Page 2 of 4
Posted: April 22nd, 2007, 23:53
by Fear
Were your passwords guessable?
I use Keepass to generate and store all my passwords. I tend to shy away from words or non-random data for important sites such as banks, etc. So far so good....
*touches wood*
Posted: April 22nd, 2007, 23:54
by TezzRexx
Dr. kitteny berk wrote:3.
2 of us were pretty much refreshing 5punk every 2 minutes while the hacking was going on, dunno about prof.
So I'd put that as the most likely cause.
Ahh, that's probably it then. Fuckers.
BTW, did we ever find out who hacked 5punk and how?
Posted: April 22nd, 2007, 23:56
by Dr. kitteny berk
Current assumption is evil people and the /uploads/ thingy.
Posted: April 22nd, 2007, 23:56
by TezzRexx
Fear wrote:Were your passwords guessable?
I use Keepass to generate and store all my passwords. I tend to shy away from words or non-random data for important sites such as banks, etc. So far so good....
*touches wood*
LOLS! You touched wood!
But to the question, "Were your passwords guessable?" I severely doubt it, knowing how much Berk and Proff win at the internets.
Posted: April 22nd, 2007, 23:59
by Dr. kitteny berk
Fear wrote:Were your passwords guessable?
Yes (not guessable, but hardly super secure etc) , but the fact is, 3 people from one small site don't all get their paypal accounts hacked within a few days unless there's something more iffy at play.
Also: paypal would fix this kind of issue in a second if they moved to a security code and password system.
Posted: April 23rd, 2007, 0:02
by Fear
Was it the same password as your forums one?
It's possible they took a dump of the sql database and brute-horse'd the md5 hashed passwords?
Whilst the link seems very likely to be 5punk I can't fathom how visiting a website could have resorted in cookies for another domain being retrieved. and even then paypal doesn't remember your password *ever*, only the browser does.
Posted: April 23rd, 2007, 0:09
by Dr. kitteny berk
Fear wrote:Was it the same password as your forums one?
It's possible they took a dump of the sql database and brute-horse'd the md5 hashed passwords?
This is likely (talking to prof)
Posted: April 23rd, 2007, 0:10
by fabyak
/me closes his PayPal account
never use the thing anyway
Posted: April 23rd, 2007, 0:22
by Sheriff Fatman
Dr. kitteny berk wrote:
This is likely (talking to prof)
Cracking an md5 is a bit of a bastard though isn't it?
Posted: April 23rd, 2007, 0:24
by Dr. kitteny berk
Sheriff Fatman wrote:Cracking an md5 is a bit a a bastard though isn't it?
not so much these days, especially if it's not salted.
Posted: April 23rd, 2007, 0:26
by Fear
Sheriff Fatman wrote:Cracking an md5 is a bit of a bastard though isn't it?
Because MD5 is a fixed hashing algorithm (and phpbb doesn't use a nonce) it is possible they have a massive table of well known hashed passwords.
That, and they weren't random so a dictionary or semi-dictionary based attack would take mere minutes, if not seconds.
Posted: April 23rd, 2007, 0:31
by Sheriff Fatman
Dr. kitteny berk wrote:
not so much these days, especially if it's not salted.
Crikey. MD5 was the the be-all-and-end-all of computer forensics with regard to proving that file X was the same file X on a paedo's computer.
Probably different circumstances, mind.
Posted: April 23rd, 2007, 0:33
by Fear
Sheriff Fatman wrote:
Crikey. MD5 was the the be-all-and-end-all of computer forensics with regard to proving that file X was the same file X on a paedo's computer.
Probably different circumstances, mind.
It still is, the likelihood of two files having the same md5 hash and having different content is phenomenally small.
Posted: April 23rd, 2007, 0:47
by Sheriff Fatman
Fear wrote:
Because MD5 is a fixed hashing algorithm (and phpbb doesn't use a nonce) it is possible they have a massive table of well known hashed passwords.
That's a given; but god knows how big said table would have to be to pre-empt MD5. The possibilities run into the millions.
Fear wrote:That, and they weren't random so a dictionary or semi-dictionary based attack would take mere minutes, if not seconds.
Hehe, times have changed. The last brute attack software I tested took hours to do an eight character alphanumeric password.
Posted: April 23rd, 2007, 0:53
by Dr. kitteny berk
Sheriff Fatman wrote:That's a given; but god knows how big said table would have to be to pre-empt MD5. The possibilities run into the millions.
Hehe, times have changed. The last brute attack software I tested took hours to do an eight character alphanumeric password.
Fairly huge.
http://en.wikipedia.org/wiki/Rainbow_table
Posted: April 23rd, 2007, 0:55
by ProfHawking
bearing in mind that mine wouldn't have been a common word let alone being in the dictionary, i think they either were very clever about it, or have access to a botnet with large number crunching power.
Posted: April 23rd, 2007, 0:59
by Fear
Rainbow tables are extremely fast for non-salted or non-nonced hashes. (phpbb)
Making a Faster Cryptanalytic Time-Memory Trade-Off by Philippe Oechslin wrote:Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2 37 ) in 13.6 seconds
That was with 2003s computation power.
Posted: April 23rd, 2007, 1:03
by Dr. kitteny berk
Fear wrote:Rainbow tables are extremely fast for non-salted or non-nonced hashes. (phpbb)
That was with 2003s computation power.
Also worth noting that it doesn't care what pass you're using if it's alphanumerical, no dictionary attack needed.
Posted: April 23rd, 2007, 1:13
by Sheriff Fatman
Dr. kitteny berk wrote:
Also worth noting that it doesn't care what pass you're using if it's alphanumerical, no dictionary attack needed.
Doesn't that make it harder to crack though? I thought dictionary attacks were a piece of piss.
/slightly behind the times
Posted: April 23rd, 2007, 1:14
by ProfHawking
yes i know the difference between brute-horse and dictionary, but i didnt realise rainbow tables made it so fast, it is rather worrying.
no chance of this salt in phpbb?