Originally Posted by panda317
So, your server was compromised and there is no statement issued by you stating that we should change our passwords?
Very unsecure.
I'm outta here.
The compromise was with the application and they had no access at any time to the database. However, for a second let's say that they did. Your password is saved as an MD5 hash with a salt added to it. We don't actually ever save your password. When you type in your password, your specific salt is added to it and it's hashed. The resulting hash is compared to the hash stored in the database. If they match, then it lets you in.
MD5 is a one-way hash. This means that you can't take a hash and figure out what the original string was. While there are MD5 lookup databases that try to catalog all possible hashes, the fact that we salt the password first makes them completely unusable.
This is why if you forget your password here that you can only get instructions to reset it. We can't ever send you your password because we don't know what it is. If a website will email you your password when you forget it, that means that they store your password directly. That's a bad thing.
We didn't warn anyone that they should change their passwords because there is absolutely no way that someone stole your passwords.
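An added example, not part of the original post and not the forum software's code: the salt-then-hash login check described above, next to the same check built on a deliberately slow key-derivation function (PBKDF2), which is what current practice uses for stored passwords. The function names, the password-plus-salt ordering, the salt length and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the hardened variant


def new_salt(n=16):
    """Per-user random salt (the length is an assumption)."""
    return os.urandom(n)


def md5_salted(password, salt):
    """Scheme as described in the post: salt added to the password, then MD5."""
    return hashlib.md5(password.encode("utf-8") + salt).hexdigest()


def pbkdf2_salted(password, salt):
    """Same idea with a slow KDF, so each guess costs far more than one MD5."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS)
    return raw.hex()


def register(password, hasher):
    """Return the record a site would store: salt and hash, never the password."""
    salt = new_salt()
    return {"salt": salt, "hash": hasher(password, salt)}


def verify(password, record, hasher):
    """Re-hash the attempt with the stored salt and compare in constant time."""
    attempt = hasher(password, record["salt"])
    return hmac.compare_digest(attempt, record["hash"])


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    a = register("hunter2", md5_salted)
    b = register("hunter2", md5_salted)
    print("same password, different stored hashes:", a["hash"] != b["hash"])
    print("correct login:", verify("hunter2", a, md5_salted))
    print("wrong login:", verify("hunter3", a, md5_salted))
    c = register("hunter2", pbkdf2_salted)
    print("PBKDF2 login:", verify("hunter2", c, pbkdf2_salted))
```

Because each record carries its own random salt, two users with the same password get different stored hashes, and a table of plain MD5 values does not match either of them.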
Originally Posted by benzguy80
I for one thank you and the others that administer FT. I'll suppress my opinions about the posts (and posters) who threaten leaving.
Thanks!