
Thread: Change your passwords immediately!

  1. #26
    Join Date
    Aug 2007
    Location
    England
    Posts
    1,038
    Mentioned
    0 Post(s)
    Quoted
    6 Post(s)

    Default

    I changed mine, left it as the random gen one and keep myself always logged in so I never have to type my pass in either.
    Today is the first day of the rest of your life

  2. #27
    Join Date
    Jan 2011
    Posts
    335
    Mentioned
    0 Post(s)
    Quoted
    23 Post(s)

    Default

    Speaking of passwords, anyone know a good free brute-force program? I forgot one of my passwords on a file that I encrypted; it's double encrypted and I forgot the first password =/ prob no more than 6-8 digits, second pass is 20+ digits which I remember lol.
    If I see you autoing with level 3/default clothes/crap name I WILL report you. Auto Correctly.

  3. #28
    Join Date
    Jan 2007
    Posts
    8,876
    Mentioned
    123 Post(s)
    Quoted
    327 Post(s)

    Default

    @Wizzup?: So everyone who has access to admincp also has access to all of the forum users' passwords? Seems a bit odd to me :S

  4. #29
    Join Date
    Jan 2011
    Posts
    335
    Mentioned
    0 Post(s)
    Quoted
    23 Post(s)

    Default

    Quote Originally Posted by vashanddou View Post
    Speaking of passwords, anyone know a good free brute-force program? I forgot one of my passwords on a file that I encrypted; it's double encrypted and I forgot the first password =/ prob no more than 6-8 digits, second pass is 20+ digits which I remember lol.
    EDIT: because I'm only getting like 100p/s, 1k would be so much faster =/
    If I see you autoing with level 3/default clothes/crap name I WILL report you. Auto Correctly.

  5. #30
    Join Date
    Feb 2006
    Location
    Amsterdam
    Posts
    13,691
    Mentioned
    146 Post(s)
    Quoted
    130 Post(s)

    Default

    Quote Originally Posted by Zyt3x View Post
    @Wizzup?: So everyone who has access to admincp also has access to all of the forum users' passwords? Seems a bit odd to me :S
    No; it's not like that. They can CHANGE your password but not see or retrieve it. Unless they have access to the plugins which only I and Nielsie95 have. And Enigskai, an IRL mate and admin (because he's root on the server) had access to it. The cracker got in via one admin account (none of those) - found the HTTP auth for admincp in the PM inbox of this same admin. He then changed the password of Enigskai. (The admin was not protected from being modified - admins can change the password of other admins. Don't ask me why). Enigskai had access to the plugins which is basically PHP code. You can write a simple shell with phpBB code, and that's how he got access to the php files. Then you can read the mysql password for the user that owns the srl forums db. (And only the srl forums db). That's how he got the database. So, no. Admins don't have access to your passwords, and even still the passwords are salted and double md5'ed. (ugh, vBulletin again, but it's still somewhat protected if your password is not something like "duck")

    How to prevent this? I'm going to make all the admin accounts non-modifiable. So you can't change a password, or even mail, signature - without asking me. And I can only hope everyone will use a more secure password and not the same one on other sites. And obviously HTTP auth passwords will not be in PM inboxes any more...

    Quote Originally Posted by vashanddou View Post
    EDIT: because I'm only getting like 100p/s, 1k would be so much faster =/
    Well, I know there is John the Ripper, but I don't think it will fit your purposes. Unless you have the hash of the first password - and it doesn't sound like you have. May I suggest using something like EncFS ( http://www.arg0.net/encfs ) in the future?



    The best way to contact me is by email, which you can find on my website: http://wizzup.org
    I also get email notifications of private messages, though.

    Simba (on Twitter | Group on Villavu | Website | Stable/Unstable releases
    Documentation | Source | Simba Bug Tracker on Github and Villavu )


    My (Blog | Website)
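
    Added example, not part of the post above and not vBulletin's own code: one way to harden a table of salted double-MD5 hashes like the one described, by wrapping each stored hash in scrypt so that a later database dump no longer contains any fast hash. The construction md5(md5(password) + salt) is an assumed reading of "salted and double md5'ed"; the function names, row layout, cost parameters and sample users are hypothetical.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this sketch; tune for your hardware).
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)

def legacy_hash(password: str, salt: str) -> str:
    """Assumed reading of 'salted and double md5': md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def wrap(row: dict) -> dict:
    """Upgrade one stored row without knowing the password: the fast legacy
    hash becomes the input of a slow KDF and is then discarded."""
    kdf_salt = os.urandom(16)
    digest = hashlib.scrypt(row["hash"].encode(), salt=kdf_salt, **SCRYPT)
    return {"user": row["user"], "salt": row["salt"],
            "kdf_salt": kdf_salt, "digest": digest}

def verify(password: str, row: dict) -> bool:
    """Check a login attempt against either a legacy or an upgraded row."""
    legacy = legacy_hash(password, row["salt"])
    if "digest" not in row:  # row has not been migrated yet
        return hmac.compare_digest(legacy, row["hash"])
    candidate = hashlib.scrypt(legacy.encode(), salt=row["kdf_salt"], **SCRYPT)
    return hmac.compare_digest(candidate, row["digest"])

def migrate(table: list) -> list:
    """Wrap every legacy row; rows already upgraded pass through unchanged."""
    return [row if "digest" in row else wrap(row) for row in table]

# Constructed sample table (users, salts and passwords are made up).
TABLE = [
    {"user": "alice", "salt": "x7Q", "hash": legacy_hash("duck", "x7Q")},
    {"user": "bob", "salt": "k2!", "hash": legacy_hash("long unique phrase", "k2!")},
]

if __name__ == "__main__":
    upgraded = migrate(TABLE)
    for row in upgraded:
        print(row["user"], "legacy hash kept:", "hash" in row)
    print(verify("duck", upgraded[0]), verify("Duck", upgraded[0]))
```

    Existing logins keep working after the migration because verification recomputes the legacy hash from the typed password before applying scrypt.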

  6. #31
    Join Date
    Jan 2007
    Posts
    8,876
    Mentioned
    123 Post(s)
    Quoted
    327 Post(s)

    Default

    Quote Originally Posted by Wizzup? View Post
    How to prevent this? I'm going to make all the admin accounts non-modifiable. So you can't change a password, or even mail, signature - without asking me. And I can only hope everyone will use a more secure password and not the same one on other sites. And obviously HTTP auth passwords will not be in PM inboxes any more...
    Sounds good to me

  7. #32
    Join Date
    Apr 2007
    Location
    Lithuania
    Posts
    384
    Mentioned
    0 Post(s)
    Quoted
    15 Post(s)

    Default

    Quote Originally Posted by Harry View Post
    Cool, so if I figure out one of your sites I have a 3.84615385% chance to have your password from your other sites on my first guess.

    Just get Keepass or something similar and use a long unique password that you will never forget, and use automatically generated ones per-site.
    This could be a problem when you reinstall your OSes from time to time;o

  8. #33
    Join Date
    Dec 2006
    Location
    Sweden
    Posts
    10,812
    Mentioned
    3 Post(s)
    Quoted
    16 Post(s)

    Default

    Quote Originally Posted by bevardis View Post
    This could be a problem when you reinstall your OSes from time to time;o
    No, you back up that pass vault...


    Send SMS messages using Simba
    Please do not send me a PM asking for help; I will not be able to help you! Post in a relevant thread or make your own! And always remember to search first!

  9. #34
    Join Date
    Oct 2006
    Location
    Netherlands
    Posts
    3,285
    Mentioned
    105 Post(s)
    Quoted
    494 Post(s)

    Default

    Quote Originally Posted by Harry View Post
    No, you back up that pass vault...
    Depending on if the system re-install was out of free will... Unless you meant like keeping it on a USB stick, that would be awesome. Also isn't it possible (if Windows) to just search up the old pass vault in system.old ...
    Working on: Tithe Farmer

  10. #35
    Join Date
    Jan 2011
    Posts
    335
    Mentioned
    0 Post(s)
    Quoted
    23 Post(s)

    Default

    Quote Originally Posted by Wizzup? View Post
    No; it's not like that. They can CHANGE your password but not see or retrieve it. Unless they have access to the plugins which only I and Nielsie95 have. And Enigskai, an IRL mate and admin (because he's root on the server) had access to it. The cracker got in via one admin account (none of those) - found the HTTP auth for admincp in the PM inbox of this same admin. He then changed the password of Enigskai. (The admin was not protected from being modified - admins can change the password of other admins. Don't ask me why). Enigskai had access to the plugins which is basically PHP code. You can write a simple shell with phpBB code, and that's how he got access to the php files. Then you can read the mysql password for the user that owns the srl forums db. (And only the srl forums db). That's how he got the database. So, no. Admins don't have access to your passwords, and even still the passwords are salted and double md5'ed. (ugh, vBulletin again, but it's still somewhat protected if your password is not something like "duck")

    How to prevent this? I'm going to make all the admin accounts non-modifiable. So you can't change a password, or even mail, signature - without asking me. And I can only hope everyone will use a more secure password and not the same one on other sites. And obviously HTTP auth passwords will not be in PM inboxes any more...



    Well, I know there is John the Ripper, but I don't think it will fit your purposes. Unless you have the hash of the first password - and it doesn't sound like you have. May I suggest using something like EncFS ( http://www.arg0.net/encfs ) in the future?
    Well it's some pretty important porn I gotta crack not gonna lie lol, so hopefully I remember the pass one day or find a good pass cracker for the first pass.
    If I see you autoing with level 3/default clothes/crap name I WILL report you. Auto Correctly.

  11. #36
    Join Date
    Sep 2011
    Posts
    6
    Mentioned
    0 Post(s)
    Quoted
    0 Post(s)

    Thumbs up

    Quote Originally Posted by footballjds View Post
    correct

    rainbow tables are used where they take the most common passwords. run 4012 iterations of a specific algorithm compile it into a huge "rainbow table" and then brute force them all.

    for instance WPA2 security: (wiki)


    brute forcing has escalated from change a single letter at a time to just loading a big as table into memory and plowing through it...
    luv me sum rainbow hash
