• Ask us about the forums v9
    4,984 replies, posted
[QUOTE=Mokkan13;26504729]Alright I'm tired yes but it seems pretty obvious that that announcement is saying md5 hashes of passwords were copied.. so, if that's not password theft why are we all changing our passwords.[/QUOTE] It was taken from another site, not Facepunch.
What That's exactly what they said, you're just splitting hairs over it. It's a serious issue dealing with passwords whichever dumb way you want to put it, so quit pretending you have a reason to be an asshat to people in this thread
[QUOTE=Dragon;26504810]What That's exactly what they said, you're just splitting hairs over it. It's a serious issue dealing with passwords whichever dumb way you want to put it, so quit pretending you have a reason to be an asshat to people in this thread[/QUOTE] The difference is that one way I'm at fault for it and the other is I'm not.
But the problem is it still concerns facepunch users and you are handling it awfully
[QUOTE=Dragon;26505082]But the problem is it still concerns facepunch users and you are handling it awfully[/QUOTE] When did I say that it never concerned them, and I've been answering any questions that were asked about it on steam or over PM, including resetting accounts for people who get stuck in waiting for activation.
or you could've just told everyone and not just the people who pm'd you. Would've saved you and me some time
[QUOTE=alt;26505425]or you could've just told everyone and not just the people who pm'd you. Would've saved you and me some time[/QUOTE] I think he was trying to buy some time for the people who were on the list for them to change their password.
[QUOTE=kapin_krunch;26505742]I think he was trying to buy some time for the people who were on the list for them to change their password.[/QUOTE] Yeah, before announcement: okay I have this list, but now what? probably a different salt to facepunch After: Oooh this list works on facepunch, now let's try as many as we can before they change password.
It doesn't (hopefully). The problem is some dude can use a lookup table and figure out the plaintext passwords of a few of those and then try those on FP
[QUOTE=Dragon;26506978]It doesn't (hopefully). The problem is some dude can use a lookup table and figure out the plaintext passwords of a few of those and then try those on FP[/QUOTE] A salt was never used or was in the database?
Not on the off-site thing, I hear
[QUOTE=Dragon;26507211]Not on the off-site thing, I hear[/QUOTE] ouch, but still, if facepunch uses one, that at least blocks the logging on through salt thing, as the hashes would not match, still lets the dictionary attack work though :-S
How do you go about getting unbanned? I made an appeal ban for an account I had banned a year ago and I wasn't unbanned? Is there like an outline to make an appeal or something.
[QUOTE=Kid Cudi;26507778]How do you go about getting unbanned? I made an appeal ban for an account I had banned a year ago and I wasn't unbanned? Is there like an outline to make an appeal or something.[/QUOTE] After a year if it hasn't been unbanned already it probably never will be.
[QUOTE=Mattyyyy;26507890]After a year if it hasn't been unbanned already it probably never will be.[/QUOTE] I waited 13 months and I got unbanned :v:
I got unbanned after a year. Still love Hezzy for that one. :buddy:
[QUOTE=Kid Cudi;26507778]How do you go about getting unbanned? I made an appeal ban for an account I had banned a year ago and I wasn't unbanned? Is there like an outline to make an appeal or something.[/QUOTE] Why was it banned?
[QUOTE=Mattyyyy;26508290]Why was it banned?[/QUOTE] gimmick account. anyways, i haven't tried to appeal for it until now.
[QUOTE=nekosune;26507242]ouch, but still, if facepunch uses one, that at least blocks the logging on through salt thing, as the hashes would not match, still lets the dictionary attack work though :-S[/QUOTE] You misunderstood the issue at hand. If the hashes happen to be in a precomputed table (Rainbow Tables, etc), you could be able to get the password. You'd then use said password to attempt to login to FP, and if the individual used the same password here, or used the same Username/Pass combo on any other site, every one of them could be compromised. This has absolutely nothing to do with the hashes in FP's database, period.
[QUOTE=windwakr;26508353]Why is there a password on the miscellaneous forums? [url]http://www.facepunch.com/forumdisplay.php?f=306[/url][/QUOTE] They were being spammed by gold members if my memory serves me correctly. They are locked until there are enough mods for that area too i think.
[QUOTE=not_Morph53;26508755]You misunderstood the issue at hand. If the hashes happen to be in a precomputed table (Rainbow Tables, etc), you could be able to get the password. You'd then use said password to attempt to login to FP, and if the individual used the same password here, or used the same Username/Pass combo on any other site, every one of them could be compromised. This has absolutely nothing to do with the hashes in FP's database, period.[/QUOTE] Exactly, rainbow tables only work with precomputed hashes, AKA a dictionary, AKA a dictionary attack, I was saying that Compwhizzi mentioning the VB4 ability to log in with a md6 hash through the cookie is useless, but since no salt, that attack would work. We are talking about basically the same thing, different names.
[QUOTE=kapin_krunch;26493152] Why the hell are you so vague about what is happening compwhizii? It's not like it will affect anything if you told us.[/QUOTE] It made him feel mysterious and powerful like some kind of sorcerer or a web developer with a god complex
[QUOTE=nekosune;26508898]Exactly, rainbow tables only work with precomputed hashes, AKA a dictionary, AKA a dictionary attack, I was saying that Compwhizzi mentioning the VB4 ability to log in with a md6 hash through the cookie is useless, but since no salt, that attack would work. We are talking about basically the same thing, different names.[/QUOTE] No actually, we are not. This has nothing to do with cookies/session hijacking, nothing to do with salts being used in VB's password hashes, and nothing to do with dictionary attacks. Nobody has access to the hashes/salt on VB, nobody is going to bother going through the effort of crafting cookies that won't work, when it's far simpler to use rainbow tables to get the Plaintext password, which could be used on other sites. This is about a table of unsalted hashes taken from somewhere else, that could be used to compromise accounts for a very small minority of Facepunch. If those specific users used weak passwords, and used the same passwords on other sites (email, facebook, steam, etc) they are utterly fucked unless they change their passwords everywhere asap. Also, using precomputed hashes to get the password is not a dictionary attack. A dictionary attack is little more than guessing a password using a list of common passwords (12345, qwerty, god, sex, etc), then using any information you may have obtained via social engineering (anniversaries, birthdays, first car, etc) and then words in the dictionary (from aardvark to zzz). With rainbow tables, you know what the password looks like after it has passed through a hashing function ( md5(), sha(), etc), and you simply search for that hash in your database in the hopes of either finding the original plaintext, or a hash collision (a letter combination that yields the exact same hash, which would be useless on other sites that use different hashing algorithms, or salts).
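The point argued in the posts above, why a list of unsalted MD5 hashes falls to a precomputed lookup while per-user salts defeat it, shown as an added example that is not part of the original thread or any forum's code. The user names, passwords, wordlist, round count and the choice of PBKDF2 as the salted scheme are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "precomputed" wordlist and three accounts.
COMMON_PASSWORDS = ["12345", "qwerty", "letmein"]
USERS = {"alice": "qwerty", "bob": "qwerty", "carol": "x9!Lr#2vQp"}
ROUNDS = 100_000  # assumed work factor for this example

def md5_hex(password):
    """Unsalted MD5: the same password gives the same digest everywhere."""
    return hashlib.md5(password.encode()).hexdigest()

def kdf_hex(password, salt):
    """PBKDF2-HMAC-SHA256 with a caller-supplied salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS).hex()

def new_record(password):
    """Store a fresh random salt next to the slow hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": kdf_hex(password, salt)}

def verify(password, record):
    """Recompute with the stored salt; compare in constant time."""
    return hmac.compare_digest(kdf_hex(password, record["salt"]), record["hash"])

def exposed(stored_hashes, table):
    """Accounts whose stored hash appears in a precomputed hash->plaintext table."""
    return sorted(u for u, h in stored_hashes.items() if h in table)

def demo():
    unsalted_db = {u: md5_hex(p) for u, p in USERS.items()}
    salted_db = {u: new_record(p) for u, p in USERS.items()}
    # Tables built ahead of time, without knowing any per-user salt.
    md5_table = {md5_hex(p): p for p in COMMON_PASSWORDS}
    kdf_table = {kdf_hex(p, b"\x00" * 16): p for p in COMMON_PASSWORDS}
    return {
        "unsalted_hits": exposed(unsalted_db, md5_table),
        "salted_hits": exposed({u: r["hash"] for u, r in salted_db.items()}, kdf_table),
        "reuse_visible_unsalted": unsalted_db["alice"] == unsalted_db["bob"],
        "reuse_visible_salted": salted_db["alice"]["hash"] == salted_db["bob"]["hash"],
        "login_ok": verify("qwerty", salted_db["alice"]),
        "login_wrong": verify("12345", salted_db["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```

With unsalted storage, alice and bob also share one digest, so a single lookup hit covers every account using that password; the random salts make their stored values differ even though the password is the same.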
Actually I think you are actually talking about the same thing!!! but nekowhoever called it something else
[QUOTE=Dragon;26509689]Actually I think you are actually talking about the same thing!!! but nekowhoever called it something else[/QUOTE] There is a difference, but it only really matters to closet cryptosexuals.
[QUOTE=not_Morph53;26509634]No actually, we are not. This has nothing to do with cookies/session hijacking, nothing to do with salts being used in VB's password hashes, and nothing to do with dictionary attacks. Nobody has access to the hashes/salt on VB, nobody is going to bother going through the effort of crafting cookies that won't work, when it's far simpler to use rainbow tables to get the Plaintext password, which could be used on other sites. This is about a table of unsalted hashes taken from somewhere else, that could be used to compromise accounts for a very small minority of Facepunch. If those specific users used weak passwords, and used the same passwords on other sites (email, facebook, steam, etc) they are utterly fucked unless they change their passwords everywhere asap. Also, using precomputed hashes to get the password is not a dictionary attack. A dictionary attack is little more than guessing a password using a list of common passwords (12345, qwerty, god, sex, etc), then using any information you may have obtained via social engineering (anniversaries, birthdays, first car, etc) and then words in the dictionary (from aardvark to zzz). With rainbow tables, you know what the password looks like after it has passed through a hashing function ( md5(), sha(), etc), and you simply search for that hash in your database in the hopes of either finding the original plaintext, or a hash collision (a letter combination that yields the exact same hash, which would be useless on other sites that use different hashing algorithms, or salts).[/QUOTE] And what do you think rainbow tables are generated from? thin air? I mentioned the hash and salt, because comphwizzi said about the VB4 thing of logging in using a hash, nothing else, that was not what I was saying about the dictionary attack.
why is th89 such a bad moderator?
[QUOTE=vagrant;26554215]why is th89 such a bad moderator?[/QUOTE] why you are such a bad poster
He is so bad because I needed a foil to my righteous judgments
[QUOTE=kapin_krunch;26508797]They were being spammed by gold members if my memory serves me correctly. They are locked until there are enough mods for that area too i think.[/QUOTE] Not being spammed by gold members but by people trying to become gold (08'ers with only 1,500 posts and such). This was originally happening in the advanced LUA hidden forum but was then locked and so it moved over to the blogs custom forum and I believe to stop it completely all hidden custom forums are locked for now. In case anyone else was wondering for a fuller explanation too.