Bitcoin Forum

Other => Meta => Topic started by: Anonymous on September 09, 2011, 08:00:53 PM



Title: Forum passwords.
Post by: Anonymous on September 09, 2011, 08:00:53 PM
Are they properly encrypted and salted? Again, it seems the site has been compromised. Should we be changing our passwords?


Title: Re: Forum passwords.
Post by: JeffK on September 09, 2011, 08:08:11 PM
No one cares about fakeposting under your account, but checking if a site properly salted/hashed passwords should have been done before we all signed up.


Title: Re: Forum passwords.
Post by: memvola on September 09, 2011, 08:27:54 PM
No one cares about fakeposting under your account, but checking if a site properly salted/hashed passwords should have been done before we all signed up.

Thanks for the insight.


Title: Re: Forum passwords.
Post by: LightRider on September 11, 2011, 04:57:57 AM
https://www.grc.com/haystack.htm


Title: Re: Forum passwords.
Post by: captainteemo on September 11, 2011, 05:02:41 AM
Are they properly encrypted and salted? Again, it seems the site has been compromised. Should we be changing our passwords?
1. No one cares about your bitcoin forum account.
2. SHA1 is insecure and broken.
3. This is running an extremely outdated version of SMF.


Title: Re: Forum passwords.
Post by: warweed on September 11, 2011, 05:07:27 AM
Brute Force Search Space Analysis:
Search Space Depth (Alphabet):   26+26+10+33 = 95
Search Space Length (Characters):   15 characters
Exact Search Space Size (Count):
(count of all possible passwords with this alphabet size and up to this password's length)   468,219,860,267,835,848,675,991,626,495
Search Space Size (as a power of 10):   4.68 x 10^29
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second)   1.49 hundred thousand trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)   1.49 billion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)   1.49 million centuries
Note that typical attacks will be online password guessing

:D
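The search-space figures pasted above can be reproduced with exact integer arithmetic. The block below is an added example, not part of any post in this thread and not the GRC page's own code: it sums the geometric series of all passwords of length 1 to 15 over a 95-character alphabet and converts the three guess rates quoted above into centuries. The century length (365.25-day years) is an assumption, so only the magnitudes are expected to match the pasted numbers. Keep in mind that these are ceilings for a uniformly random password; a dictionary word or a reused password falls long before that space is exhausted, and the figures say nothing about whether the server stores the hash in a way that slows guessing.

```python
# Added example: reproduce the "haystack" search-space arithmetic exactly.
# Assumption: a century is 100 Julian years (365.25 days each).

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 60 * 60


def search_space(alphabet_size: int, max_length: int) -> int:
    """Count every password of length 1..max_length over the alphabet.

    This is the geometric series sum_{L=1}^{n} a^L = (a^(n+1) - a) / (a - 1),
    evaluated with Python integers so the 30-digit result is exact.
    """
    return (alphabet_size ** (max_length + 1) - alphabet_size) // (alphabet_size - 1)


def centuries_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Wall-clock time needed to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def haystack_report(alphabet_size: int = 95, max_length: int = 15) -> dict:
    """Search-space size plus exhaustion time for the three rates quoted in the thread."""
    space = search_space(alphabet_size, max_length)
    scenarios = {
        "online (1e3/s)": 10**3,
        "offline fast (1e11/s)": 10**11,
        "massive array (1e14/s)": 10**14,
    }
    return {
        "space": space,
        "centuries": {name: centuries_to_exhaust(space, rate) for name, rate in scenarios.items()},
    }


if __name__ == "__main__":
    report = haystack_report()
    print(f"search space: {report['space']:,}  (~{report['space']:.2e})")
    for name, centuries in report["centuries"].items():
        print(f"{name:>24}: {centuries:.3g} centuries")
```

Running it prints the same 468,219,860,267,835,848,675,991,626,495 count and roughly 1.48e17, 1.48e9 and 1.48e6 centuries for the three rates; the small difference from the pasted 1.49 comes from the year-length assumption.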


Title: Re: Forum passwords.
Post by: captainteemo on September 11, 2011, 05:09:31 AM
Brute Force Search Space Analysis:
Search Space Depth (Alphabet):   26+26+10+33 = 95
Search Space Length (Characters):   15 characters
Exact Search Space Size (Count):
(count of all possible passwords with this alphabet size and up to this password's length)   468,219,860,267,835,848,675,991,626,495
Search Space Size (as a power of 10):   4.68 x 10^29
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second)   1.49 hundred thousand trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)   1.49 billion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)   1.49 million centuries
Note that typical attacks will be online password guessing

:D
You don't need to brute-force it and get what password you used. It's SHA1. You just need to have another input that results in the same hash.


Title: Re: Forum passwords.
Post by: deepceleron on September 11, 2011, 05:12:26 AM
Note that typical attacks will be online password guessing
Note that the typical attack will be running a stolen database through dedicated cracking rigs. About 1/5 of users' mtgox passwords were cracked and published within days of the compromise. It was also clear that the original plaintext was found and not some hash-matching string of garbage.
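The thread contrasts two ways a forum can store passwords: a bare SHA-1 digest, where every account with the same password ends up with the same stored value, and a per-user salted, iterated hash, where a stolen database has to be attacked one record at a time. The block below is an added example that is not code from SMF or from any poster: it implements both schemes with the Python standard library (PBKDF2-HMAC-SHA256 stands in for "salted and iterated"; the iteration count and the user records are constructed for the demo) and includes the audit check a defender would run over a dump, namely grouping accounts that share an identical stored digest.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: bare SHA-1 storage versus per-user salted, iterated hashing.
# Assumption: the iteration count below is a demo value; tune it per server.
ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme discussed in the thread.

    Identical passwords produce identical digests for every account, so one
    recovered digest unlocks every user who chose the same password.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_digest_accounts(records):
    """Audit helper: list groups of usernames whose stored digest is identical.

    Over a bare-SHA-1 table this immediately exposes shared passwords; over a
    properly salted table the result should be empty.
    """
    groups = {}
    for user, digest in records:
        groups.setdefault(digest, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts; two users picked the same password.
    sample = [("alice", "password1"), ("bob", "password1"), ("carol", "other-pass")]
    sha1_table = [(u, unsalted_sha1(p)) for u, p in sample]
    salted_table = [(u, hash_password(p)) for u, p in sample]
    print("shared digests, bare SHA-1:", duplicate_digest_accounts(sha1_table))
    print("shared digests, salted PBKDF2:", duplicate_digest_accounts(salted_table))
    print("login check:", verify_password("password1", salted_table[0][1]))
```

The salt does not need to be secret; its job is to make each record a separate cracking target, while the iteration count raises the cost of every guess against every record, which is what turns "1/5 of the database in days" into a far slower proposition.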