I know you have all read the news today..
Russian Gang Amasses Over a Billion Internet Passwords
http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0
Snippet: Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as an SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.
Should we be concerned about this?
ManOfTeal.COM a Proud UNA site, six years running strong! |
https://www.deanbassett.com |
I use very complex passwords; I guess what I meant to ask is:
If we use complex passes, our sites are safe?
If "members" use "easy" passwords, I'm thinking that does not matter. Right?
I'm not a database guy...
ManOfTeal.COM a Proud UNA site, six years running strong! |
Right.
Even if someone gets your database, which is highly unlikely, they still have to crack the passwords. The actual password you use really does not matter except in cases of brute force types of attacks where the attacker uses automated software to try different passwords over and over again.
If they have the hash, as would be the case if the database is obtained, then they would run various words through several hashing methods trying to come up with a match to the hash. It does not necessarily have to be your password but anything that would result in the same hash. Such hash collisions for SHA1 have a probability of somewhere in the area of 2^80.
It is highly unlikely for anyone that uses strong passwords as they will not be in most dictionaries hackers use.
It's not something I would worry about.
However, with a Dolphin site, you can still log in if you know the hash. I will not reveal how in a public forum.
If you want me to prove it, just give me a URL to a Dolphin site with a test account you set up. Provide me with that test account's member ID and the hashed password and I will log in and change the status and the password as proof it can be done.
https://www.deanbassett.com |
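Added example, not part of the original posts and not Dolphin's code: a defender-side audit showing why a password found in a common wordlist is recovered from a leaked fast, unsalted hash while a strong one is not, next to salted slow hashing for storage. Plain unsalted SHA-1, the wordlist, the account names and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from any real site or breach).
WORDLIST = ["123456", "password", "letmein", "qwerty", "iloveyou"]
ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example


def sha1_hex(password: str) -> str:
    """Fast, unsalted hash: the weak storage scheme being audited."""
    return hashlib.sha1(password.encode()).hexdigest()


def audit_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Flag accounts whose unsalted hash matches a common password.

    One precomputed table covers every account, because identical
    passwords always produce identical unsalted hashes.
    """
    table = {sha1_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened storage: per-user random salt plus a slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    stored = {
        "alice": sha1_hex("letmein"),           # weak, in the wordlist
        "bob": sha1_hex("letmein"),             # same password, same hash
        "carol": sha1_hex("t7#Vq9!mZr2&xLp0"),  # strong, not in the wordlist
    }
    print(audit_unsalted(stored, WORDLIST))
    s1, d1 = hash_password("letmein")
    s2, d2 = hash_password("letmein")
    print(d1 != d2, verify_password("letmein", s1, d1))
```

Running the audit against your own member table is a quick way to find accounts that need a forced password reset before an attacker finds them.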
Thanks for the excellent detailed explanation!
I feel better.
No need to show me, I totally believe you.
ManOfTeal.COM a Proud UNA site, six years running strong! |
And before anyone freaks out and says if you can do that then Dolphin is not secure: well, that's not really correct. It's not a security problem unless a hacker manages to get your database. And if the hacker was able to do that, then you have a bigger security problem you should be more worried about. So this is a case where it requires you break through one layer before you can get to the other. It's a non-issue unless the hacker gets the database. And many sites use this same method.
https://www.deanbassett.com |
I don't think they hacked anything at all.. Why Russian now? If it was not Russian, the New York Times would say "Iran, North Korea or China". I strongly believe this is another politic as always. :( The best thing about it: I am glad they are saying Russian, otherwise we will be dropping some B-Bomb in that country.
Because Russia is one of the countries that doesn't stop or even seem to care what cyber crimes its citizens commit. In the last few months I've gotten emails from most of the big name websites I use saying they might have been compromised and I should change my passwords. It's hard to take any of it seriously anymore.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
RE:
Because Russia is one of the countries that doesn't stop or even seem to care what cyber crimes its citizens commit
They probably figure as long as their citizens are busy cyber-criming someone in the US, they'll have less crime on the home front.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
Russian Gang! Gang= Guardian Angels of the neighborhood
It's not a crime to be a gang in the US. Gang means the Guardian Angels of the neighborhood. That's the meaning here in the US. It also means the same thing in Russian :)
What's odd is the gangs in other countries are teams of highly organized hackers.. and here in the US they steal hubcaps.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Lol. We have classes in the US for what you call hackers. It costs around $900 to $3000 depending on which college you go to to take that 3-month course. Here we call it "Network security plus". I took that class back in 2004, then took it again in 2008 to see what's new.
Yes, I understand, it is a low-level hacking class. We are just jealous because some "highly organized smart people" know how to type better than us. Of course, here the gangs are just stealing hubcaps, but if they knew how to type candidly, they would do much worse.