Technetium wrote: HellnoRO wrote: You still haven't addressed the hashing issue.
I assume you're gonna immediately switch to a different algorithm, like bcrypt and not use the old and insecure md5, right?
That, I think, is one of the things they're trying to figure out how to do, since they don't have the plaintext passwords available to convert.
Yeah, that they were going to find a new method of coding the passwords was something stated in the original post. Like right there at the end...
Achilles wrote: We are making plans to replace phpbb with a more secure forum such as vanilla and moving to a more secure hashing algorithm. Since we didn't store plaintext passwords, we can't easily update everyone's hashes to a new algorithm, but we are investigating our options.
(Bolding is mine to draw attention to important parts.)
Sucks that this happened, but hackers are relentless and will try to crack everything - even more secure stuff.
Should the hashing algorithm have been one so easily cracked? No. That's a fail on BMG's part.
I respect the fact that they've kept the community fairly updated from the moment they noticed what was happening. Some companies don't do that and some don't even tell their users about breaches.
I echo the sentiment that the login screen needs a notice posted to it, and also that every account needs to have its password reset at next login.