Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[JimH]

Because two of our outside servers were just compromised, we are urging you to change your password for the forum.  It's very possible that your password was already available before our break-in.

About a year ago, news stories reported the availability of a database of stolen passwords.  Here's one of the stories:

https://www.cnet.com/how-to/find-out-if-your-passwords-been-hacked/

That site links to this one, where the password database is available for you to check yours:

https://haveibeenpwned.com/

These passwords were stolen when some very large sites (Twitter) were compromised.

[Alex M]

I checked a couple dozen email addresses from different domains. Not a single compromised one. I was just lucky?)

[JimH]

They provide some of the names that were compromised.  They include Linkedin, Adobe, etc.  If you didn't have accounts there, you may not have been affected.

[Spike1000]

All passwords were encrypted, right?

Sorry to hear you've been hacked. We all need to raise the bar when it comes to cyber security. It must be top of your list when it comes to anything that involves the internet. I suspect it will be now as breaches are always very costly.

There's much more to it than just 'encrypted'. It has to be salted and hashed. A very high percentage of hashed passwords can be *discovered very easily. If poor salting practice is used (eg salt re-use) passwords can still be discovered. (the system has been hacked so if the same salt has been used it is safe to assume the hackers know it). The best defence is to use LONG and RANDOM salts with robust and modern hashing algorithms. Hopefully JR will confirm that is the case.

Please force a global password re-set now.

In the mean time people should change their own passwords.

It might be worth visiting Troy Hunt's website https://haveibeenpwned.com/

If you're suspicious of the URL (it doesn't have the best name) just google around and read into it and then click on a link you trust. Here's the wiki page for example https://en.wikipedia.org/wiki/Have_I_Been_Pwned%3F

"Have I Been Pwned? (HIBP) is a website that allows internet users to check if their personal data has been compromised by data breaches. The service collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps. The site has been widely touted as a valuable resource for internet users wishing to protect their own security and privacy.[2][3] Have I Been Pwned? was created by security expert Troy Hunt on 4 December 2013. "


Note: I say discovered not decrypted, think dictionary, rainbow table or algorithm (and dictionary) attack.

Spike

[Hilton]

Also just like to mention - I'm Global Head of IT for a company and have just instigated a new password policy this week based on NIST new recommendations and everyone here should consider it not just for Interact, but everywhere you use a password.

Here's some things to consider.

1.
Use a 4 to 5 word passphrase (or more words if the site supports more and you feel inclined)
This means using any 4 or 5 words in a combination that makes sense to you and only you..  You could pick 5 things out of your office, lounge room, kitchen, work and mix with other random words that would only make sense to you.

Word association is far easier to remember and faster to type than a random 8 alphanumeric password with uppercase and special characters.  Longer easier to remember passphrase passwords are also harder for hackers to hack or guess. Though you still should sprinkle some special characters through the passphrase to help prevent a dictionary attack.

example ( and no I don't use this password)
Brown!GlassFried#M3up 

2.
Don't use the same password for multiple systems.

3.
Only change your password if you suspect it's compromised or once a year

4.
Dont use variations of the same password


5.
password managers are ok - but they can be compromised too, make sure you research before you choose one - (highly recommended you get one and ditch the browser auto-complete)

[RD James]

Everyone should be using a password manager these days, so that they do not re-use passwords anywhere.
I recommend 1Password if you have iOS devices, and it has a great family subscription too - so I can help manage passwords for other people via shared vaults.
One of the useful features that 1Password has is that it automatically checks all logins against a database of compromised websites and passwords, tells you when sites you are using support two factor authentication but do not have it enabled, and warns of things like duplicate passwords.

[mwillems]

Everyone should be using a password manager these days, so that they do not re-use passwords anywhere.
I recommend 1Password if you have iOS devices, and it has a great family subscription too - so I can help manage passwords for other people via shared vaults.
One of the useful features that 1Password has is that it automatically checks all logins against a database of compromised websites and passwords, tells you when sites you are using support two factor authentication but do not have it enabled, and warns of things like duplicate passwords.

I can also personally recommend Keepass.  It's a free, cross-platform, self-hosted password manager that's open-source.  It's slightly less convenient than the commercial services, but has a good app ecosystem and good browser add-ons, and you don't have to trust anyone else with your password database. The only part you need to manage on your end is the file sync part, which can be automated with a little elbow grease. 

If you're looking for an all-in-one turnkey solution 1Password is one of the better ones though.

