flyertalk site redirected?

Old Nov 23, 2009 | 6:56 am
  #31  
 
Join Date: Dec 2006
Location: Duluth, GA
Programs: AAdvantage PLT, AA 2MM, Marriott Gold
Posts: 2,268
Originally Posted by IB-Dick
We believe that the attackers found a vulnerably in a piece of software on the site. We became aware of the exploit last week and patched the software accordingly. Our security scan of the site did not uncover any additional problems, however someone had left a back door onto the server. We have located and removed the malicious scripts.

We are very sorry for the inconvenience today.
I for one thank you and the others that administer FT. I'll suppress my opinions about the posts (and posters) who threaten leaving.
benzguy80 is offline  
Old Nov 23, 2009 | 9:18 am
  #32  
FlyerTalk Evangelist
 
Join Date: Mar 2004
Location: SGF
Programs: AS, AA, UA, AGR S+, Choice Platinum
Posts: 23,317
Originally Posted by karenkay
nope. there's a paid option which removes the ads (as does ....... for free, if you're using firefox) and gives you a larger mailbox.
I'm not clear on it, but the IF subscription fees may very well be going to the HOM in COS instead of to IB.

People vowing not to subscribe may be protesting against the wrong party...
jackal is offline  
Old Nov 23, 2009 | 10:46 am
  #33  
 
Join Date: Oct 2009
Posts: 302
Originally Posted by benzguy80
I for one thank you and the others that administer FT. I'll suppress my opinions about the posts (and posters) who threaten leaving.
It is a business and if the firm, FT, could be making more economic profit elsewhere, the firm would dissolve and reallocate its resources in a different market. Thus, I am thankful for such a service, but keep in mind, this is not run out of some poor person's house who has overloaded their electric circuit for us. It's a business and they need to respond to customers.
CactusFlier is offline  
Old Nov 23, 2009 | 10:53 am
  #34  
FlyerTalk Evangelist
 
Join Date: Sep 2003
Location: HH Diamond, Marriott, IHG, Hyatt something
Posts: 34,505
I'd suggest that IB get some junior high coders on their staff so they can flesh out these problems a bit quicker.
Jaimito Cartero is offline  
Old Nov 23, 2009 | 11:20 am
  #35  
 
Join Date: Feb 2009
Posts: 959
Originally Posted by panda317
So, your server was compromised and there is no statement issued by you stating that we should change our passwords?

Very unsecure.

I'm outta here.
The compromise was with the application and they had no access at any time to the database. However, for a second let's say that they did. Your password is saved as an md5 hash with a salt added to it. We don't actually ever save your password. When you type in your password, your specific salt is added to it and it's hashed. The resulting hash is compared to the hash stored in the database. If they match, then it lets you in.

MD5 is a one way hash. This means that you can't take a hash and figure out what the original string was. While there are md5 lookup databases that try to catalog all possible hashes, the fact that we salt the password first makes them completely unusable.

This is why if you forget your password here that you can only get instructions to reset it. We can't ever send you your password because we don't know what it is. If a website will email you your password when you forget it, that means that they store your password directly. That's a bad thing.

We didn't warn anyone that they should change their passwords because there is absolutely no way that someone stole your passwords.

Originally Posted by benzguy80
I for one thank you and the others that administer FT. I'll suppress my opinions about the posts (and posters) who threaten leaving.
Thanks!
IB-Dick is offline  
Old Nov 23, 2009 | 12:22 pm
  #36  
All eyes on you!
 
Join Date: Jan 2004
Location: Louisville, KY, USA
Posts: 2,596
Let me join with others in saying thanks to our hard working IT gurus.

Bigger sites have been hacked including sensitive government sites. The test of IT is how fast they can get things back together. Where we addicts look for instant gratification, you did well guys.
KyRoamer is offline  
Old Nov 23, 2009 | 12:45 pm
  #37  
All eyes on you!
 
Join Date: Jul 2001
Location: Tyler, TX USA
Posts: 1,063
Originally Posted by KIXman
LoneStarMike, that doesn't sound good.
Does the alert popup still come up after IB's actions so far?
No. Once I shut down and then powered up again, the popup was gone.
LoneStarMike is offline  
Old Nov 23, 2009 | 1:57 pm
  #38  
All eyes on you!
 
Join Date: Jul 2002
Location: Victoria, BC
Programs: UA 1k, AA Exec Plt 2MM, HH Diamond, *wood Gold, disgruntled Amex Ex-Centurion
Posts: 594
Originally Posted by IB-Dick
The compromise was with the application and they had no access at any time to the database. However, for a second let's say that they did. Your password is saved as an md5 hash with a salt added to it. We don't actually ever save your password. When you type in your password, your specific salt is added to it and it's hashed. The resulting hash is compared to the hash stored in the database. If they match, then it lets you in.

MD5 is a one way hash. This means that you can't take a hash and figure out what the original string was. While there are md5 lookup databases that try to catalog all possible hashes, the fact that we salt the password first makes them completely unusable.
While what you write above about MD5 is true, it does not address the problem of password security on a compromised site.

1.) MD5 is outdated and deprecated, as successful attacks on MD5 have been demonstrated more than 4 years ago. Look this up in any recent book on computer security - or just go to wikipedia. I quote: "On 18 March 2006, [Vlastimil] Klima published an algorithm that can find a collision within one minute on a single notebook computer, using a method he calls tunneling."

How anybody can still use MD5 in critical applications is beyond me. You should switch to SHA. For SHA-1, only theoretical attacks exist, for SHA-2 no known attacks exist.

2.) Salting offers only minimal protection against weak passwords. Everybody with a short password (less than eight characters) should be aware that a brute force attack will uncover it in a few hours (total time for yours and any other similar weak password in the system). Since it is a brute force attack, even a password like "gHj87Q" offers no protection. Also, dictionary attacks can be quite successful - how many of you have a common English word or name as a password? Those take minutes.

3.) A system that has been compromised as far as having backdoors installed should never be considered safe until reinstalled or restored from a known good backup. Evidence that "they never accessed the database" may be false, since the backdoor application could as well have scrubbed the log files to hide its tracks - very common, btw.

And yes, I do system security for a living.
colonius is offline  
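An added example, not code from the thread or from vBulletin, that puts the salted-MD5 check IB-Dick describes next to an iterated KDF and measures the cost of one verification under each, which is the quantity behind colonius's point that a fast hash lets an offline attacker exhaust every short password; the concatenation order, the sample salts and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import time

# Scheme described in the thread: md5(password + per-user salt).
# The concatenation order and the sample salts are constructed assumptions.
def legacy_md5_hash(password: str, salt: str) -> str:
    return hashlib.md5((password + salt).encode()).hexdigest()

def legacy_md5_verify(password: str, salt: str, stored_hex: str) -> bool:
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(legacy_md5_hash(password, salt), stored_hex)

# Hardened replacement: a salted, iterated KDF. Each verification costs
# ITERATIONS HMAC-SHA256 calls, and so does every offline guess.
ITERATIONS = 200_000  # assumed work factor; tune to ~100 ms on your server

def pbkdf2_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def pbkdf2_verify(password: str, salt: bytes, stored: bytes,
                  iterations: int = ITERATIONS) -> bool:
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)

def seconds_per_guess():
    """Cost of one verification under each scheme on this machine.
    Returns (md5_seconds, pbkdf2_seconds, slowdown_factor)."""
    md5_salt, kdf_salt = "constructed-salt", os.urandom(16)
    t0 = time.perf_counter()
    for i in range(2000):
        legacy_md5_hash(f"guess{i}", md5_salt)
    md5_t = (time.perf_counter() - t0) / 2000
    t0 = time.perf_counter()
    for i in range(10):
        pbkdf2_hash(f"guess{i}", kdf_salt)
    kdf_t = (time.perf_counter() - t0) / 10
    return md5_t, kdf_t, kdf_t / md5_t

def keyspace_hours(charset_size: int, length: int, per_guess: float) -> float:
    """Hours to try every password of exactly `length` characters."""
    return charset_size ** length * per_guess / 3600

if __name__ == "__main__":
    md5_t, kdf_t, factor = seconds_per_guess()
    print(f"md5 {md5_t:.2e}s, pbkdf2 {kdf_t:.2e}s per guess, x{factor:.0f} slower")
    # 62-character alphabet, 6 characters: a "gHj87Q"-style password
    print(f"6-char keyspace: {keyspace_hours(62, 6, md5_t):.1f} h vs "
          f"{keyspace_hours(62, 6, kdf_t):.0f} h")
```

The measured slowdown factor is per single core; a real estimate must also account for the attacker's parallelism, which is why the KDF's work factor, not the salt, is what buys time.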
Old Nov 23, 2009 | 4:00 pm
  #39  
In Memoriam, FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: Southern California
Programs: DL: 3.8 MM, Marriott: Lifetime Titanium
Posts: 24,575
Originally Posted by colonius
Everybody with a short password (less than eight characters) should be aware that a brute force attack will uncover it in a few hours (total time for yours and any other similar weak password in the system). Since it is a brute force attack, even a password like "gHj87Q" offers no protection. Also, dictionary attacks can be quite successful - how many of you have a common English word or name as a password? Those take minutes.
Thanks for the reminder.

I thought my passwords were fairly complex but you convinced me to rethink that.

I just added very complex passwords for the log-ins at my financial institutions, hotel and airline mileage/point programs and other websites where someone who cracked the password could drain my account.

I'm sure my passwords could still be hacked but they're going to have to work one hell of a lot longer to do so.
Cholula is offline  
Old Nov 23, 2009 | 4:54 pm
  #40  
FlyerTalk Evangelist
 
Join Date: Mar 2008
Location: ACT/GRK/DAL/ABI/MIA/FLL
Programs: OMNIArchist, OMNIArchy!, OMNIIDGAS
Posts: 23,478
MD5 with SALT is useless, it is NOT a one way hash and can easily be defeated, as it has on other vB powered sites of major size, if you want details, ASK. I am a member of another site that had similar things happen (not an Internet Brands owned site), they tried to cover it up as well. In the end they ate some humble pie, told the real facts, and secured their systems and firewalls again from the start with more security in mind. In addition they use a proxyshield at times when DDOS attacks and brute force attempts happen that aid in loading the site for the legit users.

The hackers responded by posting DB dumps of email addresses, passwords, and other sensitive info on rapidshare and other sites, not once but THREE times over two weeks. (updated to latest passwords and info each time)

They too had MD5 with salt, but it is outdated and not a secure means anymore. You are giving a false sense of security in this reply.
Steph3n is offline  
Old Nov 23, 2009 | 5:19 pm
  #41  
FlyerTalk Evangelist
 
Join Date: Oct 2006
Location: Marriott or Hilton hot tub with a big drink <glub> Beverage: To-Go Bag DYKWIA:SSSS /rolleyes ☈ Date Night:Costco
Programs: Sea Shell Lounge Platinum, TSA Pre✓ Refusnik Diamond, PWP Gold, FT subset of the subset
Posts: 12,523
Originally Posted by colonius
Everybody with a short password (less than eight characters) should be aware that a brute force attack will uncover it in a few hours (total time for yours and any other similar weak password in the system). Since it is a brute force attack, even a password like "gHj87Q" offers no protection. Also, dictionary attacks can be quite successful - how many of you have a common English word or name as a password? Those take minutes.
I've never used words or phrases, just a series of random letters and numbers for website passwords. This may sound like a pain to manage, but there are a number of utilities that can organize passwords securely. I've been using PasswordsPlus for several years now, but there are some free ones out there as well, such as a plugin for Firefox I believe.
N965VJ is offline  
Old Nov 23, 2009 | 5:45 pm
  #42  
FlyerTalk Evangelist
 
Join Date: Mar 2008
Location: ACT/GRK/DAL/ABI/MIA/FLL
Programs: OMNIArchist, OMNIArchy!, OMNIIDGAS
Posts: 23,478
Originally Posted by N965VJ
I've never used words or phrases, just a series of random letters and numbers for website passwords. This may sound like a pain to manage, but there are a number of utilities that can organize passwords securely. I've been using PasswordsPlus for several years now, but there are some free ones out there as well, such as a plugin for Firefox I believe.
Keepass is among the best, and has a random password generator with a degree of difficulty meter too (in bits)
Steph3n is offline  
Old Nov 23, 2009 | 5:50 pm
  #43  
All eyes on you!
 
Join Date: Jul 2002
Location: Victoria, BC
Programs: UA 1k, AA Exec Plt 2MM, HH Diamond, *wood Gold, disgruntled Amex Ex-Centurion
Posts: 594
Originally Posted by N965VJ
I’ve never used words or phrases, just a series of random letters and numbers for website passwords. This may sound like a pain to manage, but there are a number of utilities that can organize passwords securely. I’ve been using PasswordsPlus for several years now, but there are some free ones out there as well, such as a plugin for Firefox I believe.
Very safe, as long as the length of the password is sufficient. The bare minimum should be 8 characters, 10 characters is a lot better.
colonius is offline  
Old Nov 23, 2009 | 6:11 pm
  #44  
All eyes on you!
 
Join Date: Jul 2002
Location: Victoria, BC
Programs: UA 1k, AA Exec Plt 2MM, HH Diamond, *wood Gold, disgruntled Amex Ex-Centurion
Posts: 594
Originally Posted by Steph3n
MD5 with SALT is useless, it is NOT a one way hash and can easily be defeated
I know I may be nitpicking here. MD5 is a one-way hash algorithm in the way that it is not possible to reconstruct the original message (i.e. password) from the hash value.

But, as I pointed out earlier, that is not necessary for a successful attack. Once the password-file (which has salted hash values, not cleartext) is obtained, using brute force will turn up every password of 6 characters or less in a few hours. Dictionary attacks will reveal most passwords that are common names or everyday words.

MD5 specific attacks will compromise many secure passwords by finding a different message that, when salted, will generate the same hash as the unknown password - thus potentially compromising all/most passwords.

Originally Posted by Steph3n
as it has on other vB powered sites of major size, if you want details, ASK. I am a member of another site that had similar things happen (not an Internet Brands owned site), they tried to cover it up as well. In the end they ate some humble pie, told the real facts, and secured their systems and firewalls again from the start with more security in mind. In addition they use a proxyshield at times when DDOS attacks and brute force attempts happen that aid in loading the site for the legit users.

The hackers responded by posting DB dumps of email addresses, passwords, and other sensitive info on rapidshare and other sites, not once but THREE times over two weeks. (updated to latest passwords and info each time)
That would indicate to me that more is wrong than just the salted password hashes being compromised once. It would indicate a system that is still compromised. If malicious code of some kind "listens" in to new passwords as they are entered, all salting and hashing is futile.

Also, vulnerabilities might exist in the vB software that promote security breaches - but that is just idle speculation, as I don't know the software.

Originally Posted by Steph3n
They too had MD5 with salt, but it is outdated and not a secure means anymore. You are giving a false sense of security in this reply.
Yes, as I pointed out as well. Too many corporations still lack a capable security administrator. Pointing out security of their system by quoting MD5 shows a lack of understanding, unfortunately.
colonius is offline  
Old Nov 23, 2009 | 6:14 pm
  #45  
A FlyerTalk Posting Legend
 
Join Date: Jul 2003
Location: NYC (formerly BOS/DCA)
Programs: UA 1K, IC RA
Posts: 60,745
Sigh. IB. So worthless.
magiciansampras is offline  