Forum passwords.

[Anonymous]

Are they properly encrypted and salted? Again, it seems the site has been compromised. Should we be changing our passwords?

[JeffK]

No one cares about fakeposting under your account, but checking if a site properly salted/hashed passwords should have been done before we all signed up.

[memvola]

No one cares about fakeposting under your account, but checking if a site properly salted/hashed passwords should have been done before we all signed up.

Thanks for the insight.

[LightRider]

https://www.grc.com/haystack.htm

[captainteemo]

Are they properly encrypted and salted? Again, it seems the site has been compromised. Should we be changing our passwords?

1. No one cares about your bitcoin forum account.
2. SHA1 is insecure and broken.
3. This is running an extremely outdated version of SMF.

[warweed]

Brute Force Search Space Analysis:
Search Space Depth (Alphabet):   26+26+10+33 = 95
Search Space Length (Characters):   15 characters
Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)   468,219,860,267,
835,848,675,991,626,495
Search Space Size (as a power of 10):   4.68 x 1029
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second)   1.49 hundred thousand trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)   1.49 billion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)   1.49 million centuries
Note that typical attacks will be online password guessing

[captainteemo]

Brute Force Search Space Analysis:
Search Space Depth (Alphabet):   26+26+10+33 = 95
Search Space Length (Characters):   15 characters
Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)   468,219,860,267,
835,848,675,991,626,495
Search Space Size (as a power of 10):   4.68 x 1029
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second)   1.49 hundred thousand trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)   1.49 billion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)   1.49 million centuries
Note that typical attacks will be online password guessing

You don't need to bruteforce it and get what password you used. It's SHA1. You just need to have another input that results in the same hash.

[deepceleron]

Note that typical attacks will be online password guessing

Note that the typical attack will be running a stolen database through dedicated cracking rigs. About 1/5 of user's mtgox passwords were cracked and published within days of the compromise. It was also clear that the original plaintext was found and not some hash-matching string of garbage.