Hacker breaks into popular site and steals 20,000 passwords..


violentblossom
09-02-09, 21:37
Taken from Yahoo.

http://tech.yahoo.com/blogs/null/120554

Lee croft
09-02-09, 21:39
my passwords are odd so no one would ever EVER guess them

Joely-Moley
09-02-09, 21:40
Taken from Yahoo.
16 percent of passwords were a person's first name. No word on if it was their first name, but someone's.

bahahaha crap *goes and changes all passwords*

Changeling
09-02-09, 21:42
Whoa... sucks to be them :( That must be infuriating. Especially if they've used those passwords on other things :yik:

Luckily, my passwords don't fall into the category of those common passwords :D Mine are unique ;)

rickybazire
09-02-09, 21:42
My passwords are all unusual words. Well, not even words...:D

violentblossom
09-02-09, 21:43
my passwords are odd so no one would ever EVER guess them

Whoa... sucks to be them :( That must be infuriating. Especially if they've used those passwords on other things :yik:

Luckily, my passwords don't fall into the category of those common passwords :D Mine are unique ;)

me, too, lol. mine never even relate to me. :D

MattTR
09-02-09, 21:49
Wow.. thank goodness it wasn't any of us. :eek:

My passwords are hard to guess as well, and are random as heck. :p

I guess it was a lesson worth learning.

lararoxs
09-02-09, 21:52
I see the risk with all this and I'm sympathetic to all those that got trapped in this mess, but don't you think it's common sense to random a password up a bit? Especially for emails and bank accounts as they probably use the same one for both. I mean abc123? or a single character?:rolleyes:

EmeraldFields
09-02-09, 21:52
My password is random numbers and letters.:D

Joely-Moley
09-02-09, 21:53
So I'm the only idiot that had his first name as his password?
Looks like it. To be fair I did have numbers after it.

:(

Saphyre
09-02-09, 21:58
Mine's random too, consists of both letters and numbers, the best way.

*laralover*
09-02-09, 22:07
Damn.. Well my passwords are letters and numbers so I'm ok :D

Encore
09-02-09, 22:23
Interesting news (and scary).

The passwords I use are so completely random that no one would guess. :p

Drone
09-02-09, 22:30
poor things. Being a programmer myself I also visit such sites very often.

But anyway as they said it's just a message board so who cares

TRLegendLuver
09-02-09, 22:30
Every one of my passwords from a site is different, there isn't one to another that is the same, and they're all numbers with letters or phrases, etc. Too crazy for any hacker.

Sir Croft
09-02-09, 22:43
My passwords are never the same and always have numbers and letters and sometimes even special characters like %$#@ etc..

Ikas90
10-02-09, 01:37
No one can guess my password. :pi: After my MSN got hacked, I received this excellent boost in brain power and changed my password to something tough. :rolleyes:

spikejones
10-02-09, 02:18
hehe... I like using letters and numbers and symbols in my passwords and I hate it when a site software spits out errors saying I can't use the symbols :mad:

I can think of a few other easy passwords too, which I am surprised are not on that list.
Wow.. thank goodness it wasn't any of us. :eek:

My passwords are hard to guess as well, and are random as heck. :p

I guess it was a lesson worth learning.
hmm... nah.. they didn't hack a person's account. they hacked the database that holds all that information. they're up to bigger and better things than petty forum account hacking. :mis: they could easily take down the entire forum by gaining access to the database.

digitizedboy
10-02-09, 02:41
The password I use is flubberbubble

haha.. you thought it was that easy?

seriously though, it's easy to get a password. I won't give details of how though, I might get banned. :| Neither am I that malicious anyway, or bothered. Just saying that's all.

spikejones
10-02-09, 03:13
^ I'm not scurred. All in the interest of education my friends, I present to you:
http://sectools.org/crackers.html ;)

of course... cracking passwords on the OS is much different from cracking passwords on a forum. At least as far as I am aware. The password authentication takes place on a different machine in that case, so hacking the server may be easier than to "crack" a user's password.

dox online
10-02-09, 06:18
This forum has a better security than the PHPBB forum software, right?
I have nothing for anyone to gain out of hacking my account.
BTW anyone know how to change the default font that the user uses?

mammacatta
10-02-09, 07:49
I got a valuable tip when I was a student. The teacher said to us to make a password of a song or something.
For ex:
Ib1hdn - It's been a hard day's night.
1o16vV - one of sixteen vessel virgins

That is virtually impossible to crack, you have to know someone perfectly to guess those.

But I don't use that, it's just a tip for those with just a name.

Punaxe
10-02-09, 07:52
Doesn't phpBB use MD5 encryption for all passwords? I know it's been cracked, but decrypting all 20.000 passwords I'd think would still take a while...

mammacatta
10-02-09, 07:54
Doesn't phpBB use MD5 encryption for all passwords? I know it's been cracked, but decrypting all 20.000 passwords I'd think would still take a while...

Nice password you have down there btw...;)

NightWish
10-02-09, 07:54
freaky...

ivannnnn
10-02-09, 07:59
Only me who owns my password. :p

Punaxe
10-02-09, 08:01
Nice password you have down there btw...;)

Only downside, it takes a while to memorize :p

rowanlim
10-02-09, 08:11
Unfortunate for those affected :(

I doubt anyone would be able to guess my password :D

spikejones
10-02-09, 17:27
I feel ignored :mad:

This forum has a better security than the PHPBB forum software, right?
This forum (vBulletin) afaik is based upon phpBB software - But I may be wrong.
Doesn't phpBB use MD5 encryption for all passwords? I know it's been cracked, but decrypting all 20.000 passwords I'd think would still take a while...
They didn't crack all 20,000 passwords. They cracked just ONE. The one that gains them server access to read the database. Please re-read the article and look up the term database (http://en.wikipedia.org/wiki/Database).
Unfortunate for those affected :(

I doubt anyone would be able to guess my password :D
they didn't guess anyone's password tbh. they posted the list of passwords just to show how weak they were. Not that they spent time trying to crack or guess everyone's passwords. But unfortunate? perhaps... Depends on if they did anything malicious other than posting the information. But being just a chat board - what is to be gained really?

-------------------
Here's a simplified overview of how it went down:

The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly.

source (http://area51.phpbb.com/phpBB/viewtopic.php?f=3&t=29973)

Punaxe
10-02-09, 17:58
I have a phpBB forum running myself, so I have access to the database, and all passwords in it are MD5 encrypted. Your source goes on to mention the improved encryption in phpBB's latest version, so am I to assume that they indeed reversed all MD5 hashes?

spikejones
10-02-09, 18:03
once gaining access to the database, it's a simple enough process to unhash MD5 encryption on a text string considering that the algorithm is well documented.

MD5 is more of a "keep the honest people honest" solution. Better to use an undocumented or custom algorithm for best security.

Punaxe
10-02-09, 18:06
From what I hear it has only recently been 'properly' cracked (as in, not taking hours) using a network of PlayStation 3 consoles. Nearly every hashing algorithm is "well documented", but they're designed specifically not to be reversible :p I didn't know MD5 was in such a bad state already.

spikejones
10-02-09, 18:10
I don't think there's really anything that can be irreversible - but I may be wrong. an algorithm of course is a set of rules to follow to get to a solution. so if you have the solution and the algorithm, you can work at a reverse algorithm even if it's not something so simple as:

x*y=z
being reversed to be
z/y=x

where z is the hash sum and x is the original text, and *y is the "encrypting method" applied.

Andariel
10-02-09, 18:11
Meh, I'd be upset if my myspace or bank account were hacked into. Anyway, those geeks really need social lives.

violentblossom
10-02-09, 18:14
Meh, I'd be upset if my myspace or bank account were hacked into. Anyway, those geeks really need social lives.

LOL. yeah.

i just thought it was funny that so many had such lame passwords.

spikejones
10-02-09, 18:14
^hey... it's those very same geeks and others like them that are working to keep your ass safe from the truly malicious pirates. You should be grateful for them.

sandygrimm
10-02-09, 18:19
I almost had mine hacked, but acted quick and changed from a 6 letter word to a 15 "letter" word O_O :vlol: sometimes I forget it

Punaxe
10-02-09, 18:19
I don't think there's really anything that can be irreversible - but I may be wrong. an algorithm of course is a set of rules to follow to get to a solution. so if you have the solution and the algorithm, you can work at a reverse algorithm even if it's not something so simple as:

x*y=z
being reversed to be
z/y=x

where z is the hash sum and x is the original text, and *y is the "encrypting method" applied.

Yeah, that example is indeed simple. That's why they mostly use one-way functions (http://en.wikipedia.org/wiki/One_way_function) to at least make it as difficult as possible - I can't say for sure if there are any that are truly irreversible. Until the PS3 came along, at least MD5 was apparently intractable (http://en.wikipedia.org/wiki/Intractable#Intractability).
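The one-way-function point in this exchange, as an added example that is not part of the thread (Python; the short wordlist is constructed here, with abc123 taken from the posts above and Ib1hdn from mammacatta's tip): an MD5 hash is never "decrypted" or run backwards. Recovery works by hashing guesses and comparing, so an unsalted, fast hash exposes exactly the common passwords the article's list showed, whereas a per-user random salt plus an iterated hash (PBKDF2 here, a documented standard algorithm) removes the single-pass lookup over a whole users table and makes every guess expensive.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed audit wordlist: the kind of entries the article's list was full of.
COMMON_PASSWORDS = ["123456", "password", "abc123", "letmein", "qwerty"]

ITERATIONS = 200_000  # PBKDF2 work factor; tune upward as hardware gets faster


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, as older phpBB releases stored it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def audit_unsalted_md5(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the weak password a stored MD5 hash corresponds to, or None.

    Nothing is reversed: each candidate is hashed forward and compared.
    With no salt, one pass over the wordlist covers every row in the table,
    which is why a dumped users table exposes all the common passwords at once.
    """
    for candidate in wordlist:
        if hmac.compare_digest(md5_hex(candidate), stored_hash):
            return candidate
    return None


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated hash. A fresh 16-byte salt per user means two users
    with the same password get different digests, and the iteration count
    makes each comparison the auditor above performs thousands of times slower."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Login-time check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations)[1], digest)


if __name__ == "__main__":
    print(audit_unsalted_md5(md5_hex("abc123"), COMMON_PASSWORDS))   # abc123
    print(audit_unsalted_md5(md5_hex("Ib1hdn"), COMMON_PASSWORDS))   # None
    salt_a, digest_a = pbkdf2_hash("abc123")
    salt_b, digest_b = pbkdf2_hash("abc123")
    print(digest_a != digest_b, verify_pbkdf2("abc123", salt_a, digest_a))  # True True
```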

spikejones
10-02-09, 18:52
^those terms are over my head to be honest :vlol: I'm not much of a programmer. I just see logic, so I could program if I learned the languages. bat file programming and the linux equivalent of executable text files is about as deep as I've delved into programming aside from a cursory look at pascal and visual basic. (and some excel equations).