|
|
 |
2p2 Hacked. - Page 3 |
 |
1
 |
taco Iceland. Apr 28 2012 15:51. Posts 1793 | | |
| | On April 28 2012 13:28 Highcard wrote:
Show nested quote +
On April 28 2012 03:29 Liquid`Meat wrote:
| | On April 28 2012 03:05 capaneo wrote:
How can you decrypt passwords? I assume they are using an md5 hash. How can a person who is hacking 2p2 of all places can decrypt that? I think that part is just bs.
Can someone who is a more computer savy confirm this one way or the other? |
There are huge lists available in which you can look up the unencrypted version of a md5 encrypted pw, so called rainbow tables. If you don't have an extremely long pw it's likely that your pw appears in that md5 list. So for decent password security it's essential to use a salt, which means that you add an extra sequence before encrypting a pw. If you add something like '1a2a3a4a5a6a7a8a9a' to 'mypw' before encrypting it, you get '1a2a3a4a5a6a7a8a9amypw' which is much less likely to be found in such a list.
|
so you are saying they did not use salt at 2p2? |
Hmm? Liqui'dMeat was just responding to a general inquiry and said nothing at all about anything directly related to 2p2. |
|
| 5
 |
Meat . Apr 29 2012 06:44. Posts 3386 | | |
| | On April 28 2012 14:51 taco wrote:
Show nested quote +
On April 28 2012 13:28 Highcard wrote:
| | On April 28 2012 03:29 Liquid`Meat wrote:
| | On April 28 2012 03:05 capaneo wrote:
How can you decrypt passwords? I assume they are using an md5 hash. How can a person who is hacking 2p2 of all places can decrypt that? I think that part is just bs.
Can someone who is a more computer savy confirm this one way or the other? |
There are huge lists available in which you can look up the unencrypted version of a md5 encrypted pw, so called rainbow tables. If you don't have an extremely long pw it's likely that your pw appears in that md5 list. So for decent password security it's essential to use a salt, which means that you add an extra sequence before encrypting a pw. If you add something like '1a2a3a4a5a6a7a8a9a' to 'mypw' before encrypting it, you get '1a2a3a4a5a6a7a8a9amypw' which is much less likely to be found in such a list.
|
so you are saying they did not use salt at 2p2? |
Hmm? Liqui'dMeat was just responding to a general inquiry and said nothing at all about anything directly related to 2p2. |
Exactly, I have no idea if they did use a proper salt. All I know is that it should not be possible to decrypt a md5 hash so 'decryption' is usually done by looking up the hash in a database.
| |
No. MD5 is not encryption (though it may be used as part of some encryption algorithms), it is a one way hash function. Much of the original data is actually "lost" as part of the transformation.
Think about this: An MD5 is always 128 bits long. That means that there are 2128 possible MD5 hashes. That is a reasonably large number, and yet it is most definitely finite. And yet, there are an infinite number of possible inputs to a given hash function (and most of them contain more than 128 bits, or a measly 16 bytes). So there are actually an infinite number of possibilities for data that would hash to the same value. The thing that makes hashes interesting is that it is incredibly difficult to find two pieces of data that hash to the same value, and the chances of it happening by accident are almost 0.
A simple example for a (very insecure) hash function (and this illustrates the general idea of it being one-way) would be to take all of the bits of a piece of data, and treat it as a large number. Next, perform integer division using some large (probably prime) number n and take the remainder (see: Modulus). You will be left with some number between 0 and n. If you were to perform the same calculation again (any time, on any computer, anywhere), using the exact same string, it will come up with the same value. And yet, there is no way to find out what the original value was, since there are an infinite number of numbers that have that exact remainder, when divided by n.
That said, MD5 has been found to have some weaknesses, such that with some complex mathematics, it may be possible to find a collision without trying out 2128 possible input strings. And the fact that most passwords are short, and people often use common values (like "password" or "secret") means that in some cases, you can make a reasonably good guess at someone's password by Googling for the hash or using a Rainbow table. That is one reason why you should always "salt" hashed passwords, so that two identical values, when hashed, will not hash to the same value.
Once a piece of data has been run through a hash function, there is no going back. |
|
|
| 4
 |
TianYuan  Korea (South). Apr 29 2012 10:31. Posts 6817 | | |
On NoahSD's blog he said the salts used had been compromised as well o.o
| | The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.) |
|
| |
|
| 1
 |
capaneo Canada. Apr 29 2012 22:05. Posts 8465 | | |
| | On April 28 2012 03:29 Liquid`Meat wrote:
Show nested quote +
On April 28 2012 03:05 capaneo wrote:
How can you decrypt passwords? I assume they are using an md5 hash. How can a person who is hacking 2p2 of all places can decrypt that? I think that part is just bs.
