Author Topic: Unable to log in - Password reset not working  (Read 14034 times)

Offline login9

  • Newbie
  • *
  • Posts: 6
Unable to log in - Password reset not working
« on: May 29, 2020, 12:38:20 PM »
Hi. After several attempts to log in and failing, I've resorted to creating a temporary account to resolve my and my partner's accounts.
When I try to log in I keep getting the message "we've upgraded our security" etc. I've tried resetting my password; my secret answer is wrong but I know it's not. I've asked for the email reset but I don't receive an email. Has my account been hacked? Thanks, stuartm. PS: I don't know what will happen to this account if I log out.
« Last Edit: May 29, 2020, 06:41:21 PM by EricJH »

Offline Dharshu

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 925
Re: unable to login
« Reply #1 on: May 29, 2020, 01:08:09 PM »
Hello login9,

There is some issue with mail receiving and our teams are working on it. It will be fixed soon.
Sorry for the inconvenience.

Kind Regards,
PD

Online EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26534
Re: unable to login
« Reply #2 on: May 29, 2020, 01:40:42 PM »
All forum members received a password reset. However, when using the option to receive an email with a link to reset the password, that email may not arrive. This has been reported to Comodo and, as Dharshu states, Comodo is looking into this.

We believe the password reset was issued because of a breach reported here on Twitter: https://twitter.com/underthebreach/status/1265627032228167681 . We haven't heard an official statement from Comodo on this breach.

Offline login9

  • Newbie
  • *
  • Posts: 6
Re: unable to login
« Reply #3 on: May 29, 2020, 02:01:58 PM »
So I will receive an email to reset my password over the next few days/weeks. Cheers

Offline Dennis2

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 9659
Re: unable to login
« Reply #4 on: May 29, 2020, 02:20:38 PM »
Hi. After several attempts to log in and failing, I've resorted to creating a temporary account to resolve my and my partner's accounts.
When I try to log in I keep getting the message "we've upgraded our security" etc. I've tried resetting my password; my secret answer is wrong but I know it's not. I've asked for the email reset but I don't receive an email. Has my account been hacked? Thanks, stuartm. PS: I don't know what will happen to this account if I log out.
My secret question also failed; I presume they reset that as well.

On second thoughts it might be better to change that as well.

Dennis
Moderator: Aims Forum a friendly place. Any concerns? Please PM me and/or review the Forum Policy 2012Updated.
System: Centos 7.9 x64, APF, HTTPS Everywhere, ABP, NoScript
 Fedora 33 x64, APF, HTTPS Everywhere, ABP

Online EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26534
Re: unable to login
« Reply #5 on: May 29, 2020, 02:42:16 PM »
Could you try a few things for us?

Try the "Forgot your password" link from the login page (https://forums.comodo.com/index.php?action=login) and see if you get sent an email. Could you ask for the password reset link first using your email address and a second time using your username?

Futuretech wondered if there is a difference between asking for a reset from the login page and from the page with the message (see attached image).
« Last Edit: May 29, 2020, 02:45:12 PM by EricJH »

Offline login9

  • Newbie
  • *
  • Posts: 6
Re: unable to login
« Reply #6 on: May 29, 2020, 02:58:42 PM »
Could you try a few things for us?

Try the "Forgot your password" link from the login page (https://forums.comodo.com/index.php?action=login) and see if you get sent an email. Could you ask for the password reset link first using your email address and a second time using your username?

Futuretech wondered if there is a difference between asking for a reset from the login page and from the page with the message (see attached image).
No luck on either

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1002
Re: unable to login
« Reply #7 on: May 29, 2020, 03:03:28 PM »
- Database contains 170k usernames, emails, hashed passwords, IPs.

Hashed passwords: does that mean that the passwords were encrypted when they stole the database?

Any possibility for them to recover the real passwords?

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1002
Re: unable to login
« Reply #8 on: May 29, 2020, 03:28:45 PM »
I too struggled to login again, I was lucky that I could reset my password . . .

It's quite disappointing that Comodo didn't send emails immediately to their users to inform them what happened . . .
It was by coincidence that I read this thread to find out about it . . .
Seriously Comodo, we are talking about security here . . .
Unbelievable . . .



Offline ZorKas

  • Comodo's Hero
  • *****
  • Posts: 1739
Re: Unable to log in - Password reset not working
« Reply #9 on: May 30, 2020, 04:22:31 AM »
Hello,
I changed my password after the administrator reset
I used the forgotten password function
For me, everything went well
Windows 10 Pro x64 Build 19042.964 - Comodo CIS Pro v.12.2.2.8012 - Linux 20.04

Offline ZorKas

  • Comodo's Hero
  • *****
  • Posts: 1739
Re: unable to login
« Reply #10 on: May 30, 2020, 05:05:46 AM »
Does that mean that the passwords were encrypted when they stole the database?
Any possibility for them to recover the real passwords?
I use SMF as a forum, as administrator.
The passwords are in a MySQL database on the server.
When a user saves the password, it is encrypted with SHA1 in the database.
Note: In SQL language, the SHA1() function allows you to encrypt a character string in the form of a 40-character hexadecimal string. ... This SQL function is commonly used for key hashing or as a cryptography function to store a password.
To recover encrypted passwords you need to know the encryption key.

Edit: Since encryption is a hash based on non-linear functions, there is no decryption method. This means that to find the password corresponding to a SHA-1 hash, there is no other choice than to try all possible passwords!
Technically, this would take several thousand years, even on the most powerful computer in the world.
« Last Edit: May 30, 2020, 05:11:45 AM by ZorKas »
Windows 10 Pro x64 Build 19042.964 - Comodo CIS Pro v.12.2.2.8012 - Linux 20.04

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1002
Re: unable to login
« Reply #11 on: May 30, 2020, 06:41:52 AM »
I use SMF as a forum, as administrator.
The passwords are in a MySQL database on the server.
When a user saves the password, it is encrypted with SHA1 in the database.
Note: In SQL language, the SHA1() function allows you to encrypt a character string in the form of a 40-character hexadecimal string. ... This SQL function is commonly used for key hashing or as a cryptography function to store a password.
To recover encrypted passwords you need to know the encryption key.

Edit: Since encryption is a hash based on non-linear functions, there is no decryption method. This means that to find the password corresponding to a SHA-1 hash, there is no other choice than to try all possible passwords!
Technically, this would take several thousand years, even on the most powerful computer in the world.

Hello Zorkas,

Thanks for your explanation, it removes some sweat drops from my forehead :)

However . . . I don't feel very confident and very secure about the SHA-1 function being used as an encryption algorithm.
My feeling is enforced by reading the Wiki article https://en.wikipedia.org/wiki/SHA-1

The SHA-1 function is deprecated by many companies and replaced by much stronger encryption algorithms like SHA-256, why is Comodo still using it?

Offline ZorKas

  • Comodo's Hero
  • *****
  • Posts: 1739
Re: unable to login
« Reply #12 on: May 30, 2020, 08:46:04 AM »
The SHA-1 function is deprecated by many companies and replaced by much stronger encryption algorithms like SHA-256, why is Comodo still using it?
Hello CISfan,

SHA1 means Secure Hash Algorithm

How to decode SHA1? (Principle of deciphering)

Since encryption is a hash based on non-linear functions, there is no decryption method. This means that to retrieve the password corresponding to a sha-1 hash, there is no choice but to try all possible passwords!

Reminder: Hashing a file

The sha1 algorithm

Very good data encryption software (password, text) used in several languages including php, sha1 supports a file with up to 2 64-bit exponents. To better encrypt a file, sha1 uses a calculation method that changes regularly. From boolean functions, sha1 uses a bit rotation system, alternating rotations and blocks of 512 bits. The digital signature obtained is a sequence of variables

A "collision" of a hash function is a pair of distinct data from its starting set whose checksums are identical. Collisions are generally considered undesirable but are usually impossible to avoid because of the difference in size between the start and end sets of the function.
This situation is considered rare, if not impossible, depending on the quality level of the hash function. This is why a file (or a password) can be considered to have a unique signature. And therefore that a given signature can only come from a single starting file (or password).

The SMF forum uses the PHP language associated with a MySQL database whose access is protected by a password different from PHP.

Edit: It is often said that SHA1 is not safe. There are risks of collisions.
In the real world:
For example, let's take an 8-character password containing only lowercase characters. That makes 26^8 = 208 billion combinations!
« Last Edit: May 30, 2020, 08:55:31 AM by ZorKas »
Windows 10 Pro x64 Build 19042.964 - Comodo CIS Pro v.12.2.2.8012 - Linux 20.04
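
Added example, not part of any post in this thread and not SMF or Comodo code: a sketch of the unsalted SHA-1 storage form described in Replies #10 and #12 next to a salted PBKDF2 record, with a login check that upgrades legacy rows. The record tag, iteration count, user names and passwords are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000      # assumption: work factor for this example; tune per server
PREFIX = "pbkdf2_sha256"  # hypothetical record tag, not an SMF format


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 hex digest (40 characters), as described in the thread."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def new_record(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: tag$iterations$salt$derived_key."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{PREFIX}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> tuple[bool, str]:
    """Check a login; return (ok, record to keep in the database)."""
    if stored.startswith(PREFIX + "$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    # Legacy row: constant-time compare, then re-hash on success so the
    # SHA-1 digest is dropped the first time the user logs in.
    ok = hmac.compare_digest(legacy_sha1(password), stored)
    return ok, (new_record(password) if ok else stored)


def shared_password_groups(table: dict[str, str]) -> list[list[str]]:
    """Users whose stored values are identical, i.e. who share a password."""
    by_value: dict[str, list[str]] = {}
    for user, stored in table.items():
        by_value.setdefault(stored, []).append(user)
    return [sorted(users) for users in by_value.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts: two users picked the same password.
    logins = [("alice", "Tr0ub4dor&3"), ("bob", "Tr0ub4dor&3"), ("carol", "x9!LmQ")]
    legacy = {u: legacy_sha1(p) for u, p in logins}
    print("same stored value (legacy):", shared_password_groups(legacy))
    migrated = {u: verify(p, legacy[u])[1] for u, p in logins}
    print("same stored value (migrated):", shared_password_groups(migrated))
```

With the unsalted form, equal passwords are visible as equal rows; after migration every row differs even when the passwords match.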

Offline login9

  • Newbie
  • *
  • Posts: 6
Re: Unable to log in - Password reset not working
« Reply #13 on: May 30, 2020, 09:04:15 AM »
Still no luck today. Think I'll try again this time next month!

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1002
Re: unable to login
« Reply #14 on: May 30, 2020, 09:30:05 AM »

...


Thanks for sharing some details regarding the workings of SHA function. Very comforting words, I appreciate it.
I understand the principle behind the SHA-1 function being a strong protection.

Just being curious... for what reason can't members log in at the moment?
Is it another reason than that their passwords were being compromised?


 
