Jul - NO! GO TO STAR! - Security notice for selected users
Sanqui

Posted on 04-30-10 08:12:32 PM Link
   
Originally posted by Treeki
Originally posted by Sanky
He couldn't have got the passwords themselves, right? I mean, they are probably salted/hashed..
Still. What a persistent guy.

Hence the whole "change your passwords if they're insecure" - there are sites with huge searchable MD5 hash databases.

Yeah, that wouldn't help at all if the passwords are salted, though.

____________________
   
   
Danika

Posted on 04-30-10 08:14:01 PM Link
OK, password changed... even though my previous password was decent anyway (10 characters with upper/lowercase, numbers, and symbols)... =/

____________________
YouTubeDeviantArt
Windows 98 forever!
Taryn

Passed away.

Thanks for being a part of us, even if it wasn't always on the best of terms.

1987-2014



Posted on 04-30-10 08:15:10 PM Link
Password changed.

I suck at remembering passwords, so I wrote this one down on a piece of paper

____________________
TKB Super Mario Bros.
dirbaio

Posted on 04-30-10 08:16:15 PM Link
What kind of hash does Jul use?
MD5 is known to be insecure, so I hope Jul doesn't use it...

Maybe I should consider changing my Jul psw to sth different, because I'm using the same one for Jul, gmail, msn, etc...

Xkeeper


Posted on 04-30-10 08:20:45 PM Link
MD5 isn't insecure, it's just that there are rainbow tables out there for the easier hashes (e.g. all-letters from 1 to 8 characters, all numbers from lengths 1-10, etc.)

____________________
Taryn


Posted on 04-30-10 08:23:15 PM Link
Anyone else think it's funny that he stole Deleted User's password hash?

My old Jul pass was actually fairly secure, but I wanted to be on the safe side. I don't use my old or new Jul passwords anywhere other than Jul.

____________________
TKB Super Mario Bros.
Conte de Contis

Posted on 04-30-10 08:23:28 PM Link
Excuse me, but who is MegaMario? I just understand he's another lamer or hacker, but did something happen in the past?

____________________
I have seen Benedict XVI at Rome today
Xkeeper


Posted on 04-30-10 08:24:29 PM Link
My password here is 15 characters long.


My FTP password is only 6! just kidding

____________________
Hiryuu


Posted on 04-30-10 08:25:32 PM Link
Originally posted by Conte de Contis
Excuse me, but who is MegaMario? I just understand he's another lamer or hacker, but did something happen in the past?


This is proof that you need to update your FAQ, X.

He is a lamer and a hacker but was banned for doing dumb stuff in regards to it. He's re-regged dozens of times since, mostly with malicious intent over that butthurt I mentioned earlier.
Xkeeper


Posted on 04-30-10 08:26:00 PM Link
For a while (around to the point my internet died) I had a link to the Mega Moron Archives.

____________________
Taryn


Posted on 04-30-10 08:26:33 PM (last edited by Terra at 04-30-10 05:26 PM) Link
Originally posted by Conte de Contis
Excuse me, but who is MegaMario? I just understand he's another lamer or hacker, but did something happen in the past?


It was here, although it seems to be down right now. It was followed by this, which loads fine.

____________________
TKB Super Mario Bros.
Ninji


Posted on 04-30-10 08:26:40 PM Link
Originally posted by dirbaio
What kind of hash does Jul use?
MD5 is known to be insecure, so I hope Jul doesn't use it...

Maybe I should consider changing my Jul psw to sth different, because I'm using the same one for Jul, gmail, msn, etc...



If your password is secure, it should be safe

MD5 isn't as good as other hashing methods, but it's still secure. It can be bruteforced, but any non-trivial password would take way too long to bruteforce unless you have a supercomputer.


I've seen sites which store passwords in plaintext.

____________________
[20:07:36] @Treeki: ikachan say something funny I can put in my signature
[20:07:41] @Ikachan: And it was funny in the can with a syringe.
Hacking Tools: NSMB Editor 5 · Nitro / NARC Explorer
Current Project: Reggie! - NSMBWii Level Editor
Taryn


Posted on 04-30-10 08:27:46 PM Link
Originally posted by Treeki
I've seen sites which store passwords in plaintext.


AcmlmBoards did this until I1 got hacked in 2002.

For my own board system (only used for a school project now), I used SHA1 with a salt.

____________________
TKB Super Mario Bros.
Ninji


Posted on 04-30-10 08:35:05 PM Link
Originally posted by Terra
Originally posted by Treeki
I've seen sites which store passwords in plaintext.


AcmlmBoards did this until I1 got hacked in 2002.

For my own board system (only used for a school project now), I used SHA1 with a salt.

Neopets is the site I was talking about

____________________
[20:07:36] @Treeki: ikachan say something funny I can put in my signature
[20:07:41] @Ikachan: And it was funny in the can with a syringe.
Hacking Tools: NSMB Editor 5 · Nitro / NARC Explorer
Current Project: Reggie! - NSMBWii Level Editor
Xkeeper


Posted on 04-30-10 08:36:59 PM Link
I would actually update the board to use salted MD5 hashes (did you know that the voting in polls uses your password as a token? now you know) but the big problem is that updating old users' passwords would be mind-bogglingly difficult if I didn't do store = md5(md5(pw) + salt).


(p.s., yes, the hashes in polls/etc are salted with a fairly long string)

____________________
Ninji


Posted on 04-30-10 08:40:40 PM Link
Originally posted by Xkeeper
I would actually update the board to use salted MD5 hashes (did you know that the voting in polls uses your password as a token? now you know) but the big problem is that updating old users' passwords would be mind-bogglingly difficult if I didn't do store = md5(md5(pw) + salt).


(p.s., yes, the hashes in polls/etc are salted with a fairly long string)

Why not keep a flag specifying whether the user has an old or a new hash?


When they log in, if they have an old hash, use their entered password to generate the new version. That'd at least make it far harder to compromise accounts which are currently in use, although it'd do nothing for inactive accounts.

____________________
[20:07:36] @Treeki: ikachan say something funny I can put in my signature
[20:07:41] @Ikachan: And it was funny in the can with a syringe.
Hacking Tools: NSMB Editor 5 · Nitro / NARC Explorer
Current Project: Reggie! - NSMBWii Level Editor
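
Added example, not code from the board or from anyone in this thread: a Python sketch of the two migration routes discussed above, Xkeeper's wrapping of the stored md5(pw) and Ninji's per-user old/new flag upgraded at login. It keeps md5(pw) as the inner step but swaps the outer md5 for PBKDF2-HMAC-SHA256; the field names, iteration count and sample accounts are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def md5_hex(password: str) -> str:
    """Legacy scheme: unsalted MD5 stored as hex."""
    return hashlib.md5(password.encode()).hexdigest()

def wrap(legacy_hex: str, salt: bytes) -> str:
    """Salted outer layer over md5(pw); PBKDF2 stands in for the outer md5."""
    return hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), salt, ITERATIONS).hex()

def upgrade(user: dict, legacy_hex: str) -> None:
    user["salt"] = os.urandom(16)              # unique salt per user
    user["hash"] = wrap(legacy_hex, user["salt"])
    user["scheme"] = "wrapped"                 # the old/new flag

def migrate_all(users: dict) -> int:
    """Bulk wrap from the stored hashes alone, so inactive accounts are covered."""
    pending = [u for u in users.values() if u["scheme"] == "md5"]
    for user in pending:
        upgrade(user, user["hash"])
    return len(pending)

def login(users: dict, name: str, password: str) -> bool:
    """Verify a password; a legacy row is upgraded on a successful login."""
    user = users.get(name)
    if user is None:
        return False
    inner = md5_hex(password)
    if user["scheme"] == "md5":
        ok = hmac.compare_digest(inner, user["hash"])
        if ok:
            upgrade(user, inner)
        return ok
    return hmac.compare_digest(wrap(inner, user["salt"]), user["hash"])

def sample_users() -> dict:
    """Constructed sample rows, both still on the legacy scheme."""
    return {n: {"scheme": "md5", "hash": md5_hex(p), "salt": b""}
            for n, p in (("active", "correct horse"), ("inactive", "hunter2"))}

if __name__ == "__main__":
    db = sample_users()
    print(login(db, "active", "correct horse"), {n: u["scheme"] for n, u in db.items()})
    print(migrate_all(db), login(db, "inactive", "hunter2"))
```

Because the outer layer takes md5(pw) as its input, rows upgraded at login and rows converted in bulk end up in the same stored format, and one verification path serves both.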
Xkeeper


Posted on 04-30-10 08:42:01 PM Link
Simply because there's too much to update all over the place.

Today's Acmlmboard fun fact: Did you know your password is actually encoded, not encrypted, in your cookies? It is!

____________________
Posted on 04-30-10 08:45:07 PM (last edited by Milly at 04-30-10 05:49 PM) Link




Originally posted by Treeki
Originally posted by Terra
Originally posted by Treeki
I've seen sites which store passwords in plaintext.
AcmlmBoards did this until I1 got hacked in 2002.
Nope, it's been MD5 ever since I switched the database to MySQL (and even before that, it was some weak reversible encryption). I used another reversible encryption for cookie passwords, as well ...

However, there were quite a few ways to get the database/cookie passwords, even in plain text (reading the login info from the reply page, with JavaScript)


(edited)
Ok, it actually was plain text at first. But that changed to MD5 somewhere between 1.61 (April 2001) and 1.8 (March 2002), maybe in 1.65 or 1.7 ...

____________________
Xkeeper


Posted on 04-30-10 08:46:45 PM Link
The problem with updating the newreply/newthread pages to not use a typed password for logged in users means that you can't really make use of alternate accounts.

Not a big deal, but just one of those things I'd be missing.

____________________
Gabu


Posted on 04-30-10 08:50:30 PM Link
Jesus, he just doesn't know when to quit.

____________________

