure Team has discovered unauthorized access to account information on Drupal.org and groups.drupal.org. This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords... All Drupal.org passwords are both hashed and salted, although some older passwords on some subsites were not salted.' Users are encouraged to update their Drupal.org passwords and the passwords of any accounts that could be linked via the compromised information."
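The bulletin's distinction between salted and unsalted stored passwords is the part that decides how much of the dump is reusable against users. The following is an added illustration, not Drupal.org's own code: it assumes a constructed legacy format (plain hex MD5, no salt) beside a constructed salted PBKDF2 format, shows why identical passwords collapse to one digest in the unsalted scheme, and flags legacy entries that an operator would rehash on the user's next login.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Assumed legacy format for the demo: 32 hex chars of unsalted MD5.
LEGACY_RE = re.compile(r"^[0-9a-f]{32}$")
ITERATIONS = 100_000  # PBKDF2 work factor for the salted scheme

def legacy_hash(password: str) -> str:
    """Unsalted hash: every user with the same password gets the same digest,
    so one cracked digest (or a precomputed table) covers all of them."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash; a random per-user salt is stored with the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _scheme, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def needs_rehash(stored: str) -> bool:
    """True for entries still in the legacy unsalted format."""
    return bool(LEGACY_RE.match(stored))

def audit(user_table: dict) -> dict:
    """Count legacy entries and how many distinct digests those users share."""
    legacy = {u: h for u, h in user_table.items() if needs_rehash(h)}
    return {
        "legacy": len(legacy),
        "distinct_legacy_digests": len(set(legacy.values())),
        "salted": len(user_table) - len(legacy),
    }

# Constructed sample table: three legacy users (two share a password),
# two users on the salted scheme with that same shared password.
SAMPLE = {
    "alice": legacy_hash("correcthorse"),
    "bob": legacy_hash("correcthorse"),
    "carol": legacy_hash("hunter2"),
    "dave": salted_hash("correcthorse"),
    "erin": salted_hash("correcthorse"),
}
```

In the sample, alice and bob produce one identical legacy digest while dave and erin get two different salted records for the same password; an audit that reports nonzero `legacy` is the signal to force a rehash on next login.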
  • by Anonymous Coward on Wednesday May 29, 2013 @08:32PM (#43856127)

    As a recent Ars Technica article has uncovered, it is possible for a dedicated and knowledgeable attacker to reveal as many as 90% of passwords in a database. The sophistication of password cracking has never been higher, and common advice such as "use a mix of numbers, symbols, and uppercase letters" is no longer sufficient to fully ward a salted and hashed password from either compromise or ultimate flavor.

    While brute force cracking is rendered useless by any properly implemented password system, hackers have responded by tailoring dictionary attacks using techniques such as the following:

    • Uppercase, in languages such as English, Japanese, or Spanish, typically appears at the beginning of a password, while symbols and numbers usually show up at the end.
    • Combinations of words, such as the famous "horsebatterystaple" or the lesser known "walruspusflange", while suggested to extend the length of a password and reduce its susceptibility to brute forcing techniques, may nevertheless leave it vulnerable to directory combining attacks. Common passwords attached to each other sometimes reveal other passwords.
    • Upwards of 50% of passwords contain the winner of the most recent Super Bowl, World Series, or Eurovision Song Contest, or some combination of letters used to spell such.
    • Custom password dictionaries are available for passwords created by mashing the palm of the hand from left to right on the keyboard, and more are in development for mashing right to left (for RTL languages).

    So, how to keep your password safe in this age of uncertainty? Well, there is no sure way. But consider the following to stay one step ahead of the bad guys:

    • Use a password length of 100 characters or greater, including a mix of uppercase letters, numbers, and symbols.
    • Work out what your usual password is in EBCDIC, and enter it using the Alt key and your keypad.
    • Invent a language with a million characters, get it accepted in Unicode, and develop a gigantic keyboard for it. Or learn written Chinese.

    Once compromise happens, you have to assume your passwords will be known by the attackers before you do. Regularly changing your password is part of good Internet hygiene, so you may want to look for software that can automatically do this for you every minute or so. You may also want to consider two factor verification, typically a password and an application on your cellphone that gives you an access code, or three factor verification, which includes with the preceding an application on your friend's cellphone that gives a second access code that he'll send you on request. You cannot be too safe these days.

  • by TheRealDevTrash ( 2849653 ) on Wednesday May 29, 2013 @09:42PM (#43856553)
    Joomla. now there's a secure CMS.
