# Somebody Is Up To No Good

they're only as good as the encryption algorithm

Knowing forum software, that's probably "unbreakable." I believe it would have been hashed with a one-way system that's nearly impossible to decrypt, because it's not technically an encrypted form of the message (it's a "digest").

##### Share on other sites

Hey Bettina, good to see you back. I thought we had frightened you away!

Not we.... you.

Bettina

##### Share on other sites

cool!, now all the REAL hackers are coming out the closet, anyone care to pop around to my place and get this clunky old PC of mine working as it should?

there's a free beer and as many chemicals as you care to consume/sniff/look-at

##### Share on other sites

Herme,

In the log you posted, it shows that the hacker attempted to reset your password at least 13 times in 1 minute. That's an attempt every 4.6 seconds. That's got to be a program, not a person. There are people who make programs like this and deploy them into the internet. They can be programmed to seek out any accounts they can find, and it can be done for any number of reasons. Some try to hack into email accounts and take them hostage in order to send out spam. Others might want to hack into your machine and plant viruses. Whatever their reason, they don't need to know who you are or even pick you out of a number of other targets. For the most part, these programs are built to attack people at random and at such high rates that they can target thousands of accounts in a matter of seconds. For all you know, this might just be a random attack from a random source.

Not we.... you.

Bettina

BURN!!!

##### Share on other sites

I do make my passwords complex. I usually combine letters and numbers, and I sometimes forget my passwords.

I'm more concerned about somebody breaking into my database and taking the passwords from there. They are all encrypted, so I only see a long string like "b1c1539fc19d323df2af1935c595fb71". Of course, that isn't an actual encrypted password, it's just an example of what one looks like.

Do you think the encrypted passwords are secure?

Encrypted passwords cannot be decrypted, but one can write a program that takes random words and encrypts them with the same one-way algorithm. If a certain word gives an identical result, then the password is not secret any more.

This is only a minor risk if passwords are too complex for random guessing.

In my humble opinion this case is not worth very much attention especially if no other attacks will follow.

.....

##### Share on other sites

The password can be broken if you know something that's been encrypted and the real text, the special md5 encryption code, or a couple other things (there are special files on the server). Some websites will leave the encryption script open letting users type in text and getting the md5 back, allowing them to hack the script. (if you notice some porn sites encrypt the "real" site w/ md5 -- php?site=q45ehy8... and if you get the site you hack the md5 algorithm and can then decode all the other links)

There are articles on the Internet about all this. I used to know how but that was a while ago. You just use john, it's really not that hard.

I doubt your site has any problem though -- if it's one of the big forum software programs like vb or phpbb.

##### Share on other sites

cool!, now all the REAL hackers are coming out the closet, anyone care to pop around to my place and get this clunky old PC of mine working as it should?

there's a free beer and as many chemicals as you care to consume/sniff/look-at

I heard free beer:D . Oh yeah, I'm a yank. But if you pay for the plane ticket...

##### Share on other sites

Glad to see the problemo is sorted, and I wouldn't have suspected anyone from SFN would ever do something like that, but better to be safe and check.

herme3: that type of encryption is fairly safe, however if you were to give me an encrypted password like that I could discover the password via a method known as brute force. As you cannot decode that you basically have to try every single possible combination of letters and numbers until you get it correct.

To speed up this process there are big tables listing precalculated passwords/codes. The ultimate example of this is a 64GB table which can crack any password up to 14 characters long using any possible characters on a standard keyboard. It would take any one computer years to calculate this, but as all the data is stored in this 64GB table, all a computer has to do is search through the table, which takes a few minutes.

Having said all of this I will conclude by saying that md5 is about the safest type of encryption and is used on all Windows systems (well, all the recent ones anyway), and don't worry about people brute forcing your database of passwords.

##### Share on other sites

I have to say that as the computing power goes up, I'm trusting md5 less and less. There have been quite a few developments in cracking it recently; as a result, I'm tending to use SHA-256 these days, which is a much better replacement. Have a look at the Wikipedia entry for some more information on the md5 algorithm - if nothing else, it makes interesting reading.

##### Share on other sites

I have to say that as the computing power goes up, I'm trusting md5 less and less. There have been quite a few developments in cracking it recently; as a result, I'm tending to use SHA-256 these days, which is a much better replacement.

Can you expand on that please. AFAIK there's the brute force method. Also as the months go by there will be more Rainbow tables (tables of precalculated passwords and corresponding md5 hashes) that can be used to quickly crack md5 encrypted passwords. Now if we combine this with the increasing efficiency of brute force attacks, and the overall increase of computing power available to the average user, it has certainly become quicker to brute force md5. Is this what you mean by "quite a few developments in cracking it recently"? Or is there something else I'm not aware of?

##### Share on other sites

I'm really not talking about brute-force here. You can use that for any sort of hashing algorithm. If you do a little searching, a couple of years ago a few (albeit obscure) cases were found in which you can deliberately create collisions. My betting is that eventually, and maybe soon, we're going to find a nasty hole in it, and all of a sudden, anyone using md5-based hashing is going to be vulnerable.

##### Share on other sites

The problem is that finding a collision won't be a problem for forum softwares. A hacker would need access to the database to find the md5 hash anyways, and if he has access to the database, it doesn't really matter any more.

##### Share on other sites

The problem is that finding a collision won't be a problem for forum softwares. A hacker would need access to the database to find the md5 hash anyways, and if he has access to the database, it doesn't really matter any more.

Exactly, and rainbow tables can be rendered useless by salting your hash.

The problem with MD5 collisions is when you're talking about binaries that could potentially be replaced with a malicious alternative with the same hash. Luckily most smart people are using SHA (for example, the FreeBSD ports system computes both MD5 + SHA-256 for a downloaded package; try finding a collision for both)

##### Share on other sites
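
The salting point made in the post above, as an added example that is not part of the original thread or of any forum software's code: a bare MD5 digest of a common password is found in a precomputed table, while a per-user salted PBKDF2 record of the same password is not, and two users with the same password get different records. The word list, the round count and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a precomputed table that maps
# unsalted MD5 digests back to the words that produced them.
COMMON_WORDS = ["password", "letmein", "dragon"]
PRECOMPUTED = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON_WORDS}

PBKDF2_ROUNDS = 200_000  # assumption: tune to your own hardware


def store_unsalted_md5(password: str) -> str:
    """The legacy scheme discussed in the thread: a bare MD5 digest."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password: str) -> dict:
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "rounds": PBKDF2_ROUNDS, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def table_lookup(stored_hash: str):
    """Return the word a precomputed table yields for a stored hash, or None."""
    return PRECOMPUTED.get(stored_hash)


if __name__ == "__main__":
    alice, bob = store_salted("letmein"), store_salted("letmein")
    print("unsalted lookup:", table_lookup(store_unsalted_md5("letmein")))
    print("salted lookup:  ", table_lookup(alice["hash"]))
    print("same password, different records:", alice["hash"] != bob["hash"])
    print("verify right / wrong:", verify_salted("letmein", alice),
          verify_salted("dragon", alice))
```
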

salt the hash, and hash the hash, md5's are longer than the best tables out atm aren't they?

But I do tend to agree with Dave, my new stuff doesn't rely on md5...

##### Share on other sites

The problem is that finding a collision won't be a problem for forum softwares. A hacker would need access to the database to find the md5 hash anyways, and if he has access to the database, it doesn't really matter any more.

A lot of software, including vB, stores your md5'd password in a cookie, although I think vB md5's the password twice for additional security. Obtaining access to a cookie is relatively trivial, especially when people tick the "Remember Me" box and go and leave their computers for a while. It's an extremely common way of managing web sessions, since it authenticates the user on each page load.

##### Share on other sites

I thought most software would be sane enough to simply store a different unique session ID (not the password) as a cookie. That's how I wrote my software, at least, and I believe phpBB does it that way.

##### Share on other sites
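
The session-ID approach described in the post above, as an added example that is not part of the original thread and not vB's or phpBB's code: the cookie carries only a random token, the server keeps a hash of that token with an expiry, and logging out revokes it without involving the password. The class name, the lifetime and the user id are assumptions.

```python
import hashlib
import secrets
import time

SESSION_TTL = 30 * 60  # assumption: 30-minute session lifetime, in seconds


class SessionStore:
    """Server-side session table keyed by a hash of the random cookie value."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored, so a leaked table does not yield live cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id: str, now: float = None) -> str:
        """Issue an unguessable token; this string is the entire cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = (user_id, now + SESSION_TTL)
        return token

    def authenticate(self, token: str, now: float = None):
        """Return the user id for a live session, or None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(self._key(token), None)  # drop expired session
            return None
        return user_id

    def logout(self, token: str) -> None:
        """Revoke one session without touching the user's password."""
        self._sessions.pop(self._key(token), None)
```

A cookie copied from an unattended machine stops working at expiry or logout, whereas a cookie holding a password hash stays valid until the password itself is changed.
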

PGP anyone?

If you're really paranoid you could use pgp to encrypt over a webserver. (assuming of course you own the webserver)

##### Share on other sites

SSL/TLS is far more efficient for HTTP traffic.

PGP was designed for more long-term storage, like emails, as they sit in the inbox for long periods of time.

##### Share on other sites

this is beginning to sound more like a menu than a computer related chat.

salted hash and cookies Yummy, I'll try a byte

##### Share on other sites

I thought most software would be sane enough to simply store a different unique session ID (not the password) as a cookie. That's how I wrote my software, at least, and I believe phpBB does it that way.

You would think, wouldn't you, but sometimes even software engineers are dumb...

##### Share on other sites

salted hash and cookies Yummy, I'll try a byte

Haha, very good!

Waste of a post, but I had to say it! And this is General Discussion after all!