Can someone who is a more computer savy confirm this one way or the other? |
There are huge lists available in which you can look up the unencrypted version of a md5 encrypted pw, so called rainbow tables. If you don't have an extremely long pw it's likely that your pw appears in that md5 list. So for decent password security it's essential to use a salt, which means that you add an extra sequence before encrypting a pw. If you add something like '1a2a3a4a5a6a7a8a9a' to 'mypw' before encrypting it, you get '1a2a3a4a5a6a7a8a9amypw' which is much less likely to be found in such a list.
|
thanks meat, that was very informative. |
|
| In US everyone is happy as long as all the prices are rising. Unless its crude oil - Marc Faber | |
|
| 1
 |
50bani Romania. Apr 30 2012 03:37. Posts 4 | | |
| | On April 29 2012 09:31 TianYuan wrote:
On NoahSD's blog he said the salts used had been compromised as well o.o
Show nested quote +
The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.) |
|
Wait a minute, the salt adds a bit of complexity to the password, "a bit more" than what the original password was.
The attack would involve Rainbow Tables, where you run all the common passwords through the hash function and compare the results with the hashes you stole. So all common ones are revealed. The salt makes the problem more difficult, since you would need a much larger rainbow table for all the password with all the salts. In a way all passwords become unique, and more difficult than what the account owner intended.
The only way salts are compromised is if they are reused for multiple accounts, having them in the same file with the hashed passwords is OK. |
|
| 5
|
Meat . Apr 30 2012 04:06. Posts 3386 | | |
| | On April 29 2012 09:31 TianYuan wrote:
On NoahSD's blog he said the salts used had been compromised as well o.o
Show nested quote +
The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.) |
|
Hmm that sucks, the traditional tables are still useless but then they can create a custom rainbow table for 2+2 much easier. |
|
| 1
|
bigredhoss Cook Islands. May 01 2012 15:13. Posts 8649 | | |
it looks like the hacker broke 2+2's will to live, gone forever RIP |
| |
|
| 4
|
TianYuan Korea (South). May 02 2012 08:58. Posts 6817 | | |
Why scare me like that o.o
| | Update May 1st
After closer inspection, it’s now clear to us that the 2 + 2 Forums are more likely to come back to life next week rather than this week even though at this point in time we cannot give a definite date, and all efforts are being made to shorten the amount of downtime as much as possible. Mason will be on the next episode of the PokerCast (being recorded tonight) discussing this, and our May 2+2 Internet Magazine should be up before the weekend.
|
Does not sound like "gone forever".
I really, really wish I remembered what I had made my password for the site so I know if I should be worried --- already changed a few important ones just because, well, no reason not to. Pretty sure I had it set to a useless 2p2 only password tho. |
|
| Hm.. Off-suite socks.. | Last edit: 02/05/2012 08:59 |
|
| 1
|
bigredhoss Cook Islands. May 02 2012 23:00. Posts 8649 | | |
nah gone forever 93% sure |
| |
|
| 1
 |
intown Belgium. May 02 2012 23:49. Posts 121 | | |
2p2 might've been stupid enough to "give away" their hosting account details. i feel that is what happened due to the length of downtime. who the hell has a giant ass site and lets it go offline for days if they properly backed shit up. |
|
| 4
|
TianYuan Korea (South). May 03 2012 00:27. Posts 6817 | | |
| | On May 02 2012 22:49 intown wrote:
2p2 might've been stupid enough to "give away" their hosting account details. i feel that is what happened due to the length of downtime. who the hell has a giant ass site and lets it go offline for days if they properly backed shit up. |
I thought the issue was security -.- |
| |
|
| 1
|
intown Belgium. May 03 2012 03:45. Posts 121 | | |
Probably is but still it's not hard to isolate and plug the problem once you're offline. Unless if the database was fucked up bad. |
|
| 1
|
Skew United States. May 07 2012 15:46. Posts 62 | | |
fwiw even if the site in question takes into account the most recent standards of securing passwords (2+2 didn't because vbulletin is pure shit software), that's still not even close to a guarantee that the attacker can't reveal your passwords. there's just too much computing power available these days. for all of you who use online banking, and poker sites with lots of money, use long mother fucking passwords, make them unique per-site, and if you have the option of using a physical authenticator, GET IT. |
|
| 4
 |
Roald Tuvalu. May 08 2012 18:51. Posts 2683 | | |
This is causing me quite a bit of consternation since my own income has been directly impacted by this downtime  |
|
| drugs, animals, children are welcome -Xavier | |
|
| 1 | |
2+2 was to easy to hack, they should rebrand it to:
this should do it |
| |
|
| 1
 |
2c0ntent Egypt. May 08 2012 21:45. Posts 1387 | | |
| | On May 08 2012 17:51 Roald wrote:
This is causing me quite a bit of consternation since my own income has been directly impacted by this downtime |
increase search engine rank ?_? |
| |
|
| 1 | |
so is 2+2 finished? is anything being done |
|
| Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our light not our darkness that most frightens us and as we let our own lights shine we unconsciously give other people permision to do the same | |
|
| 1
|
intown Belgium. May 09 2012 15:39. Posts 121 | | |
merge this with FTP threads more like |
|
| 1
|
TheTrees United States. May 12 2012 00:04. Posts 1592 | | | |
|
| 1
|
bigredhoss Cook Islands. May 12 2012 00:38. Posts 8649 | | |
i have 3 accounts for 2p2 and no longer have the e-mail addresses to any of them LOL gg |
| |
|
| |
|
|
 Poker Streams | |
|
Contact Users: 805 Active, 0 Logged in - Time: 16:21
,
,
,
,