[greynolds]

LastPass is another excellent password manager, with features that seem to be very similar to what 1Password offers.  I've been using LastPass for a few years now and have been very happy with it.

Once you start using a password manager, it can be eye opening to see how many places you may have been using the same password simply because it's too difficult to remember a million different passwords.  The managers have tools to let you know where you have duplicates and to generate new unique passwords using a variety of options, such as making the password "readable" (using words rather than random sequences of letters, numbers, and symbols), or choosing specific lengths and sets of characters to comply with the various rules that different sites use.

I checked my primary email address against the pwned site and found that it came up for a few things (Adobe, MySpace, Trillian, and TheTVDB).  I hadn't even used MySpace or Trillian for many years, but reset my passwords just in case.  I had known about Adobe and changed that password previously (IIRC, Adobe forced password resets).  I also reset my TheTVDB password.

[Awesome Donkey]

In addition, I'd also recommend if the website/service supports two-factor authentication, enable it and use it.

Otherwise I used to use LastPass until LogMeIn bought them. I then switched to bitwarden, which is an up and coming open-source password manager that I'd also recommend. Like the others it also checks a database against compromised logins for websites. In addition, you can also self-host bitwarden (and avoid using their servers for the encrypted database) using Docker, which actually works pretty well.

[JohnT]

There's much more to it than just 'encrypted'. It has to be salted and hashed. A very high percentage of hashed passwords can be *discovered very easily. If poor salting practice is used (eg salt re-use) passwords can still be discovered. (the system has been hacked so if the same salt has been used it is safe to assume the hackers know it). The best defence is to use LONG and RANDOM salts with robust and modern hashing algorithms. Hopefully JR will confirm that is the case.

Yes, we do use long random individual salt values for passwords.

[Spike1000]

Yes, we do use long random individual salt values for passwords.

Excellent!!! If only every developer was as diligent!

Spike

[RoderickGI]

Well, at least this forced me to use LastPass better and change a bunch of passwords. Thanks JRiver! 

Otherwise I used to use LastPass until LogMeIn bought them.

What was the concern with LogMeIn buying LastPass, which prompted your change?

[danhardison]

Just to be clear, does this explain why I'm getting an error saying my trial version has expired (when I have a valid license), and when I try to restore my license it is failing?

I can't use MC24. Don't tell me I have to resort to other means of playing music!!  ;-)

[JimH]

We hope to have a solution very soon, but for now, there is none.

[Awesome Donkey]

What was the concern with LogMeIn buying LastPass, which prompted your change?

I don't trust LogMeIn. LogMeIn has a bad reputation, especially saying something is going to be free 'forever' only to change their mind and discontinue it a couple years later. It'll only be a matter of time before they do the same with LastPass, IMO.

[greynolds]

I don't trust LogMeIn. LogMeIn has a bad reputation, especially saying something is going to be free 'forever' only to change their mind and discontinue it a couple years later. It'll only be a matter of time before they do the same with LastPass, IMO.

I've run into the free for a while, then not free situation with a number of companies over the years.  With LastPass, I initially tried it out with the free version and then upgraded to the Premium version, so my only concern would be if the price went up substantially.  I've got no problem paying a reasonable amount of money for something like LastPass.  Just like JRiver, their employees need to live somewhere, buy food, and so on.  So at roughly $25 per year, it's not a big deal; that's less than the cost of a large cup of coffee once a month.  As long as their competitor's pricing stays about the same, I doubt their prices will rise substantially.  I haven't tried the other password managers, but I've been very happy with LastPass.

[Hendrik]

Personally I don't trust those "cloud" password managers. They often claim that its encrypted and they couldn't even read it if they wanted to without a key only I know, but you know how such things go.
Thats why I use KeePass with a local encrypted database that I sync over to my phone as well.

[RoderickGI]

Thanks for the clarification AD. I don't know much about LogMeIn. It isn't a bad model to have a money making business own a free product, because the money making product pays the bills while the free product advertises the company. But the trust issue is important.

I also used to have only a local database of passwords Hendrik, using "Web Confidential" on a Palm Pilot III !  However as the Palm's usefulness dropped I backed up the database less often, and eventually only used it for password management. Then the inevitable happened as the thing only ran on AAA batteries; the batteries died. My backup was way out of date. While I recovered most important stuff, I had some software licence keys that were only listed in the Palm. Gone. Bugger.

