I'll answer some of what was said:
It doesn't really matter what password you use. Brute forcing MD5 passwords is easy. There are only 128^2 possible "values" for a MD5 password. Especially if there is no "automatic account lockout" after X failed attempts.
We're talking about two different things here. First is brute forcing the login of the site and that isn't related to the md5 password hashes (you can't use the hash as the password). You either know what the original string was or you don't.
There is nothing currently in place on -this- forum that limits login attempts but that capability is built into the new forum software (the default setting being 5 attempts). This should be coming very soon.
If the only "protection" you use is MD5 hashing of passwords, you don't have any security. If you are going to limit security of accounts to MD5 hashing, that is the same as no security at all.
It's quite pointless to really do anything unless you change the hashing algorithm to something far more complex like a 256 or 512 hash, and implement failed attempts lockout even if its just temporary but log it.
If you don't, there really isn't any point in doing anything because MD5 hashing has been cracked for a long time. there are numerous even web sites that can reverse-hash a MD5. we use them at least once a week at work.
To clarify for everyone concerned, md5 has not been "cracked". There is no inherent way to
reverse your password to it's original value programmatically speaking. There are however two reasons why md5 is not as 'secure' as it should be.
1. The first reason is that over time databases/sites have been built that contain the "pre-hash" value of passwords as well as the "post-hash" value. So if your password is "password" the md5 for that is "5f4dcc3b5aa765d61d8327deb882cf99", it is easy to look up the md5 hash and see what the original value was. Simple one word/short passwords, common phrases and etc are likely available on the internet.
2. The second reason why md5 is generally considered insecure is that certain "collisions" exist. This means that it's possible for more than one "original value" to potentially create the same md5 as your password does.
While collisions do exist, it is still quite unlikely that someone is going to find a collision value for
your password any time soon. Certainly anyone with the capability or resources to do so has better things to do than hack NMA.
****
For those who want to know more about the attacker, his attack seems to have been completely random and likely the result of a script that reaches out and looks for old exploits in the phpbb2 software using Google or some other engine. This was in no way a co-ordinated or focused effort for the individual responsible. As I said before, we aren't a particular 'juicy' target, but we were the low hanging fruit.
The next iteration of the forum has a much more robust security set. In the meantime, I am trying to patch whatever holes I can find on this sinking ship.
We could go through the dev effort to overhaul how passwords are stored/hashed but the energy would be better spent moving us over to vBulletin as soon as possible.
It is still advisable that you change your password to something secure.
