
how to find out if your password has been decrypted



Guest spazi
Posted

Hi guys, Ubuntuforums got hacked yesterday. On that forum I used my main password (dumb, I know)

I have different variations of my password, but I thought: how would I know if my password had been cracked?

I'm guessing ubuntu forums hashed their passwords in md5 unsalted/salted or whatever.

So I encrypted my passwords in ubuntu using the command:

$ echo -n [password] | md5sum

I took the output of that md5hash and ran it against a md5 database online which I use frequently.

http://www.md5decrypter.co.uk/

And yes, my password wasn't strong enough :/

You could try other hash algorithms, but it's a nice way to find out if your password is strong enough or if it's cracked or not. There are several other hash databases to check out.

Posted

Do the Ubuntu forums store in plain md5, or do they use a salt (which I would think they do)? Most every forum software today uses some form of salting; even crappy phpbb I believe uses salts with the passwords, and they aren't stored in plain MD5. If Ubuntu stored them in plain md5, well, pretty much done from that end, as md5 passwords can be cracked pretty quickly when unsalted (and salted if you have enough GPU cracking machines) and under a certain character length, and things like hashcat make even a paltry cuda based netbook GPU capable of cracking md5 passwords easily in a few hours, not to mention the hundreds of online cracking sites that have tables for everything under the sun.

Even salted though, if the site got hacked, attackers could get a copy of their salt and use it to crack the db even quicker, so change all your passwords if you used the same password on more than one site or tied to more than one email or, worst, your home OS. Hashes stored based on more than one salt and a minimum length of 10 or more characters just means it will take longer to crack if it's still md5 based, so length and complexity + salt != more secure, although with md5, the longer and more complex the password was, the better chance of withstanding a cracking session if someone gives up on cracking it because it's taking them too long. Depends on the attacker's patience. It really just comes down to a time tradeoff though and how long someone wants to let it run, with GPU cracking making it take only a few weeks in most cases when not using precomputed tables.

I haven't seen the news on what happened at the Ubuntu site, or how they store their info, but would hope they stored them in some other manner with other mechanisms in place to keep intruders out, and send site wide password resets to end users (although if you used the same password for your email as you did on the site, shit out of luck on that one; make sure you change email passwords before logging back in with new passwords on their site).
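The two posts above describe the same check from two angles: hashing your own password and looking the digest up in a precomputed table, and why a per-user salt defeats such a table. The following script is an added example, not code from either poster or from the Ubuntu forums; it does the lookup locally against a small constructed wordlist (so the hash of your real password is never sent to a third-party site), shows why identical passwords collide without a salt and diverge with one, and contrasts plain MD5 with the kind of iterated, salted hash (PBKDF2-HMAC-SHA256) a password store should use instead. The salted-MD5 construction `MD5(salt || password)` and the wordlist contents are assumptions made for illustration; the thread does not say what vBulletin actually used.

```python
import getpass
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for an online "md5 decrypter" database or a leaked-password wordlist.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "ubuntu", "iloveyou"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 hex digest, identical to `echo -n text | md5sum`."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def salted_md5_hex(text: str, salt: str) -> str:
    """One common salted-MD5 construction, MD5(salt || password).
    Assumption for illustration only; the thread does not name vBulletin's scheme."""
    return hashlib.md5((salt + text).encode("utf-8")).hexdigest()


# A precomputed table hash -> plaintext is all an online MD5 lookup site really is.
MD5_TABLE = {md5_hex(p): p for p in COMMON_PASSWORDS}


def lookup_md5(digest: str) -> Optional[str]:
    """Return the plaintext if the unsalted digest is in the table, else None."""
    return MD5_TABLE.get(digest.strip().lower())


def unsalted_hashes_match(pw_a: str, pw_b: str) -> bool:
    """Without a salt, two users with the same password share one hash,
    so one table entry exposes every account that chose that password."""
    return md5_hex(pw_a) == md5_hex(pw_b)


def salted_hashes_match(pw_a: str, salt_a: str, pw_b: str, salt_b: str) -> bool:
    """With distinct per-user salts the same password yields different hashes,
    so a precomputed table built without the salt cannot match them."""
    return salted_md5_hex(pw_a, salt_a) == salted_md5_hex(pw_b, salt_b)


def check_password_locally(pw: str) -> dict:
    """Local version of the check the first post does online: is the
    unsalted MD5 of this password in the table, and is it short?"""
    digest = md5_hex(pw)
    return {
        "md5": digest,
        "in_wordlist": lookup_md5(digest) is not None,
        "shorter_than_10": len(pw) < 10,
    }


def slow_hash(pw: str, salt: bytes, iterations: int = 200_000) -> str:
    """What a store should do instead of MD5: salted, iterated PBKDF2-HMAC-SHA256.
    Every guess now costs `iterations` HMAC calls instead of one MD5 call."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations).hex()


def verify_slow(pw: str, salt: bytes, stored_hex: str, iterations: int = 200_000) -> bool:
    """Constant-time comparison against a stored PBKDF2 digest."""
    return hmac.compare_digest(slow_hash(pw, salt, iterations), stored_hex)


if __name__ == "__main__":
    # Prompt instead of `echo -n` so the password does not end up in shell history.
    candidate = getpass.getpass("Password to check (not echoed): ")
    print(check_password_locally(candidate))
    print("same pw, no salt, hashes match:", unsalted_hashes_match(candidate, candidate))
    print("same pw, two salts, hashes match:",
          salted_hashes_match(candidate, "a1b2", candidate, "c3d4"))
    salt = os.urandom(16)
    print("PBKDF2 verify:", verify_slow(candidate, salt, slow_hash(candidate, salt)))
```

Running it with `password` reports the digest `5f4dcc3b5aa765d61d8327deb882cf99` as present in the wordlist; a long passphrase is reported absent from this table, which only means it is not in these six entries, not that it is strong in general.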

Guest spazi
Posted

I have different variations of my password. From what I've read today, ubuntu forums used an outdated version of vbulletin, that's how they got hacked. Not sure what algorithm they use, but I posted this "guide" so that if anyone feels they have an insecure password, this is how they could check it.

But yeah, long passwords, uppercase/lowercase and numbers, and the hacker loses patience.

Posted

I was looking at that too today on Ubuntu, and just verifying everywhere else I frequent didn't have the same password. But certainly not good for Canonical....
