Paypal warning.

News and important info, general banter, and suggestions for 5punk


Fear
Zombie
Posts: 2032
Joined: August 6th, 2006, 21:45

Post by Fear »

Were your passwords guessable?

I use Keepass to generate and store all my passwords. I tend to shy away from words or non-random data for important sites such as banks, etc. So far so good....

*touches wood*
TezzRexx
Dr Zoidberg
Posts: 4072
Joined: February 8th, 2005, 15:54
Location: BURMINGHUM, England

Post by TezzRexx »

Dr. kitteny berk wrote:3.

2 of us were pretty much refreshing 5punk every 2 minutes while the hacking was going on, dunno about prof.

So I'd put that as the most likely cause.
Ahh, that's probably it then. Fuckers.

BTW, did we ever find out who hacked 5punk and how?
Dr. kitteny berk
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53

Post by Dr. kitteny berk »

Current assumption is evil people and the /uploads/ thingy.
TezzRexx
Dr Zoidberg
Posts: 4072
Joined: February 8th, 2005, 15:54
Location: BURMINGHUM, England

Post by TezzRexx »

Fear wrote:Were your passwords guessable?

I use Keepass to generate and store all my passwords. I tend to shy away from words or non-random data for important sites such as banks, etc. So far so good....

*touches wood*
LOLS! You touched wood! :faint:

But to the question, "Were your passwords guessable?" I severely doubt it, knowing how much Berk and Proff win at the internets.
Dr. kitteny berk
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53

Post by Dr. kitteny berk »

Fear wrote:Were your passwords guessable?
Yes (not guessable, but hardly super secure etc) , but the fact is, 3 people from one small site don't all get their paypal accounts hacked within a few days unless there's something more iffy at play.

Also: paypal would fix this kind of issue in a second if they moved to a security code and password system.
Fear
Zombie
Posts: 2032
Joined: August 6th, 2006, 21:45

Post by Fear »

Was it the same password as your forums one?

It's possible they took a dump of the sql database and brute-horse'd the md5 hashed passwords?

Whilst the link seems very likely to be 5punk, I can't fathom how visiting a website could have resulted in cookies for another domain being retrieved, and even then PayPal doesn't remember your password *ever*, only the browser does.
Dr. kitteny berk
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53

Post by Dr. kitteny berk »

Fear wrote:Was it the same password as your forums one?

It's possible they took a dump of the sql database and brute-horse'd the md5 hashed passwords?
This is likely (talking to prof)
fabyak
Home-made Big Daddy
Posts: 5681
Joined: October 14th, 2004, 14:02
Location: Oxford, England

Post by fabyak »

/me closes his PayPal account

never use the thing anyway
Sheriff Fatman
Optimus Prime
Posts: 1132
Joined: March 5th, 2006, 22:54

Post by Sheriff Fatman »

Dr. kitteny berk wrote:
This is likely (talking to prof)
Cracking an md5 is a bit of a bastard though isn't it?
Dr. kitteny berk
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53

Post by Dr. kitteny berk »

Sheriff Fatman wrote:Cracking an md5 is a bit of a bastard though isn't it?
not so much these days, especially if it's not salted.
Fear
Zombie
Posts: 2032
Joined: August 6th, 2006, 21:45

Post by Fear »

Sheriff Fatman wrote:Cracking an md5 is a bit of a bastard though isn't it?
Because MD5 is a fixed hashing algorithm (and phpbb doesn't use a nonce) it is possible they have a massive table of well known hashed passwords.

That, and they weren't random so a dictionary or semi-dictionary based attack would take mere minutes, if not seconds.
Sheriff Fatman
Optimus Prime
Posts: 1132
Joined: March 5th, 2006, 22:54

Post by Sheriff Fatman »

Dr. kitteny berk wrote:
not so much these days, especially if it's not salted.
Crikey. MD5 was the be-all-and-end-all of computer forensics with regard to proving that file X was the same file X on a paedo's computer.

Probably different circumstances, mind.
Fear
Zombie
Posts: 2032
Joined: August 6th, 2006, 21:45

Post by Fear »

Sheriff Fatman wrote:
Crikey. MD5 was the be-all-and-end-all of computer forensics with regard to proving that file X was the same file X on a paedo's computer.

Probably different circumstances, mind.
It still is, the likelihood of two files having the same md5 hash and having different content is phenomenally small.
Sheriff Fatman
Optimus Prime
Posts: 1132
Joined: March 5th, 2006, 22:54

Post by Sheriff Fatman »

Fear wrote:
Because MD5 is a fixed hashing algorithm (and phpbb doesn't use a nonce) it is possible they have a massive table of well known hashed passwords.
That's a given; but god knows how big said table would have to be to pre-empt MD5. The possibilities run into the millions.
Fear wrote:That, and they weren't random so a dictionary or semi-dictionary based attack would take mere minutes, if not seconds.
Hehe, times have changed. The last brute attack software I tested took hours to do an eight character alphanumeric password.
Dr. kitteny berk
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53

Post by Dr. kitteny berk »

Sheriff Fatman wrote:That's a given; but god knows how big said table would have to be to pre-empt MD5. The possibilities run into the millions.

Hehe, times have changed. The last brute attack software I tested took hours to do an eight character alphanumeric password.
Fairly huge.

http://en.wikipedia.org/wiki/Rainbow_table
ProfHawking
Zombie
Posts: 2101
Joined: February 20th, 2005, 21:31

Post by ProfHawking »

Bearing in mind that mine wouldn't have been a common word, let alone being in the dictionary, I think they either were very clever about it, or have access to a botnet with a large amount of number-crunching power.
Fear
Zombie
Posts: 2032
Joined: August 6th, 2006, 21:45

Post by Fear »

Rainbow tables are extremely fast for non-salted or non-nonced hashes. (phpbb)
Making a Faster Cryptanalytic Time-Memory Trade-Off by Philippe Oechslin wrote:Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2^37) in 13.6 seconds
That was with 2003's computation power.
Dr. kitteny berk
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53

Post by Dr. kitteny berk »

Fear wrote:Rainbow tables are extremely fast for non-salted or non-nonced hashes. (phpbb)

That was with 2003s computation power.
Also worth noting that it doesn't care what pass you're using if it's alphanumerical, no dictionary attack needed.
Sheriff Fatman
Optimus Prime
Posts: 1132
Joined: March 5th, 2006, 22:54

Post by Sheriff Fatman »

Dr. kitteny berk wrote:
Also worth noting that it doesn't care what pass you're using if it's alphanumerical, no dictionary attack needed.
Doesn't that make it harder to crack though? I thought dictionary attacks were a piece of piss.

/slightly behind the times
ProfHawking
Zombie
Posts: 2101
Joined: February 20th, 2005, 21:31

Post by ProfHawking »

Yes, I know the difference between brute-horse and dictionary, but I didn't realise rainbow tables made it so fast; it is rather worrying.
No chance of this salt in phpbb?
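To illustrate the point made earlier in the thread (a fixed, unsalted hash like phpBB's md5 can be matched against a table computed once in advance) and the salt question above, here is an added example that is not part of the thread or of phpBB. The candidate list and the "leaked" hashes are constructed for the demo; the table is a plain dictionary standing in for a real rainbow table.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a big precomputed table: a handful of candidates.
CANDIDATES = ["password", "letmein", "5punk", "dragon", "qwerty123"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_unsalted_table(candidates):
    """Compute md5(candidate) -> candidate ONCE; reusable against any dump.
    This reuse is exactly what a fixed, unsalted hash permits."""
    return {md5_hex(c.encode()): c for c in candidates}


def lookup(stored_hash: str, table: dict):
    """Constant-time-irrelevant lookup: the table has already done the work."""
    return table.get(stored_hash)


def salted_md5(password: str, salt: bytes) -> str:
    """Per-user random salt: the same password stores differently for every
    user, so a table computed before the salt existed matches nothing."""
    return md5_hex(salt + password.encode())


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """What a modern forum should store: salted AND deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_pbkdf2(password: str, salt: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(pbkdf2_hash(password, salt), expected_hex)


def demo():
    """Returns (match for the unsalted hash, match for the salted hash)."""
    table = build_unsalted_table(CANDIDATES)
    leaked_unsalted = md5_hex(b"letmein")          # constructed dump entry
    salt = os.urandom(16)                          # assumed per-user salt
    leaked_salted = salted_md5("letmein", salt)    # same weak password
    return lookup(leaked_unsalted, table), lookup(leaked_salted, table)


if __name__ == "__main__":
    print(demo())  # ('letmein', None)
```

The salted hash is still only md5 and can be attacked per user; the PBKDF2 functions show the stronger option that also makes each guess expensive.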