So while I am a bit uncomfortable with the risk of having passwords in the cloud, because the consequences of a breach would be very bad, especially if not reported immediately, I enjoy the 100% automatic backup, synchronisation and availability of my passwords across multiple platforms. The only thing that assuages my discomfort is knowing that if LastPass had a breach I wouldn't be alone so the risk of my data being used before I could change it is low, legal action would be likely in America, and they would be instantly out of business. So they have the motivation to protect my data.

I would like to say this is a risk I am willing to take, but I'm not really. I'm just hopeful.

[mwillems]

Personally I don't trust those "cloud" password managers. They often claim that its encrypted and they couldn't even read it if they wanted to without a key only I know, but you know how such things go.
Thats why I use KeePass with a local encrypted database that I sync over to my phone as well.

Exactly my setup.  There are even some benefits; at this point the open source browser plugins for keepass work better than the lastpass browser plugin does.

So while I am a bit uncomfortable with the risk of having passwords in the cloud, because the consequences of a breach would be very bad, especially if not reported immediately, I enjoy the 100% automatic backup, synchronisation and availability of my passwords across multiple platforms. The only thing that assuages my discomfort is knowing that if LastPass had a breach I wouldn't be alone so the risk of my data being used before I could change it is low, legal action would be likely in America, and they would be instantly out of business. So they have the motivation to protect my data.

If you ever decide to make the switch to something like keepass there are android apps that will automate the syncing process for you (if you have a NAS the FOSS keepass2android app itself can do direct syncing with certain protocols, otherwise something like foldersync could bridge the gap with a normal PC using smb shares).  Takes a few minutes to setup, but after that its fire and forget.  K2A even supports dropbox or google drive, but if you go that route you should keep a local-only keyfile.

[Scobie]

i was considering Dashlane, has anyone had any experience with that or just another cloud password service...?

[greynolds]

If you ever decide to make the switch to something like keepass there are android apps that will automate the syncing process for you (if you have a NAS the FOSS keepass2android app itself can do direct syncing with certain protocols, otherwise something like foldersync could bridge the gap with a normal PC using smb shares).  Takes a few minutes to setup, but after that its fire and forget.  K2A even supports dropbox or google drive, but if you go that route you should keep a local-only keyfile.

This is presumably obvious, but if one is going to use something like Dropbox or Google Drive, you're kind of defeating the point of not using the cloud.  I'm comfortable enough with how Lastpass handles the encryption to put up with the potential minor risk for the extra convenience of the syncing and such just working.  At some point, each of us has to decide that the risk is low enough that we're comfortable with what we pick.

[mwillems]

This is presumably obvious, but if one is going to use something like Dropbox or Google Drive, you're kind of defeating the point of not using the cloud.  I'm comfortable enough with how Lastpass handles the encryption to put up with the potential minor risk for the extra convenience of the syncing and such just working.  At some point, each of us has to decide that the risk is low enough that we're comfortable with what we pick.

I partly agree, which was why I didn't recommend that route first, but it's very misleading to say it's defeating the point because the two scenarios are not equivalently secure.

If you use a keyfile with keepass and sync your password database with dropbox (I specifically mentioned using a keyfile in that case), it actually has significant security advantages over using a cloud-based password manager.  Setting aside the issue of trusting someone else to actually keep your data safely encrypted (let's assume you can trust Lastpass to not deliberately do anything wrong), you can access your lastpass database through their website (or at least one could when I used the service).  That means all someone needs is your password to access the database.  So even if Lastpass is doing everything right in their client and plugins (which we're assuming, but in real life is still an "if"), someone who breaches their servers (which has happened once, although it's not clear if they got password databases) just needs to figure out the password. 

If you use a separate keyfile with Keepass that you keep locally, and then put your database on Dropbox, someone who breaches your Dropbox cannot usefully breach the database because they lack both the decryption key *and* your password.  Even if they knew your password, it would do them no good without the keyfile.  The keyfile needs to only be made and sent to your devices once, only the database needs to be synced regularly, so you can keep the keyfile local-only and get some of that cloud convenience with very little loss of security.  Keepass also does all the encryption locally, so Dropbox doesn't even have the chance to see your unencrypted data.

That said I still do all my file syncing myself, because, as you suggest, any external cloud involvement is more than I'd like.  I don't recommend Dropbox or Google drive for hosting your own password database, but they can be used in a way that has security advantages over a pure cloud solution.

