
Question

I am a staff member of a large fanfic site, but not the head administrator with control over the site itself.

Recently, we had a security breach and the databases were copied, which included the users' usernames, emails, and password hashes. We put a notice on the front page telling people that we were hacked and that they should change their passwords anywhere else where they use the same password.

However, during a staff meeting, we had a chance to look at the backend structure. Turns out everything was MD5, with the same salt for every user.

I have been trying to convince the rest of the team that this is a very bad situation. I do not think they understand how easy it is for someone to break most of those passwords in a short amount of time despite everything I have done to explain the basics of salting and why MD5 is too fast to be good password security (I've been recommending bcrypt). If compromised users are using the same passwords on other sites, they are at risk of being compromised there, as well.

But most importantly, I've been imploring them to email the users, because simply posting a quick notice on the front page is not going to reach everyone. Their main counterarguments:

1. We have limited ability to send out that many emails from our server, so reaching everyone is not feasible. (I then recommended Mailchimp, but I was told this was "too expensive" and that I am asking them to do "more than the big companies would do, who have more resources".)

2. If someone's password is weak enough to be cracked that quickly, there is no point in emailing them because the attacker would have compromised them already by now.

3. Our main focus is patching up security going forward, not worrying about the past.

I've been trying to counter these arguments because I think they are not responsible or justified excuses, but I appear to be failing. It seems like a huge risk to have an information leak like this when security was this poor, and then not properly inform your users (directly via email) that they need to change their passwords. Putting up a notice on the main page or relying on word of mouth, to me, is not nearly enough and won't necessarily reach inactive users who still have accounts on the site (which are many, if not most).

Am I overreacting? Am I expecting too much from them? Is it unreasonable for me to expect them to email everyone? Am I overestimating the severity of the situation?

What more can I do or say in this situation?

Explanation / Answer

You're not overreacting at all. It's COMPLETELY irresponsible to refuse to do anything more. Even if a user is inactive, they need their account to be secure.

Your boss clearly doesn't understand the severity of this situation. With unsalted MD5, most passwords are already stored in a rainbow table along with the matching hashes. You can, right now, Google an MD5 hash and find the matching password.

If you have password reset functionality through email, why not require users to change their password next time they log in? Then, anyone who tries to use a compromised account will need the user's email account to prove they are the ones changing the password. Since you already have hashes of passwords and you may not be able to get the original, requiring users to change their password is probably the best solution as you can just create new bcrypt hashes.

If the majority of your users are inactive, this is a great solution as you will not have to send out hundreds of thousands of emails in one day. You can send them out over time.

If you don't want to have to worry about this holding you back in the future, notify users after a certain amount of inactivity (maybe 1 year) that they have to change their password or their account will be deleted. You can spread this out over time rather than doing it all on the day exactly one year from now; instead, spread it out over a month or so.
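As an added example (not part of the original question or answer), this is one way to carry out the answer's plan in code: keep verifying the legacy shared-salt MD5 hashes, rehash each account with a per-user random salt and a slow KDF the moment it logs in, and flag it so the user must choose a new password that the leaked dump does not contain. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so it runs without third-party packages; the salt value, the salt-then-password order and the `shared_salt_duplicates` audit helper are assumptions, not the site's real scheme.

```python
import hashlib
import hmac
import os

# Constructed legacy scheme, as the question describes it: MD5 with one site-wide
# salt for every user. The salt value and salt-then-password order are assumptions.
LEGACY_SITE_SALT = b"constructed-shared-salt"
PBKDF2_ITERATIONS = 300_000  # slow on purpose; bcrypt/scrypt would serve the same role


def legacy_md5_hash(password: str) -> str:
    """The weak scheme: same salt everywhere, so equal passwords give equal hashes."""
    return hashlib.md5(LEGACY_SITE_SALT + password.encode()).hexdigest()


def shared_salt_duplicates(records: list) -> dict:
    """Audit check: group legacy accounts by hash. With a shared salt, every account
    using the same password shares one hash, so one cracked hash opens all of them."""
    groups = {}
    for r in records:
        if r["scheme"] == "legacy_md5":
            groups.setdefault(r["hash"], []).append(r["user"])
    return {h: users for h, users in groups.items() if len(users) > 1}


def make_modern_hash(password: str) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 standing in for bcrypt)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_modern_hash(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(record: dict, password: str) -> bool:
    """Verify the password. A legacy account that authenticates is rehashed on the spot
    and flagged must_reset: its current password sits in the leaked dump, so the user
    has to pick a new one (the answer's "change password at next login")."""
    if record["scheme"] == "legacy_md5":
        if not hmac.compare_digest(legacy_md5_hash(password), record["hash"]):
            return False
        record.update(scheme="pbkdf2_sha256", hash=make_modern_hash(password), must_reset=True)
        return True
    return verify_modern_hash(password, record["hash"])


def set_new_password(record: dict, new_password: str) -> None:
    """Completes the forced reset; the new password never touches MD5."""
    record.update(scheme="pbkdf2_sha256", hash=make_modern_hash(new_password), must_reset=False)
```

Running `shared_salt_duplicates` over the existing table before migration also gives the team a concrete number of accounts that fall together the moment any one of their hashes is cracked.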