Poll

What is your main sona?

House Cat: 71 (7.7%)
Big Cat: 25 (2.7%)
General Dog: 24 (2.6%)
Wolf: 68 (7.3%)
Fox: 92 (9.9%)
Snake: 5 (0.5%)
Naga: 4 (0.4%)
Lizard: 8 (0.9%)
Dragon: 55 (5.9%)
Horse: 5 (0.5%)
Deer: 6 (0.6%)
General Bird: 17 (1.8%)
Gryphon: 11 (1.2%)
Bat: 5 (0.5%)
Otter: 10 (1.1%)
Rabbit: 7 (0.8%)
Frog: 3 (0.3%)
Shark: 16 (1.7%)
Whale: 7 (0.8%)
Raptor: 8 (0.9%)
Owl: 8 (0.9%)
Goo Creature: 22 (2.4%)
Rubber Creature: 3 (0.3%)
Latex Creature: 31 (3.3%)
Bear: 14 (1.5%)
Weasel: 3 (0.3%)
Ferret: 10 (1.1%)
Sergal: 7 (0.8%)
Camel: 12 (1.3%)
DeadFur: 18 (1.9%)
Human: 352 (38%)

Total Members Voted: 923

Author Topic: Furry Megathread - Furry Things Here  (Read 4484305 times)

figure u guys would find this wolfdog being pet pretty cuuute https://www.youtube.com/watch?v=5OWOQF3dWi0

figure u guys would find this wolfdog being pet pretty cuuute https://www.youtube.com/watch?v=5OWOQF3dWi0
i was happy until i read the description about the wolf's story.

http://bird.school/post/144786857236/urgent-security-notice

If you know what password you used on FA, I'd suggest changing it on any other website you used it as well.
I hardly loving used FA, and now I can't check which one I used because they reset all the passes.
« Last Edit: May 25, 2016, 12:40:23 AM by ShadowsfeaR »

It'll warn you if you try to set it to the one that was compromised.

Edit: Just tested all mine. Thankfully it was the one I don't use anymore.

Edit 2: And of course, the site is broken. If you set it to the 'known compromised password' via your user settings page, neither your previous password nor the one you tried to set it to will work.
« Last Edit: May 24, 2016, 03:05:08 PM by Shift Kitty »

Personally, I'd just leave it un-set and move on to a new website. The fact they store the passwords in unsalted hashes is so incredibly irresponsible.

i was happy until i read the description about the wolf's story.
me too

i cri

Personally, I'd just leave it un-set and move on to a new website. The fact they store the passwords in unsalted hashes is so incredibly irresponsible.
is there a source on the fact that they didn't salt the hashes? I wouldn't necessarily put it past them, but that's a pretty big claim to make without proof :/
also what the heck does "The password hashes, the literal things that decrypt passwords" mean lol

to be 10000% honest i want FA to be sued and to fade
if people can't move on, just kill FA and make them move on.

also what the heck does "The password hashes, the literal things that decrypt passwords" mean lol
I too was going to say this is kinda wonky. Hash algorithms are inherently irreversible, the danger is just if your password is short a computer can try millions of hash combinations until it finds the one matching yours. If you have a password 13 characters or longer and isn't just words or something, it'll take too long to figure it out to be in any real danger unless someone wanted to specifically target you and was willing to put months into it.

Personally, I'd just leave it un-set and move on to a new website. The fact they store the passwords in unsalted hashes is so incredibly irresponsible.
I was only trying to set it because I wanted to know which one I used on it.

I too was going to say this is kinda wonky. Hash algorithms are inherently irreversible, the danger is just if your password is short a computer can try millions of hash combinations until it finds the one matching yours. If you have a password 13 characters or longer and isn't just words or something, it'll take too long to figure it out to be in any real danger unless someone wanted to specifically target you and was willing to put months into it.
They don't really have to specifically target a person. Because they're unsalted, they could just run every password through it and start marking down which ones have matches to which account.
There's a reason hashes are usually salted.

They don't really have to specifically target a person. Because they're unsalted, they could just run every password through it and start marking down which ones have matches to which account.
There's a reason hashes are usually salted.
If they tried to do all the passwords at once that would be a pretty slow process. Sure, you cut out having to do repeat hashing operations, but you'll still have to do 11,000 string comparisons before you can move on to the next hash. At that rate you'll probably only be hitting 5-6 character passwords within the week.

Also salting hashes doesn't do very much in a situation like this. It can help when only a database is breached, since the attackers may not know what the salt is or how it's used. However, in this case the entirety of FA's source code was stolen, so they most likely would have figured out what the salt was anyways if they used one.
« Last Edit: May 24, 2016, 03:50:37 PM by Pecon »
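
Added example, not part of any post in this thread: a Python comparison of the two storage schemes debated above, run as the kind of "is this account on the known-compromised password" check the site performs. The account names, passwords, plain SHA-1 for the unsalted case and the PBKDF2 work factor are assumptions; the thread does not say which hash the site used.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; not data from the breach discussed in the thread.
ACCOUNTS = {"alice": "hunter22", "bob": "hunter22", "carol": "maple-otter-9-lantern"}
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this demo


def unsalted_record(password):
    # Assumption: plain SHA-1, standing in for "an unsalted hash".
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password):
    # A fresh random salt per account, stored next to the digest.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def audit_unsalted(known_bad, table):
    """Find accounts using a known-compromised password: one hash covers all rows."""
    index = {}
    for user, digest in table.items():
        index.setdefault(digest, []).append(user)
    return sorted(index.get(unsalted_record(known_bad), [])), 1


def audit_salted(known_bad, table):
    """Same audit against salted records: the hash is recomputed for every row."""
    hits, hashes = [], 0
    for user, (salt, digest) in table.items():
        candidate = hashlib.pbkdf2_hmac("sha256", known_bad.encode(), salt, ITERATIONS)
        hashes += 1
        if hmac.compare_digest(candidate, digest):
            hits.append(user)
    return sorted(hits), hashes


def build_tables():
    unsalted = {u: unsalted_record(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print(audit_unsalted("hunter22", unsalted))  # one hash, both reusers found
    print(audit_salted("hunter22", salted))      # three hashes for three rows
```

In the unsalted table the two accounts sharing a password have identical digests, so a single hash plus a dictionary lookup checks every account at once; with per-account salts the digests differ and the work scales with the number of accounts, even though each salt is stored in the clear.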

If they tried to do all the passwords at once that would be a pretty slow process. Sure, you cut out having to do repeat hashing operations, but you'll still have to do 11,000 string comparisons before you can move on to the next hash. At that rate you'll probably only be hitting 5-6 character passwords within the week.
Well, not any 5 character passwords. Min is 6. So you'd start right at 6.

Also salting hashes doesn't do very much in a situation like this. It can help when only a database is breached, since the attackers may not know what the salt is or how it's used. However, in this case the entirety of FA's source code was stolen, so they most likely would have figured out what the salt was anyways if they used one.
Fair enough.


God, if it weren't for the jpeg, that pic would be priceless

Personally, I'd just leave it un-set and move on to a new website. The fact they store the passwords in unsalted hashes is so incredibly irresponsible.
They stored it salted and hashed. No need for outrage and if your password was secure before it's still secure now.

http://www.furaffinity.net/journal/7578912/