Log files show the hacker’s movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters).
This is what the current phpBB Project Manager replied:
It is a bit shocking how many commenters went from “I have seen md5 mentioned in prior articles a few times” to “I am an expert on cryptography and clearly Ars, phpBB, et al. don’t know what they’re doing and don’t take security seriously.” As a matter of fact, we take matters of security extremely seriously. PHPass was chosen because it is a very strong option that works on a wide range of setups. It is certainly getting the job done here with flying colors. If that weren’t the case, neither phpBB nor Ars would be using it.
On our newest version, phpBB 3.1, there is support for bcrypt for an even stronger hash. We are more than happy to assist in any way we can to get Ars upgraded in due course.
Project Manager, phpBB
http://arstechnica.com/staff/2014/12/ar ... t-we-know/
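As an added illustration of the point being argued above (this is example code written for this post, not Ars Technica's or phpBB's own code): a login check that still verifies the salted, iterated MD5 scheme the article describes, and re-hashes the password with a stronger scheme the moment a legacy user logs in successfully, which is the usual way a site gets "upgraded in due course" without forcing a reset. The chaining order of the MD5 loop, the PBKDF2 iteration count, and the record layout are my assumptions; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt only because bcrypt is not in Python's standard library.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not values taken from phpBB or Ars).
LEGACY_ROUNDS = 2048          # the article: "2,048 iterations of the MD5 algorithm"
PBKDF2_ITERATIONS = 200_000   # assumed cost for the stand-in modern scheme


def legacy_hash(password: bytes, salt: bytes, rounds: int = LEGACY_ROUNDS) -> str:
    """Salted, iterated MD5 in the style the article describes.

    The exact chaining (md5(salt + pw), then md5(prev + pw) repeated) is an
    assumption made for this example, not a transcription of PHPass.
    """
    digest = hashlib.md5(salt + password).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + password).digest()
    return digest.hex()


def modern_hash(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256, a standard-library stand-in for bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations).hex()


def make_record(password: bytes, scheme: str = "pbkdf2") -> dict:
    """Build a stored credential record with a fresh random salt."""
    salt = os.urandom(16)
    if scheme == "legacy-md5":
        return {"scheme": scheme, "salt": salt.hex(),
                "rounds": LEGACY_ROUNDS, "hash": legacy_hash(password, salt)}
    return {"scheme": "pbkdf2", "salt": salt.hex(),
            "rounds": PBKDF2_ITERATIONS, "hash": modern_hash(password, salt)}


def _check(record: dict, password: bytes) -> bool:
    """Recompute the hash under the record's own scheme; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "legacy-md5":
        candidate = legacy_hash(password, salt, record["rounds"])
    elif record["scheme"] == "pbkdf2":
        candidate = modern_hash(password, salt, record["rounds"])
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def verify_and_upgrade(record: dict, password: bytes):
    """Return (ok, record_to_store).

    A successful login is the one moment the plaintext is available, so a
    legacy record is re-hashed with the modern scheme right then; the caller
    persists the returned record if it differs from the input.
    """
    if not _check(record, password):
        return False, record
    if record["scheme"] != "pbkdf2":
        return True, make_record(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample: a user whose stored hash still uses the legacy scheme.
    stored = make_record(b"correct horse battery staple", scheme="legacy-md5")
    ok, stored = verify_and_upgrade(stored, b"correct horse battery staple")
    print("login ok:", ok, "| scheme now:", stored["scheme"])
```

The interesting property is the asymmetry: a legacy guess costs about 2,049 MD5 calls, which is cheap on commodity GPUs, while the replacement cost is a tunable parameter you can raise over time; the migration path above never needs the plaintext stored anywhere.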