Password hacking paranoia?

Discussion in 'Gaming and Software' started by TheIronDuke, Sep 23, 2011.


  1. TheIronDuke

    TheIronDuke LE Book Reviewer

    Not really gaming (although I can discuss Care Bears games if you want) just random internet weirdness I hope somebody can cast light on.

    I had just left a password protected website and was about to Google something when I typed my password in by mistake. And got 6 hits, mostly to this website http://www.xdecrypt.com/

    My password is caps, lower case and numbers and tests as 'strong'. When I put in a similar set of random letters and numbers into Google I do not get these Hash / Decryption sites coming up.

    Time to A) Change my password? B) Take off the tinfoil hat and step away from the keyboard? C) stop being paranoid?
     
  2. chances are someone else has the same password and it was in one of the many company websites hacked in the past where customer data was stolen and made public,

    so unless you were a member of one of those many many forums/gaming communities/hotmail users then there's nothing to be necessarily worried about.

    if you were or are in the habit of using the same password/ email details on forums as for other accounts in teh internetz there's nothing to get excited about.

    as an aside if you put upper/lower/numeric/special chars in your passwords then there's every chance your details are secure, even more so if you change them regularly and use different email or passwords for shopping forum or game related websites.

    btw if you play online games (wow/aion/aika/eve/rfo/etc etc) then chances are some bugger is actively trying to access your accounts in order to steal pixels they can trade for real money (it's a big part of the not so legal gaming world) if not then just make sure things like ebay/paypal/tesco/asda etc all have different passwords and that your account recovery email is different to the main email you use.

    also if you use facecrap use few or no real details on your page, use a special email account and a separate password, since you can get unlimited amounts of free emails via google and forward them to a main account there's no excuses for poor cyber security practices.

    also regularly perform av scans on your pc to make sure any nasties downloaded from websites are picked up or removed so you don't expose yourself too much (me i use one pc for banking /shopping etc and a different one for various other things like random internet searches just in case)

    also keep your os etc up to date with the latest version of software from the vendors update system.
     
  3. TheIronDuke

    TheIronDuke LE Book Reviewer

    Thanks.

    I very much doubt someone has the same password unless they are a fan of a 13th century scriptor and had decided to change random characters to caps and numbers. The odds on that are astronomical and as I said, doing the same thing with another name? It doesn't pop up on these Hash sites.

    I only use this password for forums. At least one of which was a precursor to Anonymous and later the LulzSec Muppets.

    My question is simple. What the **** is this all about? http://www.xdecrypt.com/

    In plain English please.

    *Edit* Taking your comments on board I just did a Google on the password. I changed one number in the sequence. Nothing.
     
  4. if you ever get into web or database admin you will probably get to see people's account details, all of those account details should normally be stored with the passwords encrypted so you can only access hash key, that website is a bot net c&c which will manage to crack the hash and give back the real value thus allowing you to access the account of the individual concerned.

    that kind of thing is very useful for criminals, if they for instance got into the psn payment records and psn had stored all the payment info as md5 hashes then all they would need to do to access those credit cards would be to decrypt the real info and start spending.

    you would be amazed at the obscure things a lot of people believe to be unique, randomised passwords are the most often used, not sure if the list is still maintained but IT security professionals used to maintain a list of passwords used across 1 million windows users the commonality index was massive, every single password had been used at least 3 times and there was less than 95k passwords in use (it should be noted that all the data collected was done so by the users express consent in opting into as opposed to out of a data collection program)

    fyi the md5 hash is an advanced cypher that would have taken before botnets came about more than 200 years for a single quad core pc to crack, the hash is itself a line of text (most military ones are random number/letter combos most civvy ones are based on a line or two from a book chosen by the hash table creator) normally speaking it would and then once the correct hash has been figured out the cracker requires to unlock the files,

    fortunately for the decrypter most php based forums the md5 is builtin by the template builder, so cloning a forum user database containing known variables using every possible character available from a keyboard will allow someone to work out the cypher key and then follow up with decryption on demand.

    sorry if i started rambling there my meds are kickin in
     
  5. *adjusts tin foil hat* have forwarded this on to a friend who specialises in the geeky (his bedtime reading is ridiculous all pc based non-fiction and he constructs viruses/hacking thingies for shits and giggles) and his reaction was:

    "dunno Poppet, let me get back to you - looks fookin dodgy mind..."
     
  6. He calls you Poppet. Fner. ;-)
     
  7. In English, it means you have nothing to worry about.

    Every website has a table that lists users and passwords, e.g.

    TheIronDuke abc123
    Tiny_Lewis r4nd0mW0rd!

    Passwords should never be stored as plaintext, instead they should be encrypted:

    TheIronDuke AHGR35BV6H789JHT564D3R5P897H5GF5
    Tiny_Lewis HB6786TFR4ED32FGV87HGBFR89864FD6

    The encryption process should obviously also "obfuscate" the password length. It also has to be capable of being decrypted - obviously - so you can log in, thus it needs a "key". When you login, the system takes your password, runs the encryption process over it using the key, and compares the result with the stored password.

    Obviously, the encryption method is 'well known', e.g. think BATCO - the method of encoding and decoding is "known", but to decode a message you need the key setting.

    Because it is 'known', it is in theory possible to test every combination of letters, characters, and numbers, with every possible key value, and store the results. It just takes a HUGE amount of computing time - in the case of some encryption schemes thousands or millions of years.

    This timescale can decrease as computers get more powerful, or as more than one computer is used. In the case of massive botnets (thousands or hundreds of thousands of home PCs infected with a small 'virus' client that stealthily connects the infected computer back to the rest of the 'bot net'), this can reduce the timescale down to far more manageable lengths.

    To attempt to crack this, some solutions break the work down into chunks - for example "all passwords 1 - 10 characters long", "all passwords 1 - 10 numbers long", etc... and assign these chunks to sub-groups. As each computer works out an encrypted value for each password (in the example, starting at A and ending at ZZZZZZZZZZ), it sends the result back.

    The end result is a massive table of passwords and encrypted value pairs. So when one day someone wants to "crack" a password, they look at the encrypted value in this table, and if they find it look at the associated password.

    These are often referred to as "rainbow tables", and exist for various password encryption schemes, and wifi WPA/WPA2 encryption.

    In order to be of any use, the attacker needs to obtain the target userID and encrypted password database. In a further example, first of all I would have to hack arrse, as an admin, to get the password database, to then hopefully find that your password matches one that has already been computed. Then I can log on as you and, um, do not a lot really.

    Ok, it's a lot more complicated than that, I have grossly simplified it, and THERE are risks on the net - but it's not a lot to be worried about. For most forums I use the same userID and password - and have done so for 15 years without problem. On financial sites (ebay, paypal, bank, utility) I have a different username and password per site. The only trouble I have had is when a third party was hacked, who used the PayPal payment API, as opposed to PayPal itself.
     
  8. It's all to do with how your password is stored by whatever system you are using. Obviously storing a password as clear text is bad, so your password is converted to what's called a "hash". The hash is a fairly big number that, by using lots of very Tefal head maths, cannot be directly reversed back into a password. To break these hashes you basically create a password, hash it and compare the two. If they match, you have guessed the right password, if not, try again. The aforementioned Tefal heads have also designed into the hash algorithm the fact that it's almost impossible for 2 different passwords to generate the same hash. Sites like the one you link take in hashes and try to crack them by guessing passwords or by comparing your hash against ones it already knows the passwords for. The more hashes that it gets and solves, the more it knows about. If the hash matches one it already knows, then that password is recovered very quickly, regardless of how good a password is.
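
Added example, not written by any poster in this thread: posts 7 and 8 describe stored password hashes being matched against tables of hashes that have already been computed. This Python sketch uses a constructed three-entry table and hypothetical function names to show why an unsalted MD5 record is matched by exact lookup, while a record stored with a per-user salt and a slow key-derivation function is not.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a precomputed hash -> password table.
KNOWN_PASSWORDS = ["abc123", "password", "letmein"]
LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in KNOWN_PASSWORDS}


def store_unsalted_md5(password):
    """Weak storage: the same password always produces the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password, iterations=200_000):
    """Stronger storage: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password, record):
    """Login check: recompute with the stored salt, compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def found_in_lookup(stored):
    """Exact-match search of a stored value against the precomputed table."""
    return LOOKUP.get(stored.split("$")[-1])


if __name__ == "__main__":
    weak = store_unsalted_md5("abc123")
    strong = store_salted("abc123")
    print("unsalted MD5 record:", weak, "-> lookup:", found_in_lookup(weak))
    print("salted PBKDF2 record:", strong[:40] + "...", "-> lookup:", found_in_lookup(strong))
    print("login with correct password:", verify_salted("abc123", strong))
```

The same password stored twice with `store_salted` gives two different records, so a table built once cannot be reused across users or sites.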
     
  9. I'll just leave this here:

    [IMG]
     

  10. Feckin' geek. :p
     
  11. I'm going to change my password to correcthorsebatterystaple. It's brilliant and very probably foolproof. ;-)
     
  12. Which is all well and good until you run into systems that don't allow longer than 8 characters and ignore case. ;-)
     
  13. you wouldn't need to hack the site if you were an admin just copy the user account part of the forum all php sites work the same way i know i've been admin and superadmin for a bunch of them in the past, mostly because the site owners got lazy or didn't understand what they were doing admittedly, but nevertheless just as simple as putting a watchdog on a suitable account (hammering their ip address with a brute force attack and placing a dial home watcher on their pc triggered by them logging in) that gives you the access credentials for a website, then you can login (once they go offline) and copy the bits you're interested in, use your bot net (the largest botnet so far taken down had more than 35 million drones)

    but as for good techno security on a personal or business level, never give out privilege levels above those required for the job, never allow single point access to entire sensitive data areas, and use lots of different things to help minimise your chances of "getting hacked"

    par example ; use lots of email accounts, link one to each forum or website account, use variations on passwords or wholly different passwords for each account, after creating and saving the login details to your account(s) setup those email accounts to auto forward everything to your primary account (for ease of monitoring)

    be very wary of social media like twitter or facebook, anything with the words opensource in the product detail should be avoided,

    if it's got an i in the name or an apple/ penguin don't go near it with a barge pole.

    use defence grade security products (firewall/av/adblocker/noscript etc) to keep you safer online,

    periodically login to all your financial stuff and check the history to make sure it's stuff you recognise, but do so with a clean browser not a new tab or with other windows open (there is a thing called bleedover which all browsers suffer from and a script from one website can monitor your keystrokes in another window or tab bypassing your desktop security - not always but sometimes this happens-)

    all of those will reduce your potential exposure in the case of a breach should any link get taken out, using the same login info for multiple websites (username email/password) drastically increases your likelihood of having one or all accounts taken over should any link get compromised.
     
  14. Wat?
     
  15. Or force you to choose from one of four 9 letter randomizations

    Or have wicked security only then to force you to choose a memorable question & answer for self-recovery / password reset from a list of options which aren't necessarily a great secret, such as your town of birth, or favourite football team.