|
|
12 Jun 2006, 15:04
|
#151
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Dace
Yeah, congrats on that Jonny.
|
Thanks. It was a lot of effort but I surprised myself by coming through with it in the end.
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 15:05
|
#152
|
so f*cking zen
Join Date: Jan 2003
Location: Hitting Bottom
Posts: 8,499
|
Re: Account on Planetarion Forums locked out
Like Dante i don't really care. The hack only got a raised eyebrow response from me. The general response of those in authority, however, kinda amused me by its apparent incompetence, its resemblance to what the current government does (it's not our fault we're not gonna tell you exactly what happened and we'll be damned if we say sorry). Again *shrug*
__________________
On a long enough timeline, the survival rate for everyone drops to zero.
|
|
|
12 Jun 2006, 15:06
|
#153
|
so f*cking zen
Join Date: Jan 2003
Location: Hitting Bottom
Posts: 8,499
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by JonnyBGood
Yeah. Because that's the model of organisation we should be trying to emulate. Modern western government :rolleyes:
|
(i only saw this after i'd written my last post)
__________________
On a long enough timeline, the survival rate for everyone drops to zero.
|
|
|
12 Jun 2006, 15:08
|
#154
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Dace
Like Dante i don't really care. The hack only got a raised eyebrow response from me. The general response of those in authority, however, kinda amused me by its apparent incompetence, its resemblance to what the current government does (it's not our fault we're not gonna tell you exactly what happened and we'll be damned if we say sorry). Again *shrug*
|
Firstly, it's not my place to apologise. If JJ would like to do so that's up to him. Secondly, AS I HAVE ****ING EXPLAINED, the reason it hasn't been fully explained is because we don't want anyone following up along the same route until we know for certain that it isn't there.
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 15:09
|
#155
|
Born Sinful
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
|
Re: Account on Planetarion Forums locked out
People need to realise that some people on the mod team are under NDA from Jolt. Because of this, no-one on the mod team wants to risk breaching the terms of those NDAs, which in turn means waiting for Jolt's say-so before we can give specifics.
You can take the lack of apology any way you like, but a lot of it has to do with our hands being tied. If we're ever allowed to disclose what happened then maybe you'll agree. On the other hand, maybe you won't. It's not really my problem.
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
|
|
|
12 Jun 2006, 15:12
|
#156
|
Insanity Prawn Boy!
Join Date: Dec 2001
Location: In a bush where you can't find me
Posts: 2,474
|
Re: Account on Planetarion Forums locked out
Ah, I get it now. Once again it all boils down to the mighty evil Jolt preventing the mods from actually doing their job. Jolt really are cocks at times
__________________
They shall not grow old, as we who are left grow old:
Age shall not weary them, nor the years condemn.
At the going down of the sun and in the morning
We shall remember them.
|
|
|
12 Jun 2006, 15:14
|
#157
|
so f*cking zen
Join Date: Jan 2003
Location: Hitting Bottom
Posts: 8,499
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by meglamaniac
People need to realise that some people on the mod team are under NDA from Jolt. Because of this, no-one on the mod team wants to risk breaching the terms of those NDAs because we've been warned that if we do we'll die the most horrific death possible (Jolt promised).
|
Fair enough but still :rolleyes:
Quote:
Originally Posted by meglamaniac
You can take the lack of apology any way you like, but a lot of it has to do with our hands being tied. If we're ever allowed to disclose what happened then maybe you'll agree. On the other hand, maybe you won't. It's not really my problem.
|
How is "we're sorry that a security breach resulted in every one of your accounts being compromised" disclosing what happened?
__________________
On a long enough timeline, the survival rate for everyone drops to zero.
|
|
|
12 Jun 2006, 15:15
|
#158
|
Godfather
Join Date: May 2000
Location: England
Posts: 5,185
|
Re: Account on Planetarion Forums locked out
The exploit was not our fault. We did not cause it. We had no way of defending against it.
The reason I can't go into detail is because I'm bound by an NDA I signed yonks ago and therefore until I get word back from Biffy or Keith I'm not in a position to explain precisely what went on and what we've done about it. The situation is tricky at best.
I've done what I felt was necessary insomuch as posted an announcement informing you all to change your passwords. It's inconvenience that has not been caused by us however. I apologise for the fact I can't be forthcoming with 'this is precisely how it was done and this is precisely what we have done about it'.
Admittedly it does sound very suspect the whole 'it wasn't us' but all I can do is ask you to trust us. The reason the breach occurred was through no fault of any of the mods or the admin team.
__________________
Forum Administrator
Mail : [email protected] // IRC : #forums
__________________
It's not personal, it's just business.
|
|
|
12 Jun 2006, 15:19
|
#159
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Dace
How is "we're sorry that a security breach resulted in every one of your accounts being compromised" disclosing what happened?
|
Christ if that's all you wanted.
"We're all extraordinarily, entirely, despairingly, completely, wholly, fully, terribly sorry that a most unfortunate, unforeseen, unexpected, unimaginably horrifying security breach resulted in every one of your important, precious, vital, accounts, without which life would not be worth living were compromised in such a violation of dastardly proportions that I have phoned the Sun who have promised to send out their top sensationalists who are taking valuable time out from getting rid of the immigrants for this most desperate of situations."
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 15:21
|
#160
|
Clerk
Join Date: Jun 2001
Posts: 13,940
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by JBG
Yeah. Because that's the model of organisation we should be trying to emulate. Modern western government
|
I would imagine it applies to most organisational types. Any decent business will apologise for things that former employees did for instance.
If you're an institution / organisation there's some sort of idea of continuity - people who were banned by former mods are generally still banned and that sort of thing. I posted Nod's quote with tongue firmly in cheek but what he says is fairly accurate.
As for the NDA, I doubt anyone was expecting a ten step HOWTO on how to exactly duplicate the hack. However, you can give general comments. For instance the announcement doesn't let people know whether passwords were leaked, or hashed data. The implications of one or the other are radically different. What if I use my PA Forums password on another site? Should I change it there too? Can MD5-hashed data realistically be brute forced if that's what's leaked?
|
|
|
12 Jun 2006, 15:22
|
#161
|
so f*cking zen
Join Date: Jan 2003
Location: Hitting Bottom
Posts: 8,499
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by JonnyBGood
Christ if that's all you wanted.
"We're all extraordinarily, entirely, despairingly, completely, wholly, fully, terribly sorry that a most unfortunate, unforeseen, unexpected, unimaginably horrifying security breach resulted in every one of your important, precious, vital, accounts, without which life would not be worth living were compromised in such a violation of dastardly proportions that I have phoned the Sun who have promised to send out their top sensationalists who are taking valuable time out from getting rid of the immigrants for this most desperate of situations."
|
I don't think you really mean you're sorry though.
__________________
On a long enough timeline, the survival rate for everyone drops to zero.
|
|
|
12 Jun 2006, 15:24
|
#162
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Dante Hicks
I would imagine it applies to most organisational types. Any decent business will apologise for things that former employees did for instance.
|
Apology posted above. I had not realised nobody had apologised on the forums however I have apologised to everyone who approached me on irc concerning this.
Quote:
If you're an institution / organisation there's some sort of idea of continuity - people who were banned by former mods are generally still banned and that sort of thing. I posted Nod's quote with tongue firmly in cheek but what he says is fairly accurate.
|
Decisions are reviewed at the time and in all cases of banning for the past four years or whatever the final decision has been JJ's.
Quote:
As for the NDA, I doubt anyone was expecting a ten step HOWTO on how to exactly duplicate the hack. However, you can give general comments. For instance the announcement doesn't let people know whether passwords were leaked, or hashed data. The implications of one or the other are radically different. What if I use my PA Forums password on another site? Should I change it there too? Can MD5-hashed data realistically be brute forced if that's what's leaked?
|
:crymeariver: :crymeariver: :crymeariver: :crymeariver:
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 15:25
|
#163
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Dace
I don't think you really mean you're sorry though.
|
Somehow I doubt the british government is either.
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 15:26
|
#164
|
so f*cking zen
Join Date: Jan 2003
Location: Hitting Bottom
Posts: 8,499
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by JonnyBGood
Somehow I doubt the british government is either.
|
But at least they don't say "sorry" in an obviously sarcastic matter.
__________________
On a long enough timeline, the survival rate for everyone drops to zero.
|
|
|
12 Jun 2006, 15:27
|
#165
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Dace
But at least they don't say "sorry" in an obviously sarcastic matter.
|
I see.
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 15:28
|
#166
|
Godfather
Join Date: May 2000
Location: England
Posts: 5,185
|
Re: Account on Planetarion Forums locked out
I've posted an apology.
and they say people power doesn't work. :s
__________________
Forum Administrator
Mail : [email protected] // IRC : #forums
__________________
It's not personal, it's just business.
|
|
|
12 Jun 2006, 15:29
|
#167
|
Bored
Join Date: Apr 2001
Location: Nottm ->Shef ->Croydon ->Manc ->Durham ->Sheffield
Posts: 6,506
|
Re: Account on Planetarion Forums locked out
so should I change my password guys?
|
|
|
12 Jun 2006, 15:30
|
#168
|
Henry Kelly
Join Date: Apr 2000
Posts: 7,374
|
Re: Account on Planetarion Forums locked out
Your misspelling of 'halt' is an affront to everything I stand for and I expect a further and immediate apology
|
|
|
12 Jun 2006, 15:31
|
#169
|
:alpha:
Join Date: May 2002
Location: London, UK
Posts: 7,871
|
Re: Account on Planetarion Forums locked out
haha you all suck and idi rocks!!!!!!!!!
__________________
"There is no I in team, but there are two in anal fisting"
|
|
|
12 Jun 2006, 15:31
|
#170
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
I support pab's demand and would like to offer my resignation if requisite apology is not immediately forthcoming.
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 15:44
|
#171
|
This is bat country
Join Date: Nov 2003
Location: Norway
Posts: 1,693
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Game^
I remember when you hacked my account (
|
I thought he just guessed your password.. Game/game wasn't it?
__________________
Burárum!
|
|
|
12 Jun 2006, 15:44
|
#172
|
Registered User
Join Date: Feb 2006
Posts: 1,094
|
Re: Account on Planetarion Forums locked out
so what we're talking about ****ing dead air hostesses now? (skipread previous page), anyway in the anarchic though apparently not malevolent spirit of what happened i demand that idi be unbanned and be given three hurrahs for being cleverer and knowing more about the forums than the people who run the forums.
|
|
|
12 Jun 2006, 15:45
|
#173
|
Made of Twigs
Join Date: Jun 2003
Posts: 5,459
|
Re: Account on Planetarion Forums locked out
This signing of an NDA, was it actually signed? As in, did you get something sent to your house? If so, the fact you have to do that to run an internet forum where no money changes hands is, quite frankly, hilarious.
__________________
If I hadn't seen such riches, I could live with being poor - James
It's hard to be humble when you're as great as I am - Muhammad Ali
So **** y'all, all of y'all; if y'all don't like me, blow me! - Dr. Dre
|
|
|
12 Jun 2006, 15:47
|
#174
|
Registered User
Join Date: Feb 2006
Posts: 1,094
|
Re: Account on Planetarion Forums locked out
if he broke the NDA what could they actually do about it?
|
|
|
12 Jun 2006, 15:49
|
#175
|
This is bat country
Join Date: Nov 2003
Location: Norway
Posts: 1,693
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by milo
if he broke the NDA what could they actually do about it?
|
Rape and pillage Ipswich
__________________
Burárum!
|
|
|
12 Jun 2006, 15:50
|
#176
|
so f*cking zen
Join Date: Jan 2003
Location: Hitting Bottom
Posts: 8,499
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by milo
if he broke the NDA what could they actually do about it?
|
A more apt question would be "What COULDN'T they do?"
__________________
On a long enough timeline, the survival rate for everyone drops to zero.
|
|
|
12 Jun 2006, 15:57
|
#177
|
Banned
Join Date: May 2001
Location: Further to the right
Posts: 19,441
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by milo
if he broke the NDA what could they actually do about it?
|
Fire him and install sunday8pm as admin.
Doctor Pepper.
What's the worst that could happen!
__________________
Some might ask what good is life without purpose but I'm anticipating a good lunch.
|
|
|
12 Jun 2006, 16:01
|
#178
|
Henry Kelly
Join Date: Apr 2000
Posts: 7,374
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by JonnyBGood
Fire him and install sunday8pm as admin.
Doctor Pepper.
What's the worst that could happen!
|
It's looking like I've to expect your resignation on my desk first thing in the morning, BGood, my demands have no been met.
I am thus forced to engage in an asymmetric act of war against JJ. It might involve a hunger strike, it might involve rubbing one out to Pat Butcher, I'm crazy and I could do anything
|
|
|
12 Jun 2006, 16:02
|
#179
|
Insomniac
Join Date: May 2003
Posts: 3,583
|
Re: Account on Planetarion Forums locked out
from what i remember of the NDA jolt give to all pateam to sign, i can't see anything which would prevent saying how in vague terms people's accounts were compromised.
as for what jolt could do if he broke it, at worst they could take legal action for compensation if as a result of the breach jolt suffered significant financial losses however it is extremely unlikely that they would, or that it would even cause them loss if Jammyjim spilled absolutely everything he knows about jolt, pa, the forums, etc.
for jolt, the nda is simply a safety net - not a club used to beat people into submission over
|
|
|
12 Jun 2006, 16:04
|
#180
|
Aardvark is a funny word
Join Date: Sep 2002
Location: I'm No Nino Rota
Posts: 5,923
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by pablissimo
rubbing one out to Pat Butcher
|
:crymeariver::crymeariver::crymeariver::crymeariver::crymeariver::crymeariver::crymeariver:
__________________
Efficiency, efficiency they say
Get to know the date and tell the time of day
As the crowds begin complaining
How the Beaujolais is raining
Down on darkened meetings on the Champs Élysées
|
|
|
12 Jun 2006, 16:05
|
#181
|
Bored
Join Date: Apr 2001
Location: Nottm ->Shef ->Croydon ->Manc ->Durham ->Sheffield
Posts: 6,506
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Phil^
for jolt, the nda is simply a safety net - not a club used to beat people into submission over
|
That's what they want you to think
|
|
|
12 Jun 2006, 16:07
|
#182
|
Insomniac
Join Date: May 2003
Posts: 3,583
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Ste
That's what they want you to think
|
they have other things to beat people into submission with :crymeariver:
|
|
|
12 Jun 2006, 16:22
|
#183
|
Bored
Join Date: Apr 2001
Location: Nottm ->Shef ->Croydon ->Manc ->Durham ->Sheffield
Posts: 6,506
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Phil^
they have other things to beat people into submission with :crymeariver:
|
They get Furball to dance the Hokey Cokey until you crack???
That's harsh man.
|
|
|
12 Jun 2006, 16:24
|
#184
|
Born Sinful
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
|
Re: Account on Planetarion Forums locked out
The trouble is, if we say anything more than has already been said, it starts looking fairly bad for Jolt. If it was a case of us screwing everything up then I'm pretty sure they'd be more than happy for us to talk about it (in fact they'd probably demand it) but as it's pretty much the opposite we're being cautious.
And Pab, you spelt "not" wrong. I hereby demand an apology in the form of a skywriter plane telling me how sorry you are.
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
|
|
|
12 Jun 2006, 16:28
|
#185
|
Godfather
Join Date: May 2000
Location: England
Posts: 5,185
|
Re: Account on Planetarion Forums locked out
According to the small print on the NDA Jolt could seize my computer and anything I've ever touched whilst looking at the pa forums*
*that includes my penis. That's why I'm so scared
__________________
Forum Administrator
Mail : [email protected] // IRC : #forums
__________________
It's not personal, it's just business.
|
|
|
12 Jun 2006, 16:37
|
#186
|
Insomniac
Join Date: May 2003
Posts: 3,583
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by JammyJim
According to the small print on the NDA Jolt could seize my computer and anything I've ever touched whilst looking at the pa forums*
*that includes my penis. That's why I'm so scared
|
i don't remember that section on it O_o
Just as well it expires six months after notifying them that you've quit.
in the clear here \o/
i can, quite freely say whatever i want about jolt even if it embarrasses them to do so. so fear not jj. six months after leaving should you ever decide to you can feel perfectly free to do whatever you want with your penis and not worry jolt will come in the night to take it
|
|
|
12 Jun 2006, 16:57
|
#187
|
so f*cking zen
Join Date: Jan 2003
Location: Hitting Bottom
Posts: 8,499
|
Re: Account on Planetarion Forums locked out
I thought Yahwe said that from a legal viewpoint the NDA wasn't worth the paper it was written on.
__________________
On a long enough timeline, the survival rate for everyone drops to zero.
|
|
|
12 Jun 2006, 17:02
|
#188
|
Hamster
Join Date: Apr 2000
Location: Crewe, England
Posts: 3,606
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by Dante Hicks
As for the NDA, I doubt anyone was expecting a ten step HOWTO on how to exactly duplicate the hack. However, you can give general comments. For instance the announcement doesn't let people know whether passwords were leaked, or hashed data. The implications of one or the other are radically different. What if I use my PA Forums password on another site? Should I change it there too? Can MD5-hashed data realistically be brute forced if that's what's leaked?
|
md5 is pretty much immune to brute force hacking, especially if the forum software 'salts' the hash. However as a precaution I would maybe consider changing your passwords. If the hash hasn't been 'salted' then there are hash DBs out there to help decode md5 hashes and with encryption never being totally secure it's more a matter of when a form of encryption is cracked rather than if it will be.
__________________
Wakey
PD and Suggestions Moderator
Co-founder of [F-Crew]
The Farnborough Crew
Cos anything else is just an alliance
Join our public channel at #f-crew
|
|
|
12 Jun 2006, 17:17
|
#189
|
Henry Kelly
Join Date: Apr 2000
Posts: 7,374
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by meglamaniac
And Pab, you spelt "not" wrong. I hereby demand an apology in the form of a skywriter plane telling me how sorry you are.
|
Subject to the resolution of the 'hault' issue, thy will be done
|
|
|
12 Jun 2006, 17:18
|
#190
|
Born Sinful
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
|
Re: Account on Planetarion Forums locked out
MD5 is no less vulnerable to brute force than any other system, as brute force completely bypasses the encryption system and goes for the vulnerability of the chosen password instead.
It's equally easy to brute force the password "123456" if it's stored in cleartext or as an MD5 hash.
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
|
|
|
12 Jun 2006, 17:22
|
#191
|
☆ ♥
Join Date: Jan 2003
Posts: 3,489
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by wakey
md5 is pretty much immune to brute force hacking, especially if the forum software 'salts' the hash. However as a precaution I would maybe consider changing your passwords. If the hash hasn't been 'salted' then there are hash DBs out there to help decode md5 hashes and with encryption never being totally secure it's more a matter of when a form of encryption is cracked rather than if it will be.
|
I've already discussed salted hashes :|
__________________
R3: LegioN (came #32) || R4: BlueTuba
R5: WolfPack Order || R6: Wolfpack
R7: Fury
----------retired-------
R52-R55: Apprime
R56-R57: FaceLess
R58-60: Apprime/Ultores
|
|
|
12 Jun 2006, 17:26
|
#192
|
Hamster
Join Date: Apr 2000
Location: Crewe, England
Posts: 3,606
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by meglamaniac
MD5 is no less vulnerable to brute force than any other system, as brute force completely bypasses the encryption system and goes for the vulnerability of the chosen password instead.
It's equally easy to brute force the password "123456" if it's stored in cleartext or as an MD5 hash.
|
He wasn't asking if the password could be obtained via Brute Force, but if the MD5 hash could be reversed via Brute Force
__________________
Wakey
PD and Suggestions Moderator
Co-founder of [F-Crew]
The Farnborough Crew
Cos anything else is just an alliance
Join our public channel at #f-crew
|
|
|
12 Jun 2006, 17:28
|
#193
|
Born Sinful
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
|
Re: Account on Planetarion Forums locked out
The two concepts are one and the same. It's not possible to reverse MD5, hence the need to brute force it in the first place, hence brute force of password == brute force of MD5 password hash.
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
|
|
|
12 Jun 2006, 17:32
|
#194
|
Hamster
Join Date: Apr 2000
Location: Crewe, England
Posts: 3,606
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by meglamaniac
The two concepts are one and the same.
|
Hardly, as one's trying to simply guess a password, the other's taking a hash and trying to reverse the encryption so you can read it.
__________________
Wakey
PD and Suggestions Moderator
Co-founder of [F-Crew]
The Farnborough Crew
Cos anything else is just an alliance
Join our public channel at #f-crew
|
|
|
12 Jun 2006, 17:38
|
#195
|
Henry Kelly
Join Date: Apr 2000
Posts: 7,374
|
Re: Account on Planetarion Forums locked out
Hashing isn't encryption. You don't brute-force a hash like you might try with actual encryption since there is no key involved, you either throw (by brute force) a dictionary at an MD5 algorithm and compare the output to the known hash of the account, or you throw the known hash against gigs upon gigs of rainbow tables (which accomplishes the same thing). Hashes are entirely one-way, there are an infinite number of plaintexts that would map to a single hash, thus you can't ever deterministically derive the plaintext from the ciphertext. You can however brute the thing to generate some password (which in all probability will be the same one) that happens to hash to the right thing. In effect they really are the same in this context assuming you have access to the hash (so can do all of this off-line).
|
|
|
12 Jun 2006, 17:41
|
#196
|
Bored
Join Date: Apr 2001
Location: Nottm ->Shef ->Croydon ->Manc ->Durham ->Sheffield
Posts: 6,506
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by meglamaniac
It's equally easy to brute force the password "123456" if it's stored in cleartext or as an MD5 hash.
|
Ok, I changed my password to 123456. is that ok?
|
|
|
12 Jun 2006, 17:43
|
#197
|
Born Sinful
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
|
Re: Account on Planetarion Forums locked out
Let me try one more time.
It is not possible in any way shape or form to run MD5 backwards. There is no inverse of the MD5 algorithm. If there was, using it in the first place would be pointless as you could put the MD5 hash in to the inverse algorithm and out would pop the password.
So, you have two databases with a login name "mike", which you know, and a password "123456" which you don't know. DB1 stores the password unencrypted. DB2 stores the password as an MD5 hash. Your only access to each database is through the login page. Let's assume that both databases process login requests in the same period of time. You concurrently brute force both login pages.
...
DB1 > U: Mike P: 123454 - fail
DB2 > U: Mike P: 123454 - fail
DB1 > U: Mike P: 123455 - fail
DB2 > U: Mike P: 123455 - fail
DB1 > U: Mike P: 123456 - granted
DB2 > U: Mike P: 123456 - granted
Now that you know the password is "123456", you also know the hash is "e10adc3949ba59abbe56e057f20f883e". That is the only way you can reverse engineer the original input for a specified MD5 hash, ignoring collision vulnerabilities which I'm not going to start talking about now.
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
|
|
|
12 Jun 2006, 17:43
|
#198
|
Born Sinful
Join Date: Nov 2000
Location: Loughborough, UK
Posts: 4,059
|
Re: Account on Planetarion Forums locked out
Yes ste, you're now secure
__________________
Worth dying for. Worth killing for. Worth going to hell for. Amen.
|
|
|
12 Jun 2006, 17:45
|
#199
|
Bored
Join Date: Apr 2001
Location: Nottm ->Shef ->Croydon ->Manc ->Durham ->Sheffield
Posts: 6,506
|
Re: Account on Planetarion Forums locked out
Quote:
Originally Posted by meglamaniac
Yes ste, you're now secure
|
hoorah!
|
|
|
12 Jun 2006, 17:47
|
#200
|
Henry Kelly
Join Date: Apr 2000
Posts: 7,374
|
Re: Account on Planetarion Forums locked out
I was assuming we were talking about bruting against a known hash to get the password, which with a suitably large collection of rainbow tables and cryptographically weak passwords is far from difficult, though time-consuming. I didn't realise you were talking of bruting the login page.
|
|
|
|
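The points argued in the posts above (unsalted MD5 versus a salted hash, precomputed hash tables, and offline guessing against a known hash), as an added example that is not part of the original thread. It compares the same constructed passwords under three storage schemes; the account names, the candidate list and the PBKDF2 parameters are assumptions for illustration, and the thread does not say how the forum actually stored passwords.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts (not from the thread); two users share a weak password.
USERS = {"mike": "123456", "anna": "123456", "sam": "c0rrect-h0rse-battery"}
# Constructed stand-in for a public wordlist or precomputed hash database.
COMMON = ["password", "letmein", "123456", "qwerty"]


def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> str:
    # Deliberately slow, salted derivation; the iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup(words):
    """Precompute hash -> word once; reusable against every unsalted MD5 store."""
    return {md5_unsalted(w): w for w in words}


def audit_unsalted(store, lookup):
    """store: user -> hash. One dictionary lookup per account, no hashing needed."""
    return {u: lookup[h] for u, h in store.items() if h in lookup}


def audit_salted(store, words):
    """store: user -> (salt, hash). Precomputation is useless, so each candidate
    is rehashed per account; weak passwords are still found, only more slowly."""
    found = {}
    for user, (salt, digest) in store.items():
        for w in words:
            if hmac.compare_digest(md5_salted(w, salt), digest):
                found[user] = w
                break
    return found


def seconds_per_guess(fn, rounds):
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def run_comparison():
    lookup = build_lookup(COMMON)
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {}
    for u, p in USERS.items():
        salt = os.urandom(16)  # fresh random salt per account
        salted[u] = (salt, md5_salted(p, salt))
    salt = os.urandom(16)
    return {
        "same_hash_unsalted": unsalted["mike"] == unsalted["anna"],
        "same_hash_salted": salted["mike"][1] == salted["anna"][1],
        "table_hits_unsalted": audit_unsalted(unsalted, lookup),
        "table_hits_salted": audit_unsalted(
            {u: h for u, (_, h) in salted.items()}, lookup),
        "rehash_hits_salted": audit_salted(salted, COMMON),
        "md5_cost": seconds_per_guess(lambda: md5_salted("123456", salt), 2000),
        "pbkdf2_cost": seconds_per_guess(lambda: pbkdf2("123456", salt), 3),
    }


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key}: {value}")
```

A salt removes the precomputed-table shortcut but does nothing for a password like "123456"; what changes the number of guesses that can be tried offline is the per-guess cost of the derivation.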
All times are GMT +1. The time now is 13:10.