database hacked > know users passwords


el_capiton
12-17-2008, 11:48 PM
hello

If someone gains access to the vBulletin database, is it possible for the hacker to know the users' passwords? I mean, they are in hash format; could they retrieve the passwords from the hash? How long would it take to perform this task, if possible?

SEOvB
12-17-2008, 11:52 PM
It would take ages to perform for each individual password

el_capiton
12-17-2008, 11:59 PM
It would take ages to perform for each individual password

For ages, you mean days, weeks, months?
Even with the salt thing I think vBulletin has in the passwords?

phantom15
12-18-2008, 12:04 AM
MD5 salted... to brute-force would take years, I think.

SEOvB
12-18-2008, 12:30 AM
For ages, you mean days, weeks, months?
Even with the salt thing I think vBulletin has in the passwords?

By ages I mean, a lot longer than it'd ever be worth

Dismounted
12-18-2008, 10:15 AM
There are no known rainbow table attacks for this type of hash. The only method would be to brute force, and that would take years. After brute forcing the hash, you would need to brute force the actual password's hash, which would take less time, but still time (although this time, rainbow tables are possible).

el_capiton
12-19-2008, 12:57 AM
thanks for your answers

Medtech
12-19-2008, 01:09 AM
MD5 salted... to brute-force would take years, I think.

Actually, with salt and the latest dictionaries, it is done in about 20 seconds... if the perp knows what the salt is.

It would take ages to perform for each individual password

Actually, admins are the targets; what good would it do to hack a mod or member?

You want a secure password? Use 4 to 5 words with spaces and a couple of symbols. That is impossible to decode for even the best hackers. I use 1024-bit encryption in my passwords... even the feds can't decode that, lol.

Dismounted
12-19-2008, 03:34 AM
How about we go all out and use Whirlpool (http://en.wikipedia.org/wiki/Whirlpool_(cryptography))? :)

el_capiton
12-21-2008, 06:03 PM
Actually, with salt and the latest dictionaries, it is done in about 20 seconds... if the perp knows what the salt is.

Actually, admins are the targets; what good would it do to hack a mod or member?

You want a secure password? Use 4 to 5 words with spaces and a couple of symbols. That is impossible to decode for even the best hackers. I use 1024-bit encryption in my passwords... even the feds can't decode that, lol.

I've a guy claiming he accessed the database, got one mod's password and logged in with it.
He has made a screenshot of the mod and admin area to prove he was there.
The mod's password was 10 chars long and it was Portuguese; is it still easy to be discovered?

Dismounted
12-22-2008, 04:47 AM
If he got access to the database, he could just create a new account with Admin access if he wanted. Or he could temporarily change the password of your moderator.

You have more problems to worry about than a moderator's account.

Marco van Herwaarden
12-22-2008, 09:46 AM
I've a guy claiming he accessed the database, got one mod's password and logged in with it.
He has made a screenshot of the mod and admin area to prove he was there.
The mod's password was 10 chars long and it was Portuguese; is it still easy to be discovered?

Create a test account and provide your friend with the hash. Ask him to provide the real password. ;)

x0r
12-22-2008, 03:26 PM
Cracking hashes is pretty easy if you know what you are doing...

see this for examples...
https://vborg.vbsupport.ru/showthread.php?t=199526

RHWiRED
12-22-2008, 11:42 PM
Err, you are ALL wrong!
Cracking vBulletin hashes and salts is extremely easy. All you need to know is the hash format, which is: MD5(MD5(password).salt)

People load a dictionary, set it to dictionary mode, load the user:password:email list, and within seconds all the easy passwords are cracked.
Leave it an hour or so and the more difficult passwords are cracked. If the rest aren't cracked by the end, chances are they're using an extremely hard password.

Make sure you use a combination of lowercase, uppercase, numbers, letters, and special characters when generating a password:

Example: ()Q@[]4[[!*^Yejfbn f(@344{P}{(*&@
- Virtually impossible to brute-force and dictionary attack.


Cheers
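
As an added example that is not part of the thread and not vBulletin's own code: the scheme RHWiRED names, MD5(MD5(password).salt), written out in Python and run as the dictionary attack he describes against a constructed dump of (username, hash, salt) rows. The same functions cover Marco van Herwaarden's test-account challenge from the earlier reply: hash a throwaway account's password, hand over hash and salt, and check whatever password the claimant sends back. The salt length, the wordlist and the account rows are assumptions constructed for this example, not real data.

```python
import hashlib
import secrets
import string


def php_md5(data: str) -> str:
    """Same output as PHP's md5(): lowercase hex digest of the UTF-8 bytes."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def vb_hash(password: str, salt: str) -> str:
    """The scheme named in the thread: MD5(MD5(password) . salt)."""
    return php_md5(php_md5(password) + salt)


def make_salt(length: int = 3) -> str:
    """Random printable salt; the length is an assumption for this example."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def register(username: str, password: str) -> tuple:
    """The row an attacker sees in a dumped user table: (username, hash, salt)."""
    salt = make_salt()
    return (username, vb_hash(password, salt), salt)


def verify_claim(claimed_password: str, stored_hash: str, salt: str) -> bool:
    """The test-account check: does the password handed back reproduce the hash?"""
    return vb_hash(claimed_password, salt) == stored_hash


def crack_dump(rows, wordlist):
    """Dictionary attack on dumped rows with the salt column known.

    MD5(password) does not involve the salt, so it is computed once per word.
    Only the outer MD5 is redone per user and per candidate, which is why a
    salt stored next to the hash stops precomputed tables but not a wordlist
    run.  Returns ({username: password}, number of outer MD5 calls).
    """
    inner = {word: php_md5(word) for word in wordlist}
    found = {}
    outer_calls = 0
    for username, stored, salt in rows:
        for word, inner_hex in inner.items():
            outer_calls += 1
            if php_md5(inner_hex + salt) == stored:
                found[username] = word
                break
    return found, outer_calls


# Constructed wordlist and accounts for the example; not real users or data.
WORDLIST = ["123456", "password", "qwerty", "futebol",
            "benfica", "letmein", "senha123", "dragon"]


def demo():
    """Three accounts: two wordlist passwords, one multi-word passphrase."""
    rows = [
        register("admin", "benfica"),
        register("moderator", "senha123"),
        register("member", "quatro palavras com espacos & 2 simbolos"),
    ]
    return crack_dump(rows, WORDLIST)


if __name__ == "__main__":
    cracked, outer_calls = demo()
    print(cracked, "after", outer_calls, "outer MD5 calls")
```

The run recovers the two wordlist passwords and leaves the passphrase alone only because it is not in the list; nothing about the salt slowed the attack down, since the salt sits in the same dump as the hash. With a fast hash like MD5 the size of the attacker's wordlist, not the salt, decides which accounts fall.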

Dismounted
12-23-2008, 02:26 AM
That is assuming the attacker knows the salt.

RHWiRED
12-23-2008, 02:57 AM
The salt hash is IN the database marked under "salt".
If they have the database, they have the salt, email, and basically every single bit of info displayed on the website.

Cheers,

Medtech
12-26-2008, 05:45 AM
The salt hash is IN the database marked under "salt".
If they have the database, they have the salt, email, and basically every single bit of info displayed on the website.

Cheers,

Exactly!!