Unable to log in - Password reset not working

Hi, after several attempts to log in and failing, I’ve resorted to creating a temporary account to resolve my and my partner’s accounts.
When I try to log in I keep getting the message “we’ve upgraded our security” etc. I’ve tried resetting my password; my secret answer is wrong, but I know it’s not. I’ve asked for the email reset; I don’t receive an email. Has my account been hacked? Thanks, stuartm. PS: I don’t know what will happen to this account if I log out.

Hello login9,

There is an issue with mail receiving and our teams are working on it. It will be fixed soon.
Sorry for the inconvenience.

Kind Regards,

All forum members received a password reset. However when using the option to receive an email with a link to reset the password that email may not arrive. This has been reported to Comodo and as Dharshu states Comodo is looking into this.

We believe the password reset was issued because of a breach reported here on Twitter: https://twitter.com/underthebreach/status/1265627032228167681 . We haven’t heard an official statement from Comodo on this breach.

So I will receive an email to reset my password over the next few days/weeks. Cheers

My secret question also failed, I presume they reset that as well.

On second thoughts it might be better to change that as well.


Could you try a few things for us?

Try the “Forgot your password” link from the login page (Comodo Forum) and see if you get sent an email. Could you ask for the password reset link the first time using your email address and the second time using your username?

Futuretech wondered if there is a difference between asking for a reset from the login page and from the page with the message (see attached image).

No luck on either

- Database contains 170k usernames, emails, hashed passwords, IPs.

hashed passwords : Does that mean that the passwords were encrypted when they stole the database?

Any possibility for them to recover the real passwords?

I too struggled to login again, I was lucky that I could reset my password . . .

It’s quite disappointing that Comodo didn’t send emails immediately to their users to inform them what happened . . .
It was by coincidence that I read this thread to find out about it . . .
Seriously Comodo, we are talking about security here . . .
Unbelievable . . .

I changed my password after the administrator reset
I used the forgotten password function
For me, everything went well

I use SMF as a forum, as administrator.
The passwords are in a MySQL database on the server.
When a user saves the password, it is encrypted with SHA1 in the database.
Note: In SQL language, the SHA1() function allows you to encrypt a character string in the form of a 40-character hexadecimal string. … This SQL function is commonly used for key hashing or as a cryptography function to store a password.
To recover encrypted passwords you need to know the encryption key.

Edit: Since encryption is a hash based on non-linear functions, there is no decryption method. This means that to find the password corresponding to a sha-1 hash, there is no other choice than to try all possible passwords!
Technically, this would take several thousand years, even on the most powerful computer in the world.

Hello Zorkas,

Thanks for your explanation, it removes some sweat drops from my forehead :slight_smile:

However . . . I don’t feel very confident and very secure about the SHA-1 function being used as an encryption algorithm.
My feeling is reinforced by reading the Wiki article SHA-1 - Wikipedia

The SHA-1 function is deprecated by many companies and replaced by much stronger encryption algorithms like SHA-256, why is Comodo still using it?

Hello CISfan,

SHA1 means Secure Hash Algorithm

How to decode SHA1? (Principle of deciphering)

Since encryption is a hash based on non-linear functions, there is no decryption method. This means that to retrieve the password corresponding to a sha-1 hash, there is no choice but to try all possible passwords!

Reminder: Hashing a file

The sha1 algorithm

Very good data encryption software (password, text) used in several languages including php, sha1 supports a file with up to 2 64-bit exponents. To better encrypt a file, sha1 uses a calculation method that changes regularly. From boolean functions, sha1 uses a bit rotation system, alternating rotations and blocks of 512 bits. The digital signature obtained is a sequence of variables

A “collision” of a hash function is a pair of distinct data from its starting set whose checksums are identical. Collisions are generally considered undesirable but are usually impossible to avoid because of the difference in size between the start and end sets of the function.
This situation is considered rare, if not impossible, depending on the quality level of the hash function. This is why a file (or a password) can be considered to have a unique signature. And therefore that a given signature can only come from a single starting file (or password).

The SMF forum uses the PHP language associated with a MySQL database whose access is protected by a password different from PHP.

Edit: It is often said that SHA1 is not safe. There are risks of collisions.
In the real world:
For example, let’s take an 8-character password containing only lowercase characters. That makes 26^8 = 208 billion combinations!
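Added example, not part of any post in this thread and not SMF's or Comodo's code: a Python sketch comparing the unsalted SHA-1 storage described above with a salted, slow PBKDF2 record, and carrying the 26^8 keyspace figure through to an exhaustive-search cost. The function names, the iteration count and the guess rate are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000          # assumed PBKDF2 work factor for this example
ASSUMED_RATE = 1e9            # assumed SHA-1 guesses/second, illustrative only


def sha1_unsalted(password: str) -> str:
    """Fast, unsalted 40-character hex digest (what SQL SHA1() returns)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash; returns (salt, derived_key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def pbkdf2_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(pbkdf2_record(password, salt)[1], expected)


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length


def seconds_to_exhaust(candidates: int, rate: float, cost_per_guess: int = 1) -> float:
    """Rough model: each guess costs `cost_per_guess` primitive hash calls."""
    return candidates * cost_per_guess / rate


if __name__ == "__main__":
    n = keyspace(26, 8)                       # the thread's 8 lowercase letters
    print(f"candidates: {n:,}")
    # Two users with the same password: identical unsalted digests ...
    print(sha1_unsalted("sunshine") == sha1_unsalted("sunshine"))
    # ... but different salted records, so one guess cannot be reused.
    a, b = pbkdf2_record("sunshine"), pbkdf2_record("sunshine")
    print(a[1] != b[1], pbkdf2_verify("sunshine", *a))
    print(f"unsalted SHA-1: {seconds_to_exhaust(n, ASSUMED_RATE):,.0f} s")
    print(f"PBKDF2:         {seconds_to_exhaust(n, ASSUMED_RATE, ITERATIONS):,.0f} s")
```

The search cost scales with the hash's per-guess cost, which is why password storage guidance favours a per-user salt and a tunable work factor over a single fast hash call.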

Still no luck today, think I’ll try again this time next month!

Thanks for sharing some details regarding the workings of SHA function. Very comforting words, I appreciate it.
I understand the principle behind the SHA-1 function being it a strong protection.

Just being curious… for what reason can’t members login at the moment?
Is it another reason than that their passwords were being compromised?

It’s not a password compromise since the forum has been hacked.
To protect accounts:
In the SMF forum the administrator has the option to reset passwords. To reactivate the account you must enter the new password.
To do this you must first enter your email “REGISTRATION ORIGIN” to receive the reactivation link.

  • In case the email is different from the original one, it is lost.
  • In case the user profile e-mail is deleted, it is lost.
  • In case the MySQL database is corrupted, it is lost.
  • In case the MySQL database has been modified, it is lost.

It should be understood that the Comodo forum works with the SMF application. This application has all the scripts under PHP associated with a MySQL database which contains the IDs and passwords of the user accounts and other values.
All MySQL databases must be backed up every day, preferably at night. This is an essential function because in case of a crash, there is no means of restoring if the dump is non-existent.

So is it the case that no matter what I try to get an email reset link, my details are lost?

Thank you for explaining, it clarifies a lot.

You mention that “In case the email is different from the original one, it is lost” does that also mean that once you make a typo (mistake) in entering the email when resetting the password and then retry to reset the password again but now entering the correct email it is then lost too? Or does the user profile survive when making a typo in entering the email? Sounds critical to me.

Maybe the above is not applicable at all when all MySQL databases are restored from backup and all users can log in again after resetting their passwords. I don’t know; maybe this also needs some clarification.

As explained above
The user’s login and password are stored in the SQL database (encrypted).
During the password reset request, the login/e-mail when opening the account is compared with those registered in the SQL database; if it matches the email entered for password reactivation, it’s OK, otherwise there is no reactivation.
If the base is damaged, it must be repaired, if this is not possible, it must be restored at the earliest possible date.

If you make a typing error, it is not serious, just correct it, but the referrer email must be in the SQL table to be validated.
Then, the script managing the sending of the email takes over.
It is possible that the procedure call under PHP in relation to the SQL database managing the reactivation is also defective, so it is the administrator who intervenes in this case.