vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   database hacked > know users passwords (https://vborg.vbsupport.ru/showthread.php?t=199138)

el_capiton 12-17-2008 11:48 PM
database hacked > know users passwords
 
hello

if someone gains access to the vbulletin database, is it possible for the hacker to know the users pass? i mean they are in hash format could they retrieve the passwords from the hash? how long would it take to perform this task, if possible

SEOvB 12-17-2008 11:52 PM
It would take ages to perform for each individual password

el_capiton 12-17-2008 11:59 PM
Quote:
Originally Posted by FRDS (Post 1687697)
It would take ages to perform for each individual password
for ages you mean days, weeks, months?
even with the salt thing i think vbulletin has in the passwords?

phantom15 12-18-2008 12:04 AM
md5 salted... to bruteforce would take years I think

SEOvB 12-18-2008 12:30 AM
Quote:
Originally Posted by el_capiton (Post 1687708)
for ages you mean days, weeks, months?
even with the salt thing i think vbulletin has in the passwords?
By ages I mean, a lot longer than it'd ever be worth

Dismounted 12-18-2008 10:15 AM
There are no known rainbow table attacks for this type of hash. The only method would be to brute force, and that would take years. After brute forcing the hash, you would need to brute force the actual password's hash, which would take less time, but still time (although this time, rainbow tables are possible).

el_capiton 12-19-2008 12:57 AM
thanks for your answers

Medtech 12-19-2008 01:09 AM
Quote:
Originally Posted by phantom15 (Post 1687713)
md5 salted... to bruteforce would take years I think
Actually with salt and the latest dictionaries, it is done in about 20 seconds.. if the perp knows what the salt is.

Quote:
Originally Posted by FRDS (Post 1687697)
It would take ages to perform for each individual password
Actually Admins are the targets, what good would it do to hack a mod or member?

You want a secure password? use 4 to 5 words with spaces and a couple symbols. That is impossible to decode for even the best hackers. I use 1024 bit encryption in my passwords.. even the feds can't decode that, lol

Dismounted 12-19-2008 03:34 AM
How about we go all out and use Whirlpool? :)

el_capiton 12-21-2008 06:03 PM
Quote:
Originally Posted by Medtech (Post 1688377)
Actually with salt and the latest dictionaries, it is done in about 20 seconds.. if the perp knows what the salt is.



Actually Admins are the targets, what good would it do to hack a mod or member?

You want a secure password? use 4 to 5 words with spaces and a couple symbols. That is impossible to decode for even the best hackers. I use 1024 bit encryption in my passwords.. even the feds can't decode that, lol
i've a guy claiming it accessed the database and got one mod pass and logged in with it.
he has made a screenshot of mods and admin area to prove he was there.
the mod pass was 10 chars long and it was portuguese, its still easy to be discovered?

Dismounted 12-22-2008 04:47 AM
If he got access to the database, he could just create a new account with Admin access if he wanted. Or he could temporarily change the password of your moderator.

You have more problems to worry about than a moderator's account.

Marco van Herwaarden 12-22-2008 09:46 AM
Quote:
Originally Posted by el_capiton (Post 1690509)
i've a guy claiming it accessed the database and got one mod pass and logged in with it.
he has made a screenshot of mods and admin area to prove he was there.
the mod pass was 10 chars long and it was portuguese, its still easy to be discovered?
Create a test account and provide your firend with the hash. Ask him to provide the real password. ;)

x0r 12-22-2008 03:26 PM
Cracking hashes is pretty easy if you know what are you doing...

see this for examples...
https://vborg.vbsupport.ru/showthread.php?t=199526

RHWiRED 12-22-2008 11:42 PM
Err, you are ALL wrong!
Cracking vBulletin hash's and salts is extremely easy. All you need to know, is the hash format, which is: MD5(MD5(password).salt)

People load a dictionary, set it to dictionary mode, load the user: password:email list, and within seconds, all the easy passwords are cracked.
Leave it an hour or so and the more difficult passwords are cracked. If the rest aren't cracked by the end, changes are they're using an extremely hard password.

Make sure you use a combination of lowercase, higher case, numbers, letters, and special characters when you generating a password:

Example: ()Q@[]4[[!*^Yejfbn f(@344{P}{(*&@
- Virtually impossible to brute & dictionary attack.


Cheers

Dismounted 12-23-2008 02:26 AM
That is assuming the attacker knows the salt.

RHWiRED 12-23-2008 02:57 AM
The salt hash is IN the database marked under "salt".
If they have the database, they have the salt, email, and basically every single bit of info displayed on the website.

Cheers,

Medtech 12-26-2008 05:45 AM
Quote:
Originally Posted by RHWiRED (Post 1691689)
The salt hash is IN the database marked under "salt".
If they have the database, they have the salt, email, and basically every single bit of info displayed on the website.


Cheers,
Exactly!!


All times are GMT. The time now is 12:13 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01123 seconds
  • Memory Usage 1,752KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (7)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (17)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete