Old 16th February 2011, 12:01   #1
baafie
feminazi
(Major Dude)
 
 
Join Date: Apr 2001
Posts: 1,767
How were passwords stored?

That's the central question, yet the breach FAQ doesn't answer it. So spill the beans.
Old 16th February 2011, 12:07   #2
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
code:
```php
// As posted: md5 of the password, with the per-user salt appended, hashed again with md5
$password_hash = md5(md5($password_text) . $user_salt);
```

Is it just me or are shoutcast users getting dumber?
Old 16th February 2011, 21:02   #3
Batter Pudding
Major Dude
 
 
Join Date: Jun 2008
Posts: 1,665
The FAQ is not written in language for "normal" home users. What jaromanda is showing you is that the passwords are hidden with a couple of fairly basic encryption routines. This means that the passwords are not plain text and readable. They are encrypted (or hashed).

They could be hacked back to a readable form, but will need a fair bit of work. For example, the hacker would have to encrypt each word in the dictionary in turn and then keep comparing the result to your encrypted password until he found a match. This is possible, but would take a lot of time.

There are modern tricks to shorten this time, but it still takes time. The main point is: your password cannot be quickly read.

What you should pick up from this is: Don't use the same password on important websites. If you haven't already done it, change that password here and on any other websites you use it.

The messier your password is, the harder it is to crack (Ghu87HJ$$ju82H is much harder than password1 or 12345678 to crack)


[To others reading this - I know I have over simplified the above description... so don't start picking me up on salts and so forth. The idea was to explain to the OP that this could have been much worse without getting too technical]
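The dictionary attack described above, worked through against the md5(md5(password) . salt) scheme quoted in post #2, as an added example that is not part of the original thread or of the forum software. The user table, salts and wordlist are constructed for the example, and the 3-character salt length is an assumption. One thing the code makes visible that the prose does not: the inner md5(password) never involves the salt, so an attacker computes it once per candidate word and only redoes the cheap outer md5 for each user.

```python
import hashlib
import secrets
import string
from typing import Dict, Optional, Tuple


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def vb_hash(password: str, salt: str) -> str:
    """The scheme quoted in the thread: md5(md5(password) . salt)."""
    return md5_hex(md5_hex(password) + salt)


def new_salt(length: int = 3) -> str:
    """Per-user random salt. The length is an assumption for this example."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample of a leaked user table. Salts are fixed here (rather than
# drawn from new_salt()) so the example is reproducible.
_USERS = {
    "alice": ("password1", "a9K"),
    "bob":   ("12345678", "Q#1"),
    "carol": ("password1", "x7!"),        # same password as alice, different salt
    "dave":  ("Ghu87HJ$$ju82H", "7zp"),   # the "messy" password from the thread
}
# What the attacker actually gets: stored hash and salt per user.
LEAK: Dict[str, Tuple[str, str]] = {
    user: (vb_hash(pw, salt), salt) for user, (pw, salt) in _USERS.items()
}

# Constructed mini wordlist standing in for a dictionary plus common-password list.
WORDLIST = ["letmein", "winamp", "password", "password1", "qwerty", "12345678", "shoutcast"]


def crack(leak: Dict[str, Tuple[str, str]], wordlist) -> Dict[str, Optional[str]]:
    """Try every word in the list against every leaked (hash, salt) pair.

    Returns the recovered password per user, or None if the word list
    does not contain it.
    """
    # md5(word) is salt-independent: compute it once and reuse it for all users.
    inner = {word: md5_hex(word) for word in wordlist}
    found: Dict[str, Optional[str]] = {}
    for user, (stored, salt) in leak.items():
        # Only the outer md5 has to be recomputed per user, because of the salt.
        found[user] = next(
            (word for word, ih in inner.items() if md5_hex(ih + salt) == stored),
            None,
        )
    return found


if __name__ == "__main__":
    for user, pw in crack(LEAK, WORDLIST).items():
        print(f"{user}: {pw if pw is not None else '<not in wordlist>'}")
```

Running it recovers the two dictionary-style passwords (for alice and carol even though their stored hashes differ, because the salts differ) and fails on dave's random string, which is the point Batter Pudding is making. The salt stops one precomputed table from serving every user, but because md5 is fast and the inner hash is shared, the per-user cost stays low; that is why a guessable password falls in seconds regardless of the salt.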
Old 16th February 2011, 21:38   #4
rockouthippie
Banned
 
 
Join Date: Jun 2004
Location: Oregon
Posts: 11,002
Quote:
The messier your password is, the harder it is to crack (Ghu87HJ$$ju82H is much harder than password1 or 12345678 to crack)
With brute force... it doesn't matter when unencrypting a hash.

MD5 is vulnerable. It's also widely used. The U. S. Department of Homeland Security said MD5 "should be considered cryptographically broken and unsuitable for further use".

It is better than nothing.

Webs you visit every day get hacked every day. It's the nature of the beast. I'd expect spam filters will probably cure any of our email ills. I cleared all my spam mails Feb 1 and half way through the month, I have 411 spams.

I'd expect, since someone wanted the email addresses of people using the forum, what? I'm gonna have 412?
Old 16th February 2011, 22:01   #5
Batter Pudding
Major Dude
 
 
Join Date: Jun 2008
Posts: 1,665
What I was trying to point out is that a simple dictionary word is compromised in seconds. Many of those rainbow tables will already have been filled with the common passwords and Webster's Dictionary. A random mess of characters will take longer. (I have seen the Chinese smashing at the doors of FTP servers I monitor... and it is funny seeing the password lists they try)

And yes, MD5, like WEP and many of the older encryptions, has been proved to have errors in the maths that can make cracking easier. Just think of the feeble computing power we had back when these were invented... and now we walk around with the equivalent of a 1980s supercomputer in our pockets. What do you think the inventor of the MD5 algorithm would have thought if you had waved an iPhone at him!!

And you are right - websites get hacked. All the time. At least Winamp told everyone about it (after they closed the security holes). Yes, this is a legal requirement to tell people - but how many forums do you think get silently hacked and repaired? Going by some of the spam I get on my "forum only" email addresses, I think that is fairly high.
Old 16th February 2011, 22:03   #6
jaromanda
Forum King
 
Join Date: Jun 2007
Location: Under the bridge
Posts: 2,289
Re: spam

I don't get much spam at all (maybe 3 on a bad day) on the email address I used to register here, so, it'll be interesting if that spikes suddenly
Old 16th February 2011, 22:24   #7
Batter Pudding
Major Dude
 
 
Join Date: Jun 2008
Posts: 1,665
I use this email address on a dozen or so forums. And nowhere else. It is noticeable that it has either been hacked and sold, or just sold previously.

The address used here is just an ISP supplied one. And they now get Google to look after the accounts. So most of the spam stops at the Google borders, so I cannot tell how much it gets.

I have 35 mailboxes I check, and spam levels are next to nothing. Surprised if I see a couple a month in total. But then, I am a paranoid git who doesn't trust anyone with my details. No Facebook or Twatter account. No leaving personal details strewn all over the place. Careful as to who I sign up with.

Anything with credit cards (Paypal, Amazon, Ebay, Tax, etc) all get unique addresses. With a hack like has happened here at Winamp, I guess there are people here with a SINGLE Hotmail email address they use EVERYWHERE. With some of those having the same password for each account. I have seen clients of mine get hacked and badly scammed that way. They then get a kick up the arse from me and a lecture to not be so silly in future. No one has the same door key for house, work, car and bank vault - so why use the same password?