
Geek Culture / Warning for all those with a Dreamhost account...

Nicholas Thompson
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 8th Jun 2007 12:18
http://www.dreamhoststatus.com/2007/06/06/security-breach/

Basically, it looks like they store your password in plain text (otherwise, how would the intruder have gained access to the passwords).

PowerSoft
Joined: 10th Oct 2004
Location: United Kingdom
Posted: 8th Jun 2007 12:21
Someone screwed that one up...

The Innuendo's, 4 Piece Indie Rock Band
http://theinnuendos.tk:::http://myspace.com/theinnuendosrock
Jess T
Retired Moderator
Joined: 20th Sep 2003
Location: Over There... Kablam!
Posted: 8th Jun 2007 14:37 Edited at: 8th Jun 2007 14:37
They didn't necessarily store passwords in plain text. They only gained access to them.

Now that they have them, if they have the right software and a spare PC, they can start cracking them one-by-one to get access.
I think it's possible to do a successful dictionary attack on an MD5#'d password in under 10 minutes now

Nintendo DS & Dominos :: DS Dominos
http://jt0.org
indi
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 8th Jun 2007 14:37
Depending on the character length, yes.

Benjamin
Joined: 24th Nov 2002
Location: France
Posted: 8th Jun 2007 15:16
Quote: "I think it's possible to do a successful dictionary attack on an MD5#'d password in under 10 minutes now"

Is that something to be happy about?

Tempest (DBP/DBCe)
Multisync V1 (DBP/DBCe)
Nicholas Thompson
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 8th Jun 2007 15:43
They say:
Quote: "From our web panel they were able to access individual user password information"


That basically must mean 1 of 2 things:
1) They know the question and answer to your security question.
2) They got your password. The only way to get your password is if it's either stored in plain text or using a reversible decryption technique (like an XOR pattern or something).

If it's 1 - then Dreamhost SHOULDN'T be displaying the answer.
If it's 2 - then shame on Dreamhost for exercising such shoddy security measures.

Then again - you get what you pay (or in this case, don't pay) for.

Silvester
Joined: 7th Dec 2005
Location: Netherlands
Posted: 8th Jun 2007 16:00
If I may ask, what is DreamHost anyway?
Nicholas Thompson
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 8th Jun 2007 16:13
Google is your friend...
http://www.dreamhost.com/

bitJericho
Joined: 9th Oct 2002
Location: United States
Posted: 8th Jun 2007 16:16
Quote: "That basically must mean 1 of 2 things:
1) They know the question and answer to your security question.
2) They got your password. The only way to get your password is if it's either stored in plain text or using a reversible decryption technique (like an XOR pattern or something)."


Well, one way md5 hashes are cracked via brute force. Like Jess T noted, in under 10 minutes.

John Y
Synergy Editor Developer
Joined: 4th Sep 2002
Location: UK
Posted: 8th Jun 2007 18:09
Doesn't MD5 work one way though, meaning you can convert a string into a checksum, but not back again?

I know my friend who is doing Cryptography at Masters Level was telling me about one way encryption.

Get the new DarkBasic Professional IDE for only $19.99/~£9.85
Http://synergyide.thegamecreators.com
Http://www.digitalzenith.net
bitJericho
Joined: 9th Oct 2002
Location: United States
Posted: 8th Jun 2007 18:15
Yes, but with brute force, you run a huge file (talking gigs here) of possible password combinations. You check the md5 hash in the dictionary file against the md5 hash in your database. If they match, you've got a password.

(This is well known stuff, which is why I'm posting it here.) There's only one truly secure method of encryption. The one time pad But it wouldn't really work for this type of use.

John Y
Synergy Editor Developer
Joined: 4th Sep 2002
Location: UK
Posted: 8th Jun 2007 18:18
Quote: "Yes, but with brute force, you run a huge file (talking gigs here) of possible password combinations. You check the md5 hash in the dictionary file against the md5 hash in your database. If they match, you've got a password."


Ah, well they wouldn't break my password then; the chances of it being generated are very small.

bitJericho
Joined: 9th Oct 2002
Location: United States
Posted: 8th Jun 2007 18:20 Edited at: 8th Jun 2007 18:22
The dictionary is generally created programmatically, with all possible password combinations up to x number of characters.

Your password I guarantee is in the dictionary

But you got the idea, a smaller dictionary (ie, faster but less likely to hit the password) may miss your password if it is complex.

Nicholas Thompson
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 8th Jun 2007 18:30
Jerico - that's partially true. It's not a GUARANTEED match.

Due to the way MD5 works (and I don't know the DETAILS - however from a logical perspective), you're generating a 32 hex character hash based on whatever the input is.

32 Hex characters is about 3.4 x 10^38. But that's only 32 HIGHLY limited characters. Imagine how many combinations there would be if, instead of 16 variants for each column, you had 92 (26 upper, 26 lower, 10 number and 30 character) variables.

If you take two 32 character ASCII strings and MD5 them - with the right two combinations of strings - you WILL logically get the same hash (maybe even for 3, 4 or more strings too).

What makes it worse is that SO many people base their password on a dictionary word just to make their life easy. A modern computer can iterate through the oxford dictionary and create MD5's of them in next to no time. As Jess said - 10 minutes for a standard dictionary attack.

But a reverse MD5 lookup is still no guarantee.

the_winch
Joined: 1st Feb 2003
Location: Oxford, UK
Posted: 8th Jun 2007 18:47 Edited at: 8th Jun 2007 20:33
Quote: "What makes it worse is that SO many people base their password on a dictionary word just to make their life easy. A modern computer can iterate through the oxford dictionary and create MD5's of them in next to no time. As Jess said - 10 minutes for a standard dictionary attack."


Which is why you should salt passwords.
http://en.wikipedia.org/wiki/Salt_(cryptography)

By way of demonstration, he emitted a batlike squeak that was indeed bothersome.
bitJericho
Joined: 9th Oct 2002
Location: United States
Posted: 8th Jun 2007 18:48 Edited at: 8th Jun 2007 18:53
[edit]JYNX![/edit]

I won't disagree. Another way to limit the effectiveness of a dictionary hack is to use salt before generating the MD5 to store or compare in the database. This way, the password is not mypassword55 that the user enters.. It would be something completely different.

http://en.wikipedia.org/wiki/Salt_(encryption)

So if the hacker were to get at the database, he might find that the md5 reverses to "somekindagarbagepassword", and if he tries to enter that on the site, it wouldn't work

I say, genius

This of course, would fail, if the hacker knows how you're salting the password, so to speak^.^
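An added example (not code from any poster in this thread) putting the two points of the last few posts together: an unsalted MD5 of a common password is recovered by a single lookup in a precomputed table, while the same password stored with a per-user random salt is not in that table. The wordlist is a constructed toy stand-in for the "huge dictionary file" described above; `hash_salted`, `new_user_record` and `verify` are names chosen here.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for a multi-gigabyte dictionary file.
WORDLIST = ["password", "letmein", "mypassword55", "dreamhost", "qwerty"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup(words):
    """Precompute hash -> word, which is all a 'reverse MD5' table is."""
    return {md5_hex(w.encode()): w for w in words}


def lookup_unsalted(stored_hash: str, table: dict):
    """Unsalted MD5: every user with the same password has the same hash,
    so one table lookup answers for all of them. Returns None on a miss."""
    return table.get(stored_hash)


def hash_salted(password: str, salt: bytes) -> str:
    """Salted MD5 as the thread suggests: hash(salt || password).
    The salt is not secret; it is stored next to the hash, and its job is
    to make every stored hash unique so precomputed tables do not apply.
    (Today a slow password hash such as bcrypt/scrypt/Argon2 is used instead.)"""
    return md5_hex(salt + password.encode())


def new_user_record(password: str) -> dict:
    salt = os.urandom(16)  # fresh random salt per user, not one site-wide value
    return {"salt": salt.hex(), "hash": hash_salted(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    calc = hash_salted(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(calc, record["hash"])  # constant-time compare


def demo():
    table = build_lookup(WORDLIST)
    hit = lookup_unsalted(md5_hex(b"mypassword55"), table)   # found: "mypassword55"
    rec = new_user_record("mypassword55")
    miss = lookup_unsalted(rec["hash"], table)                # not in the table: None
    return hit, miss, verify(rec, "mypassword55"), verify(rec, "wrong")


if __name__ == "__main__":
    print(demo())
```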