[RD James]

For what it's worth, 1Password gives you a private URL, and requires both a password and private key to access your data via the web (the latter of which is not stored anywhere).
Of course you have to trust what they're telling you, but 1Password have been very open about how they do things, and are always taking proactive steps to improve their security.
I still don't trust it with something like bank account details, but when I do so much via my phone and other devices now, and have finally managed to get my other family members to use it (which will be even easier in iOS 12) I couldn't be without a cloud-based solution. Syncing via other services like Dropbox proved to be nothing but a hassle in my experience.

[mattkhan]

@mwillems perhaps I missed it but how do you actually do your syncing?

[mwillems]

@mwillems perhaps I missed it but how do you actually do your syncing?

The best android client for keepass (Keepass2Android) allows a few remote sync options directly from the app.  I host a private nextcloud instance (for a lot of different applications), and currently I have Keepass2Android setup to just pull/push the database directly over https via webdav.  I deliberately never sync the keyfile.  K2A can also pull from a remote server directly via sftp, which I also did for a while.  Since I started using the built-in tools in K2A it's been entirely frictionless; it refreshes the database whenever I open it, and if I change it on my phone it gets synced back immediately.  All my computers are already using my nextcloud instance for file sync so they take care of themselves.  The setup was a pain for me, but now that it is setup, my non-technical family members can use keepass as though it were lastpass and its frictionless for them.

Prior to getting my self-hosted setup going, the way I used to do it was putting the password db on a samba/CIFS share on my NAS, and then using the android app FolderSync to keep it in sync.  The only issue with that was that it would only sync when I was on my home wifi, which was fine for me as I don't make lots of changes to the database when away from home anyway, but if you did make lots of changes on multiple devices when away from home, one would need to be alert to the possibility of sync conflicts in that context.

[mattkhan]

I host a private nextcloud instance (for a lot of different applications)

thanks for the detail. If you're considering running your own vs using an external cloud, doesn't it ultimately reduce to whose cloud is more secure?

[mwillems]

thanks for the detail. If you're considering running your own vs using an external could, doesn't it ultimately reduce to whose cloud is more secure?

Whose is more secure, and who you trust to look after your interests.  There are certainly risks to self-hosting, no denying it.  One important thing I didn't realize immediately is that when you're running a private cloud the threat model is very different because you're not providing services to the public, so you can take very strong security measures that would be completely impossible/impractical for a public cloud.  For example, you can have an IP whitelist (so only pre-approved addresses can connect), or require user certificate authentication, or require everyone to connect via vpn, etc.  Any of those things reduce your exposure to a similar level of exposure to what you'd have hosting something on your LAN, but those methods couldn't be leveraged by a widely used service because they require knowing all your users in advance and potentially distributing credentials to them.  And those are just examples, there's a significant number of less intense and fairly simple things one can do to reduce your exposure when self-hosting, but it's is not for the faint of heart.

I certainly don't have the security chops that the big players have (not by a mile), but I have a much easier job than they do: I'm serving three or four people that I know personally and can hand out credentials via "sneakernet" (aka hand delivery) if I need to.

So It's certainly not for everybody, and there's some risk to it (which is why I still keep my keyfiles local and encrypt sensitive documents locally before syncing them up).  Though it's worth noting that everyone here who is port forwarding to MC is already hosting an internet accessible server for good or ill.

[Blueshound24]

I have used RoboForm for many years without any issues. I love having a password manager and would not be without one.

[LDF]

I reviewed the entire discussion.... it is diverged into a discussion of different password managers.   What I need to know is where, on the JRiver site, can I actually change my passwords?  I did purchase Media Center Ver 22 back in 2016 via your online store.  My lastpass has the password I used at that time. I purchased MC 23 and MC24 also and have those passwords in LastPass.  I can't find where to modify the passwords for the online store.   I also have a password for your support community ....  and I did find where to modify that one (profile -> account settings -> modify profile).  Would appreciate some help.

[JimH]

Visit the Restore Page to change your password for your license.

[RD James]

Visit the Restore Page to change your password for your license.

I'm only seeing the option to change my email address, not the password on this page: https://rover.jriver.com/cgi-bin/restore.cgi

[joshhuggins]

I'm only seeing the option to change my email address, not the password on this page: https://rover.jriver.com/cgi-bin/restore.cgi

Same here. Any instructions on the steps to use? Sorry you guys have such a mess, best of luck getting it all fixed up.

