Forum Main>>General Discussion>> Security breach - more detail please
ludcivious

ID: 975830
Level: 35
Posts: 164
Score: -101
ludcivious [975830]

Posted on Wed Jun 05, 2013 12:48:56
By gandalfoftheday [1634814]
Please reply to this thread seriously. It's a commercial site with thousands of users. Now for the facts:
1. Most people here are not security experts, using the same password for many sites.

This is their problem.. educate yourself and use more common sense in respect to your passwords.
2. A simple md5 password can be cracked in seconds (mysql standard encryption)

MD5 is NOT encryption! it is an encoding!
3. If they have our passwords, they have our accounts at least here in torn. Think a little bit long term.
4. They can spam our mails if nothing else.
5. Thank you to everyone for getting back the site but this is far more important than losing some virtual items and cash.
6. Changing password here doesn't stop them using it in different sites etc etc.
No need for more. Hope you got the point. Pls make a better explanation...



Last Edited: Wed Jun 05, 2013 12:51:32
pimptastic

ID: 427672
Level: 62
Posts: 858
Score: 428
pimptastic [427672]

Posted on Thu Jun 06, 2013 04:43:57
By MightyGoober [812478]
By Driving [1497275]
well they have our passwords, just encrypted.

I'm surprised they didn't suggest we change them?

Pretty sure any encryption can be eventually solved/brute forced.


Password encryption is a one way street without an encryption key. (The type described by Ched in his post)

The very first time you set your password, it is hashed with a key set by TC. In the database your password looks like: u5hb65i4biub32oiuyv5o3uy2v5ouy32biu2b4

When you log in, it takes your password and hashes it exactly the same way, and does a boolean comparison.
if ("u5hb65i4biub32oiuyv5o3uy2v5ouy32biu2b4" == "u5hb65i4biub32oiuyv5o3uy2v5ouy32biu2b4") {
    // Log in
}

Anyway, main point - as long as the encryption key was not compromised you have nothing to worry about.

If they get hashed with the same key/cypher and your post is true then anyone with a brain would have worked out they have got a hash of a known(or with multis/others) a handful of known passwords.

u5hb65i4biub32oiuyv5o3uy2v5ouy32biu2b4 = u5hb65i4biub32oiuyv5o3uy2v5ouy32biu2b4 = knownpasswords/key

It still isn't lots but it would greatly improve chances for them by giving them known parts to use.

Make sure to check out my bazaar for tons of great deals.
Turmoil

ID: 1602605
Level: 49
Posts: 816
Score: 964
Turmoil [1602605]

Posted on Thu Jun 06, 2013 15:11:38
By ryan_mc44567 [326467]


Edit: For all the people worried about their passwords:
--> It'll take millions of years to crack just one [if they were kept as advertised] <--


The million years is to try by all possible combinations. But it is possible, but not likely, to crack it upon the first try.

Just my luck! I am changing all the passwords, on all of my different sites, to 128 bit, and then burying them in the backyard.



Incisive
ID: 1312721
Level: 39
Posts: 63
Score: 21
Incisive [1312721]

Posted on Thu Jun 06, 2013 15:36:18
By Turmoil [1602605]
By ryan_mc44567 [326467]


Edit: For all the people worried about their passwords:
--> It'll take millions of years to crack just one [if they were kept as advertised] <--


The million years is to try by all possible combinations. But it is possible, but not likely, to crack it upon the first try.

Just my luck! I am changing all the passwords, on all of my different sites, to 128 bit, and then burying them in the backyard.



More like an hour or two than a million years. It's not as hard as people are making it out to be.


Belwilliam

ID: 79148
Level: 74
Posts: 2408
Score: 1056
LDNBelwilliam [79148]

Posted on Thu Jun 06, 2013 18:33:40
I am not sure that the "salt" is unique to each password. It is just each password is salted (same salt), and then encrypted.

It is hard to break 1 password. However, the problem can be approached like analyzing a simply-encrypted language that just uses symbol substitution (frequency of letters/symbol analysis).

If they pulled multiple passwords, there are doubtless many of you that have asinine passwords like "password". They then find the encrypted passwords that are most common and then try to determine the "salt". I think this would still be hard, but is probably more in the realm of doable with current technology. I do not know much about security, but this is one simplification of the problem that might make password-cracking a tractable problem.

However, even simpler, they pull their own encrypted password out of the DB and then can directly try to calculate the "salt".

I would suggest that Ched and company decrypt and then re-salt all the passwords with a new "salt" string.

In any case, I've changed my password to an even stronger password. You guys should use something like 1Password or any other password generator + storage App to generate strong passwords.
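
Added example, not part of any post in this thread and not the site's actual code: it contrasts the single shared salt discussed above with a random per-user salt, and shows the hash-then-compare login check described earlier in the thread. The account names, salt value, choice of MD5 for the fast hash and PBKDF2 for the slow one are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

SITE_SALT = b"constructed-site-wide-salt"  # assumption: one salt shared by every account

def shared_salt_hash(password: str) -> str:
    """Fast hash with a single site-wide salt (the scheme the posts worry about)."""
    return hashlib.md5(SITE_SALT + password.encode()).hexdigest()

def enroll(password: str, iterations: int = 200_000) -> dict:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(record: dict, attempt: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def repeated_digests(digests) -> int:
    """Count accounts whose stored value is identical to another account's."""
    return sum(n for n in Counter(digests).values() if n > 1)

# Constructed sample accounts; three of them chose the same password.
USERS = {"alice": "password", "bob": "password",
         "carol": "password", "dave": "T7#vq-long-unique"}

def audit():
    shared = [shared_salt_hash(p) for p in USERS.values()]
    # Low iteration count only to keep this demo fast.
    records = {u: enroll(p, iterations=1000) for u, p in USERS.items()}
    per_user = [r["digest"] for r in records.values()]
    return repeated_digests(shared), repeated_digests(per_user), records

if __name__ == "__main__":
    dup_shared, dup_per_user, records = audit()
    print("accounts sharing a stored value, site-wide salt:", dup_shared)
    print("accounts sharing a stored value, per-user salt: ", dup_per_user)
    print("alice login ok:", verify(records["alice"], "password"))
```

With one salt for everyone, equal passwords are visible as equal rows in the table; with a per-user salt they are not, and each row has to be attacked separately.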

Rino_007
ID: 344056
Level: 65
Posts: 4491
Score: 1505
Rino_007 [344056]

Posted on Fri Jun 07, 2013 13:24:00
By ryan_mc44567 [326467]
By Driving [1497275]
well they have our passwords, just encrypted.

I'm surprised they didn't suggest we change them?

Pretty sure any encryption can be eventually solved/brute forced.


Not really .. at least, not in any lifetime of ours ..
Using Rainbow-tables they might have a chance - but if the encryption is as good as they say, the passwords should be safe for a good Million years or more.

Edit: For all the people worried about their passwords:
--> It'll take millions of years to crack just one [if they were kept as advertised] <--


Actually there is a password cracker out there that can break 10-character-long passwords in maybe an hour or 2 if I recall correctly. It does something like 2 billion combinations per second (brute force) assuming they have the encryption key. In fact that cracker is so fast only like a 40+ character length password has a chance to be secure. I believe the only thing to fear is if the encryption key is safe or not. To be safe you could change your password but other than that if the encryption key itself was compromised I'd like to think the staff would warn us to change the passwords.

Bloods
ID: 1696973
Level: 29
Posts: 2233
Score: 1972
Bloods [1696973]

Posted on Fri Jun 07, 2013 13:27:08
Detailed information of the attacks here ---> https://www.torn.com/forums.php?forumID=2&ID=15444593

BeckyWin

ID: 1640105
Level: 19
Posts: 118
Score: 33
SSsBeckyWin [1640105]

Posted on Sat Jun 08, 2013 01:56:35
By TheDarkLegacy [1712562]
It's obvious. They now have your soul.



