How were passwords stored?

baafie · 16th February 2011, 11:01

That's the central question, yet the breach FAQ doesn't answer it. So spill the beans.

jaromanda · 16th February 2011, 11:07

code:
$password_hash = md5(md5($password_text) . $user_salt);

Batter Pudding · 16th February 2011, 20:02

The FAQ is not written in language for "normal" home users. What jaromanda is showing you is that the passwords are hidden with a couple of fairly basic encryption routines. This means that the passwords are not plain text and readable. They are encrypted (or Hashed).

They could be hacked back to a readable form, but will need a fair bit of work. For example, the hacker would have to encrypt each word in the dictionary in turn and then keep comparing the result to your encrypted password until he found a match. This is possible, but would take a lot of time.

There are modern tricks to shorten this time, but it still takes time. The main point is - your password cannot not be quickly read.

What you should pick up from this is: Don't use the same password on important websites. If you haven't already done it, change that password here and on any other websites you use it.

The messier your password is, the harder it is to crack (Ghu87HJ$$ju82H is much harder than password1 or 12345678 to crack)

[To others reading this - I know I have over simplified the above description... so don't start picking me up on salts and so forth. The idea was to explain to the OP that this could have been much worse without getting too technical]

rockouthippie · 16th February 2011, 20:38

Quote:

The messier your password is, the harder it is to crack (Ghu87HJ$$ju82H is much harder than password1 or 12345678 to crack)

With brute force........ it doesn't matter when unencrypting a hash.

MD5 is vulnerable. It's also widely used. The U. S. Department of Homeland Security said MD5 "should be considered cryptographically broken and unsuitable for further use".

It is better than nothing.

Webs you visit every day get hacked every day. It's the nature of the beast. I'd expect spam filters will probably cure any of our email ills. I cleared all my spam mails Feb 1 and half way through the month, I have 411 spams.

I'd expect, since someone wanted the email addresses of people using the forum, what? I'm gonna have 412?

Batter Pudding · 16th February 2011, 21:01

What I was trying to point out is that a simple dictionary word is compromised in seconds. Many of those rainbow tables will already have been filled with the common passwords and Webster's Dictionary. A random mess of characters will take longer. (I have seen the Chinese smashing at the doors of FTP servers I monitor... and it is funny seeing the password lists they try)

And yes, MD5 like WEP and many of the older encryptions have been proved to have errors in the maths that can make cracking easier. Just think of the feeble computing power we had back when these were invented... and now we walk around with the equivalent of a 1980s super computer in our pockets. What do you think the inventor of the MD5 algorithm would have thought it you had waved an iPhone at him!!

And you are right - websites get hacked. All the time. At least Winamp told everyone about it (after they closed the security holes). Yes, this is a legal requirement to tell people - but how many forums do you think get silently hacked and repaired? Going by some of the spam I get on my "forum only" email addresses, I think that is fairly high.

jaromanda · 16th February 2011, 21:03

re spam

I don't get much spam at all (maybe 3 on a bad day) on the email address I used to register here, so, it'll be interesting if that spikes suddenly

Batter Pudding · 16th February 2011, 21:24

I use this email address on a dozen or so forums. And no where else. It is noticeable that it has either been hacked and sold, or just sold previously.

The address used here is just an ISP supplied one. And they now get Google to look after the accounts. So most of the spam stops at the Google borders, so cannot tell how much it gets.

I have 35 mailboxes I check, and spam levels are next to nothing. Surprised if I see a couple a month in total. But then, I am a paranoid git who don't trust anyone with my details. No Facebook or Twatter account. No leaving personal details strewn all over the place. Careful as to who I signup with.

Anything with credit cards (Paypal, Amazon, Ebay, Tax, etc) all get unique addresses. With a hack like has happened here at Winamp, I guess there are people here with a SINGLE Hotmail email address they use EVERYWHERE. With some of those having the same password for each account. I have seen clients of mine get hacked and badly scammed that way. They then get a kick up the arse from me and a lecture to not be so silly in future. No one has the same door key for house, work, car and bank vault - so why use the same password?