[mattkhan]

I certainly don't have the security chops that the big players have (not by a mile), but I have a much easier job than they do: I'm serving three or four people that I know personally and can hand out credentials via "sneakernet" (aka hand delivery) if I need to.

fair point. I think downtime (i.e. support/maintenance work) is probably the thing that puts me off doing this myself. I use openvpn to connect back home myself but exposing that to family seems like asking for trouble, particularly if it becomes the host for a genuinely critical service. It's bad enough when the media player is down after all

[LDF]

My copy of JRiver MC24 is working fine, I don't need to restore the license.  That page does not have anywhere to click to change my password for my current license.   Would appreciate more info on how to change my password on my current license. This is the page I checked.... https://rover.jriver.com/cgi-bin/restore.cgi

[nwboater]

i was considering Dashlane, has anyone had any experience with that or just another cloud password service...?

I've used Dashlane for a few years. I'm not aware of any problems with it and do find it very convenient, especially with multiple PC's and devices.

Cheers,
Rod

[joshhuggins]

I had tried Lastpass but it just didn't pick up enough of my apps. I had just heard 1Password recommended just a few days before this breach and decided it was time to give a password app a go and I have been really happy with it. Took a bit to figure out the order of operations a bit in how to use it and configure it for my tastes, but once I figured out the thinking, it's been working great! Just about done switching all of my accounts over to new unique long random passwords. The Windows and Android apps and Firefox extension works great.

Still no word on how we are supposed to proceed in changing our registration passwords? Looks like still working being done looking at other posts, should we just sit tight a little longer?

[Screwdriver]

I use LastPass and set two level authentication when available. I also change my passwords every 90 days.

Also I have a few hosted dedi servers and use private key files for login, no root or admin login etc. I get attempts all the time, but have yet to have a breech. One server is running Wordpress and I have renamed and moved known directories and set strict rules for "accidental" logins, direct path attempts etc.

[joshhuggins]

Still no word on how we are supposed to proceed in changing our registration passwords? Looks like still working being done looking at other posts, should we just sit tight a little longer?

See RoderickGI's helpful response in this post. We should be good to go as is.

[RD James]

See RoderickGI's helpful response in this post. We should be good to go as is.

I don't think "it's probably not a big deal for JRiver support to fix if someone changes the address your key is licensed to" is much of a solution vs letting us change the password.

[JimH]

I don't think "it's probably not a big deal for JRiver support to fix if someone changes the address your key is licensed to" is much of a solution vs letting us change the password.

The passwords were probably not lost.  The encryption method used to protect the password file is believed to be uncrackable.

We do plan to make additional changes.  We'll talk about them when we get there.

[Maxpower]

I've run into the free for a while, then not free situation with a number of companies over the years.  With LastPass, I initially tried it out with the free version and then upgraded to the Premium version, so my only concern would be if the price went up substantially.  I've got no problem paying a reasonable amount of money for something like LastPass.  Just like JRiver, their employees need to live somewhere, buy food, and so on.  So at roughly $25 per year, it's not a big deal; that's less than the cost of a large cup of coffee once a month.  As long as their competitor's pricing stays about the same, I doubt their prices will rise substantially.  I haven't tried the other password managers, but I've been very happy with LastPass.

Yep, couldn't agree more. Highly recommend LastPass.  They also got hacked. However their response was the best I've seen in the industry so I was happy to stick with them. Their blow-by-blow account of the suspected hack is also fascinating reading.

[Awesome Donkey]

Multiple password managers have been compromised in the past, but as far as I know the hackers couldn't decrypt any user's logins since the password managers don't save master passwords server-side and the password databases are encrypted with a master password (among some other stuff). So the hackers could at most only get the encrypted password databases of users, which they really can't do anything with.

Moral of the story? Always have very secure/complex master passwords.

[Shallel]

Thanks for the good information and proactive response to the breach, but your servers are really, really painfully slow now as of Sept 29. Also your site is hitting my processors ridiculously hard.

[~OHM~]

Thanks for the good information and proactive response to the breach, but your servers are really, really painfully slow now as of Sept 29. Also your site is hitting my processors ridiculously hard.

It must be on your end....I'm zipping so fast here I can't keep up!

[JimH]

Thanks for the good information and proactive response to the breach, but your servers are really, really painfully slow now as of Sept 29. Also your site is hitting my processors ridiculously hard.

Which server are you having trouble with?