Goto Chockstone Home

  Guide
  Gallery
  Tech Tips
  Articles
  Reviews
  Dictionary
  Links
  Forum
  Search
  About

      Sponsored By
      ROCK
   HARDWARE

  Shop

Black Diamond: 10mm DYNEX: 60cm (24") Runner. (Open round sling) Great for making "extender" quick-draws. IMO   $10.00
28% Off

Chockstone Photography Australian Landscape Photography by Michael Boniwell
Australian Landscape Prints





Chockstone Forum - Chockstone Feedback

Provide Feedback About This Website

 Page 2 of 2. Messages 1 to 20 | 21 to 36
Author
ummm hacked???

gremlin
20/12/2006
12:05:21 PM
Forget old school unix hashing, the world has moved onto MD5.
Is this what you're after?
http://rossm.net/Electronics/Computers/Software/ASP/MD5.htm
rolsen
20/12/2006
4:56:08 PM
On 20/12/2006 Mike wrote:
>Haven't got time to look into this just now. But if someone can dig up
>some VB script code for ASP that will do this that would be handy. I'll
>get onto it after the hols.
>___
>
So reading between the lines chockstone currently stores everyones passwords in plain text. This means a hacker could quite possibly have everyone's email address and password. If you use the same password on chockstone as elsewhere I suggest you go and change your passwords at your other sites. If you use the same password at chockstone to access your email - then it would be wise to change that immediately.

If your chockstone password is a "one off" then it may be worth changing it. If you care!

Richard

PS. Again, thanks Mike for putting the time into chockstone, your efforts are very much appreciated.


Zebedee
20/12/2006
9:54:31 PM
I would also like to thank Mike for putting the time into chockstone. But I have definitley recieved email from our hacker and they seem to have some info on passwords etc. May be a result of intrusion into my machine but I am changing all my passwords. Just saying.
dalai
20/12/2006
9:58:53 PM
How do you know it was from them?

I always just delete anything that I can't immediately recognise so wouldn't even know...

Zebedee
20/12/2006
10:18:56 PM
On 20/12/2006 dalai wrote:
>How do you know it was from them?

I have an email address that is exclusively used for chockstone, I do get the occasional spam but....
andaperson at yahoo com au
Subject: Welcome to HACKED BY TURK-SOPHİA
From:
Date: Fri, 24 Nov 2006 08:03:54 -0500


Welcome to HACKED BY TURK-SOPHİA

Please keep this email for your records. Your account information is as
follows:

----------------------------
Username: ******
Password: ******
----------------------------

Please do not forget your password as it has been encrypted in our
database and we cannot retrieve it for you. However, should you forget your
password you can request a new one which will be activated in the same
way as this account.

Thank you for registering.

(I have turned to stars the somewhat inside info)
dalai
20/12/2006
10:23:54 PM
Pretty clear I'd say...

Thanks
PensionerPower
21/12/2006
3:06:56 AM
On 20/12/2006 gremlin wrote:
>Actually both methods are correct.

No they are not.

When people talk of "encrypting" a password, they generally mean, to encipher the plaintext passwords using a symmetric cipher and a fixed secret key. This is *wrong*, because, anyone who can find that key can instantly decrypt all the passwords into their plaintext forms. No competent password storage scheme should ever let any password be decrypted into its plaintext form.

If you encrypt a password using a symmetric cipher, you should use the password *as* the key, to encrypt a known (public) constant, for example, all-zeros. Then, there is no "secret key" to recover (to decrypt all the other passwords). But this is not what people generally mean when they refer to "encrypting a password".

Best practice is *not* to encrypt passwords *at all*. Instead, salt them & hash them. Salting & hashing is fundamentally different to encrypting.
PensionerPower
21/12/2006
3:13:47 AM
On 20/12/2006 gremlin wrote:
>Forget old school unix hashing, the world has moved onto MD5.

MD5 has been cracked for yonks. It is trivally easy to generate MD5 collisions using software that is freely available on the web. This is not to say that MD5 is necessarily unsafe for storing password hashes. But as a matter of principle, no-one should use MD5 now; there are uncracked modern hashes such as SHAx that should be used instead.

gordoste
21/12/2006
10:16:29 AM
if i recall correctly you can easily generate MD5 collisions... but not in a useful way... so for example if someone was sending a message to a website saying "I am gordoste, transfer $100 from my account to account 12345" the hacker can send something else that appears to be from gordoste but he has no control over what that something is...

Mike
21/12/2006
1:31:42 PM
Okay, it's taken a couple of hours I didn't really have, but I've implemented the salt hash thing on the passwords. There are no plain text passwords in the database anymore.

Hopefully I haven't killed the auto login stuff. Please test.

IdratherbeclimbingM9
21/12/2006
1:51:13 PM
Don't have auto login switched on / never use it ...; but I just got the following message when I clicked on a post.

[deleted]

It seems random as I have been able to access the post I was clicking on OK since the message came up.

Mike
21/12/2006
1:53:54 PM
Think I fixed error. I was probably still debugging while you got it.

Rupert
21/12/2006
2:09:19 PM
Working ok here MIke.
rolsen
21/12/2006
2:39:13 PM
Thanks Mike! Well done.
PensionerPower
21/12/2006
9:37:34 PM
On 21/12/2006 gordoste wrote:

>if i recall correctly you can easily generate MD5 collisions... but not
>in a useful way... so for example if someone was sending a message to a
>website saying "I am gordoste, transfer $100 from my account to account
>12345" the hacker can send something else that appears to be from gordoste
>but he has no control over what that something is...

It's worse than that now. For example, http://cryptography.hyperlink.cz/MD5_collisions.html provides a program "pack3" with the following usage:

pack3 file1 file2 file3 file4 file5 file6

This creates two new programs "package1.exe" and "package2.exe" which have the same MD5 hash. However, package1.exe (when executed) will extract files 1-3, whereas package2.exe (when executed) will extract files 4-6 ! (oops)

This does not necessarily make MD5 unsafe for storing salted password hashes, because I think that it is still not possible to determine a plaintext which, when hashed, will produce a given MD5 value. However, since at least /some/ of MD5's security properties have clearly been broken, we really shouldn't be using it for anything new.

Cheers,
PP

gordoste
21/12/2006
10:47:00 PM
very informative, it is worse now... thanks for info :)

 Page 2 of 2. Messages 1 to 20 | 21 to 36
There are 36 messages in this topic.

 

Home | Guide | Gallery | Tech Tips | Articles | Reviews | Dictionary | Forum | Links | About | Search
Chockstone Photography | Landscape Photography Australia | Australian Landscape Photography

Please read the full disclaimer before using any information contained on these pages.



Australian Panoramic | Australian Coast | Australian Mountains | Australian Countryside | Australian Waterfalls | Australian Lakes | Australian Cities | Australian Macro | Australian Wildlife
Landscape Photo | Landscape Photography | Landscape Photography Australia | Fine Art Photography | Wilderness Photography | Nature Photo | Australian Landscape Photo | Stock Photography Australia | Landscape Photos | Panoramic Photos | Panoramic Photography Australia | Australian Landscape Photography | Mothers Day Gifts | Gifts for Mothers Day | Mothers Day Gift Ideas | Ideas for Mothers Day | Wedding Gift Ideas | Christmas Gift Ideas | Fathers Day Gifts | Gifts for Fathers Day | Fathers Day Gift Ideas | Ideas for Fathers Day | Landscape Prints | Landscape Poster | Limited Edition Prints | Panoramic Photo | Buy Posters | Poster Prints