GOMTV.net compromised - Page 15

On August 13 2011 05:17 R1CH wrote:

Not if you balance the iterations properly. A few hundred ms extra on the login isn't noticeable by most people and is plenty enough to defeat brute force attacks.

On August 13 2011 05:51 DiamondTear wrote:
Changed GOM password, got not confirmation email (hotmail), can't log in.

On August 13 2011 05:39 vyyye wrote:

And I thought Login : Password was the dumbest login/pass combo, holy shit.

On August 13 2011 05:51 slicknav wrote:
this should really be put on the front page of TL somewhere. This is kinda serious if personal information has been compromised.

On August 13 2011 05:53 EndOfTime88 wrote:


I'm having the same problem right now.

On August 13 2011 05:41 R1CH wrote:

Most systems store the algorithm and settings with the password hash and salt. For example, if your password hash is $2a$10$WyJ.NSYEmLixexXspQyoEOVYGK55cDjQd2cZedBN4t9.., the 2a identifies the algorithm (blowfish) and the 10 identifies the iterations (2^10). So if suddenly PCs become 100x faster I can just increase the 10 in our config and all new passwords become more secure, and old passwords are upgraded on successful logon.

I don’t understand the check_password function, why don’t you compare with the
stored hash in the BBDD? Something like this:
function check_password(password, nickname) {
//get user from nickname user = User.objects.get(nickname=nickname)
return user.hash_stored == hash(password)
Btw in your function check_password I suppose that in order to calculate again the
hash I’d have to do it with the cost parameter, something like this:
// this will be used to compare a password against a hash
public static function check_password($hash, $password) {
$new_hash = hash($password);
return ($hash == $new_hash);

On August 13 2011 03:14 R1CH wrote:
There's a post on reddit that suggests that GOMTV has been compromised. I have independently verified that at least some usernames, passwords and email addresses have been compromised.

There appears to be zero security on the passwords as they were stored in plain text (really GOM?). This means if you use your GomTV password anywhere else, you should change it and consider it compromised. To clarify, your GomTV.net username, email address, PayPal real name and your GomTV.net password are likely compromised. Personal information such as your address may be compromised too if it was stored. You should also change your GomTV password to prevent unauthorized account access, although the exploit through which the information was compromised may still exist.

Since payments are processed through PayPal, there is no risk of your financial information being compromised, unless you used your PayPal password when signing up for GomTV (don't do this). Users who logged in via SNS should be safe as Twitter / Facebook authentication is token based, not password based.

If you aren't already, you should really use unique passwords for each website since this happens more often than you think (ever hear someone say they were "hacked"? this is likely how it happens) and not all websites will disclose if they get compromised. Use http://keepass.info/ for password management.

On August 13 2011 03:18 radim wrote:

are you serious? oh my god :x