16th February 2011, 11:01	#1
baafie feminazi (Major Dude) Join Date: Apr 2001 Posts: 1,767	How were passwords stored? That's the central question, yet the breach FAQ doesn't answer it. So spill the beans.

16th February 2011, 11:07	#2
jaromanda Forum King Join Date: Jun 2007 Location: Under the bridge Posts: 2,290	code: $password_hash = md5(md5($password_text) . $user_salt); "If you don't like DNAS, write your own damn system" So I did

16th February 2011, 21:03	#6
jaromanda Forum King Join Date: Jun 2007 Location: Under the bridge Posts: 2,290	re spam I don't get much spam at all (maybe 3 on a bad day) on the email address I used to register here, so, it'll be interesting if that spikes suddenly "If you don't like DNAS, write your own damn system" So I did

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

16th February 2011, 20:02	#3
Batter Pudding Major Dude Join Date: Jun 2008 Posts: 1,665	The FAQ is not written in language for "normal" home users. What jaromanda is showing you is that the passwords are hidden with a couple of fairly basic encryption routines. This means that the passwords are not plain text and readable. They are encrypted (or Hashed). They could be hacked back to a readable form, but will need a fair bit of work. For example, the hacker would have to encrypt each word in the dictionary in turn and then keep comparing the result to your encrypted password until he found a match. This is possible, but would take a lot of time. There are modern tricks to shorten this time, but it still takes time. The main point is - your password cannot not be quickly read. What you should pick up from this is: Don't use the same password on important websites. If you haven't already done it, change that password here and on any other websites you use it. The messier your password is, the harder it is to crack (Ghu87HJ$$ju82H is much harder than password1 or 12345678 to crack) [To others reading this - I know I have over simplified the above description... so don't start picking me up on salts and so forth. The idea was to explain to the OP that this could have been much worse without getting too technical]

16th February 2011, 21:01	#5
Batter Pudding Major Dude Join Date: Jun 2008 Posts: 1,665	What I was trying to point out is that a simple dictionary word is compromised in seconds. Many of those rainbow tables will already have been filled with the common passwords and Webster's Dictionary. A random mess of characters will take longer. (I have seen the Chinese smashing at the doors of FTP servers I monitor... and it is funny seeing the password lists they try) And yes, MD5 like WEP and many of the older encryptions have been proved to have errors in the maths that can make cracking easier. Just think of the feeble computing power we had back when these were invented... and now we walk around with the equivalent of a 1980s super computer in our pockets. What do you think the inventor of the MD5 algorithm would have thought it you had waved an iPhone at him!! And you are right - websites get hacked. All the time. At least Winamp told everyone about it (after they closed the security holes). Yes, this is a legal requirement to tell people - but how many forums do you think get silently hacked and repaired? Going by some of the spam I get on my "forum only" email addresses, I think that is fairly high.

16th February 2011, 21:24	#7
Batter Pudding Major Dude Join Date: Jun 2008 Posts: 1,665	I use this email address on a dozen or so forums. And no where else. It is noticeable that it has either been hacked and sold, or just sold previously. The address used here is just an ISP supplied one. And they now get Google to look after the accounts. So most of the spam stops at the Google borders, so cannot tell how much it gets. I have 35 mailboxes I check, and spam levels are next to nothing. Surprised if I see a couple a month in total. But then, I am a paranoid git who don't trust anyone with my details. No Facebook or Twatter account. No leaving personal details strewn all over the place. Careful as to who I signup with. Anything with credit cards (Paypal, Amazon, Ebay, Tax, etc) all get unique addresses. With a hack like has happened here at Winamp, I guess there are people here with a SINGLE Hotmail email address they use EVERYWHERE. With some of those having the same password for each account. I have seen clients of mine get hacked and badly scammed that way. They then get a kick up the arse from me and a lecture to not be so silly in future. No one has the same door key for house, work, car and bank vault - so why use the same password?