Surely if someone can use h4x to find our passwords once, it doesn't matter what we make them because they'll just find out the new ones?
Or am I misunderstanding the problem?
[QUOTE=Darth_GW7;26501448]Surely if someone can use h4x to find our passwords once, it doesn't matter what we make them because they'll just find out the new ones?
Or am I misunderstanding the problem?[/QUOTE]
When a mod account was compromised, a guy managed to get the hashes of the passwords. You can login on accounts simply using these hashes on Facepunch. (something like &loginhash=hash or whatever). So they simply got the hashes of the previous passwords.
But if someone manages to make a dump of these hashes again, yes, it will be the same thing.
[QUOTE=PiXeN;26501602]When a mod account was compromised, a guy managed to get the hashes of the passwords. You can login on accounts simply using these hashes on Facepunch. (something like &loginhash=hash or whatever). So they simply got the hashes of the previous passwords.
But if someone manages to make a dump of these hashes again, yes, it will be the same thing.[/QUOTE]
Not quite how hashes work. Hashes are like an encoded form of your password that have to first be cracked in order to reveal the real password. 'Making a dump' of the passwords should no longer be possible (I hope).
Not much time to read this thread atm. If I'm not on the list, does that mean I'm safe?
[QUOTE=zzaacckk;26497729]I think everyone should change their Facepunch, Steam, and email password.
The hacker may have taken information from the email columns as well.[/QUOTE]
Steam doesn't use MD5 authentication as far as I know.
[editline]5th December 2010[/editline]
[QUOTE=Execro;26501965]Not quite how hashes work. Hashes are like an encoded form of your password that have to first be cracked in order to reveal the real password. 'Making a dump' of the passwords should no longer be possible (I hope).[/QUOTE]
You don't need to reveal the password. You just need to send it in the right way (Not using &stuff=hash)
[QUOTE=Flapadar;26502266]Steam doesn't use MD5 authentication as far as I know.
[editline]5th December 2010[/editline]
You don't need to reveal the password. You just need to send it in the right way (Not using &stuff=hash)[/QUOTE]
Yeah no, you do have to use the plaintext password to login, otherwise hashing said password in the DB would be rather useless.
I wasn't bothered looking for my name so I said fuck it.
So what does it mean to have your name on the list?
[QUOTE=johnkane46;26502371]I wasn't bothered looking for my name so I said fuck it.[/QUOTE]
:raise:
Ctrl+F
[editline]5th December 2010[/editline]
[QUOTE=angelangel;26502411]So what does it mean to have your name on the list?[/QUOTE]
It means you have to change your password.
Wait so are you trying to tell me that having the same password for facepunch, youtube, steam, online banking and paypal is a bad idea?
[QUOTE=rieda1589;26502426]:raise:
Ctrl+F
[editline]5th December 2010[/editline]
It means you have to change your password.[/QUOTE]
Actually I was wondering what I did or didn't do to get my username up there.
[QUOTE=DrTaxi;26502363]Yeah no, you do have to use the plaintext password to login, otherwise hashing said password in the DB would be rather useless.[/QUOTE]
Ok, according to your theory, there compromising an account using a hash will take ~5 billion years
Who stole the hashes? Turb?
Oh fuck, my main is on the list!
[QUOTE=Flapadar;26502564]Ok, according to your theory, there compromising an account using a hash will take ~5 billion years[/QUOTE]
Not really, depends on how secure your password is. You can brute force insecure passwords that have been MD5 hashed with relative ease.
[QUOTE=Robber;26502580]Who stole the hashes? Turb?[/QUOTE]
Both turb and vladh most likely, I know vlad got his hands on them in the past, that was how he got into Lithifold's account.
On the topic of brute forcing MD5 hashes, this calculator shows how long it would take for your password: [url]http://lastbit.com/pswcalc.asp[/url]
[QUOTE=Execro;26503002]Not really, depends on how secure your password is. You can brute force insecure passwords that have been MD5 hashed with relative ease.[/QUOTE]
Only using a table of hashes. And it's still incredibly inefficient.
[QUOTE=Flapadar;26503132]Only using a table of hashes. And it's still incredibly inefficient.[/QUOTE]
Why would you need a table? Assuming you know how the encryption works you just keep trying passwords until it spits out a hash that matches the one you're trying to crack.
[QUOTE=Execro;26503188]Why would you need a table? Assuming you know how the encryption works you just keep trying passwords until it spits out a hash that matches the one you're trying to crack.[/QUOTE]
It's faster using a table. If you try calculating the MD5 of A and then B then AB, you'll be there forever, since MD5 is in itself a slow algorithm, so you severely reduce the number of comparisons per second you can do.
[QUOTE=Flapadar;26503212]It's faster using a table. If you try calculating the MD5 of A and then B then AB, you'll be there forever, since MD5 is in itself a slow algorithm, so you severely reduce the number of comparisons per second you can do.[/QUOTE]
That's good to know. From the reading I've done you can quite easily achieve 300,000 passwords per second (I don't think the algorithm is as slow as you think). Although that wouldn't be able to crack secure passwords in any reasonable length of time it would crack the insecure ones in a matter of minutes.
[QUOTE=DrTaxi;26502363]Yeah no, you do have to use the plaintext password to login, otherwise hashing said password in the DB would be rather useless.[/QUOTE]
vBulletin allows people to log in with an MD5'd password
compwhizii, you should not leave facepunch, cause you are a good coder.
Really? Usernames like that exist?
I can understand hacking someone on facebook or world of warcraft, but a facepunch account? You need to aim a bit higher, amigo.
[QUOTE=Execro;26503292]That's good to know. From the reading I've done you can quite easily achieve 300,000 passwords per second (I don't think the algorithm is as slow as you think). Although that wouldn't be able to crack secure passwords in any reasonable length of time it would crack the insecure ones in a matter of minutes.[/QUOTE]
There are 53459728531456 unique combinations for an a-z/A-Z 8 character password, or 50,000 hours (max of 5.6 years). The insecure passwords can be captured by saving hashes. For example, if you have "manchester", you can save the hash. You could even do that in Lua - nevermind any better language.
[lua]-- 'dictionary' is the table of common words; 'md5hash' is assumed to return the hex MD5 of a string.
-- Precompute hash -> word once, so a leaked hash becomes a single table lookup.
local md5s = {}
for _, word in pairs(dictionary) do
	md5s[md5hash(word)] = word
end
-- Returns the word whose MD5 matches 'hash', or "" if it is not in the table.
local function force(hash)
	return md5s[hash] or ""
end
[/lua]
All you need is a table of common words and you can dictionary attack it.
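To make the point of the last few posts concrete from the defender's side, here is an added Python example (not from the thread or from vBulletin) showing why an unsalted MD5 dump is a lookup problem for common passwords and why a per-user salt breaks that precomputed table. The wordlist and the "leaked" hashes are constructed for the demo.

```python
import hashlib
import os

# Constructed stand-in for the "table of common words" discussed above (not a real dump).
COMMON_WORDS = ["manchester", "password", "letmein", "facepunch"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 hex digest, the storage scheme under discussion in the thread."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> word once; every leaked unsalted hash then costs one dict lookup."""
    return {md5_hex(w): w for w in words}


def recover_from_table(table, leaked_hashes):
    """Return {hash: word} for each leaked hash that appears in the precomputed table."""
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_md5_hex(password: str, salt: bytes) -> str:
    """With a random per-user salt the same password yields a different hash per user,
    so one precomputed table no longer matches anyone (a slow KDF is still needed on top)."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def demo():
    table = build_lookup_table(COMMON_WORDS)
    passwords = ("manchester", "letmein", "Tq9#vL2!xR8m")  # two weak, one strong (constructed)
    # Constructed "leaked dump" of unsalted hashes: the weak ones fall straight out of the table.
    unsalted_dump = [md5_hex(p) for p in passwords]
    recovered = recover_from_table(table, unsalted_dump)
    # Same passwords stored salted: the table built from the wordlist misses every one of them.
    salted_dump = [salted_md5_hex(p, os.urandom(16)) for p in passwords]
    recovered_salted = recover_from_table(table, salted_dump)
    return len(recovered), len(recovered_salted)


if __name__ == "__main__":
    print("unsalted recovered, salted recovered:", demo())
```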
compiwhizii, can you send an activation mail to adzcis101(at)hotmail(dot)com, he seems to have some problem with the activation.
Everyone who's on the list should change their passwords, right?
[QUOTE=SEKCobra;26503679]compiwhizii, can you send an activation mail to adzcis101(at)hotmail(dot)com, he seems to have some problem with the activation.[/QUOTE]
I think there is something wrong with hotmail and activation.
I tried it with that yesterday and nothing appeared but then I used a gmail email and it worked fine.
Tell him to change it to a gmail account.
[editline]5th December 2010[/editline]
[QUOTE=w0lfeh;26503702]Everyone who's on the list should change their passwords, right?[/QUOTE]
Indeed.
[QUOTE=compwhizii;26503329]vBulletin allows people to log in with an MD5'd password[/QUOTE]
Now that's just retarded.