Database password crackable! :(

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
Locked
Beaver6813
Registered User
Posts: 3
Joined: Fri Apr 08, 2005 12:42 pm
Location: England
Contact:

Database password crackable! :(

Post by Beaver6813 » Fri Apr 08, 2005 12:50 pm

OK There is a really big problem with phpbb, everyone thought that the database password encoding was uncrackable, MD5. I was searching through security addons on google when it came up with an md5 cracker :?: I clicked on it, read it, it was on a forum, downloaded it and tried it with my password in my database. It CRACKED IT :cry: :oops:

The program was called MD5 cacker, it uses dictionary attacks, perhaps you guys at phpbb can do something to block it out, maybe change it to a more secure coding in your next update :idea:

Please flame don't me for finding it, i am telling you guys so you know that there is a security problem. Alternatively you could just remind everyone to change to a password that isn't in the dictionary.

Beaver6813 --- SRC Hosting www.srchosting.com

dayjah
Registered User
Posts: 6
Joined: Fri Apr 08, 2005 12:08 pm

Post by dayjah » Fri Apr 08, 2005 1:18 pm

Hi Beaver, I guess the problem isn't phpbb based. It is anything that is MD5 based. As an ex System admin for a big company I can assure you passwords can always be broken, the question is more how long will it take for it to be broken.

MD5 cracker exists, John the ripper exists (unix passwords), brute force exists and will exist forever!

As a phpBB admin, host it is your task to ensure that people are advised to chose a more interesting password that is not dictionary based.

That said, phpbb could consider integrating a settable option that checks people's password using libcrack / libcrypt (the correct library's name escapes me atm)?

--
dayjah
Michael Ossareh

nurhendra
Registered User
Posts: 144
Joined: Mon Feb 28, 2005 5:03 pm
Location: Jakarta

Re: Database password crackable! :(

Post by nurhendra » Fri Apr 08, 2005 3:44 pm

Not flaming you, etc but..
Beaver6813 wrote: The program was called MD5 cacker, it uses dictionary attacks,


It means your password exists in the dictionary!
Then the weakness is on your poor choice of words. A good security practice is to not using dictionary words as your password. You can still use some variation of dictionary words (i.e. CapItaLizAtiOn, numb3rl3tt3r5, verylongpassphrase, etc.). While this is not fool proof, a basic dictionary attack will not get your MD5 easily. The cracking program will have to brute force through it for every letter in the word in the phrase.

Also, MD5 Cracker is actually not reversing your MD5 code into cleartext, but guessing cleartext and convert it to MD5, hoping it will match with yours.

Hopefully this will ease your (and everyone's) mind a bit.
:)

Beaver6813
Registered User
Posts: 3
Joined: Fri Apr 08, 2005 12:42 pm
Location: England
Contact:

Post by Beaver6813 » Fri Apr 08, 2005 5:45 pm

It converts its list of passwords into md5 hashes, matches it up to the one you gave it. Perhaps something should be added to phpbb to stop you choosing passwords that are in the dictionary.

IE: It tries to hack itself, if it can you have to choose a different password :idea: :?:

starfoxtj
Registered User
Posts: 3714
Joined: Tue Jul 29, 2003 2:01 am
Contact:

Post by starfoxtj » Fri Apr 08, 2005 7:33 pm

Dude anyone with just a tiny bit of computer know-how can crack a weak password in seconds.

People need to learn to use strong passwords!

Strong passwords will take YEARS to break.

For example, ill give you a nickle if you can crack this one:
932e50e29edbb2e51416d7915a9ce186


Note: Just so you know, the password is:
9Vbbv'*v(.WLn&"nq!O#
Admin ToolKit v2.1a - An Admins most helpful tool for user management. Now Supports Mass User Deletion!
Change User's: names, passwords, emails, active status and avatar/pm permissions.
Ban/Unban Users, change Post and Resync Counts, and promote/demote users to admin.
Completely independent from your phpbb user account settings. No installation required, just upload one file.
User Upload ToolKit Beta - A quick and easy, 30 second-install, attachment mod. Now Supports Dynamic Thumbnails!

The Techboy
Registered User
Posts: 207
Joined: Tue May 04, 2004 7:37 pm

Post by The Techboy » Fri Apr 08, 2005 7:38 pm

Yea, I've saw the thing. My *old* password here was [decided to remove that when i realised it was my root password somewhere else]...anybody, seriously, with a bit of time could work something like that out.

Again, keep your passwords like that one above and you'll be totally safe from that sorta thing.
Eat recycled food. It's good for the environment and OK for you.

User avatar
jwunderly
Registered User
Posts: 5740
Joined: Sun Mar 30, 2003 2:18 pm
Location: Easton, PA (in the groove)

Re: Database password crackable! :(

Post by jwunderly » Sat Apr 09, 2005 1:37 pm

Beaver6813 wrote: Perhaps something should be added to phpbb to stop you choosing passwords that are in the dictionary.


Are you volunteering to create a mod for this?
John (A cranky old man. "Looking for an echo ...")
using any control-panel install/update is like shooting yourself in the foot. It won't kill you, but you're really going to hobble around until it heals.
Using the wrong tools (Front Page, DreamWeaver) gives the same results
Do not PM me for Support!

nurhendra
Registered User
Posts: 144
Joined: Mon Feb 28, 2005 5:03 pm
Location: Jakarta

Post by nurhendra » Sat Apr 09, 2005 3:36 pm

That's a nice idea!
The mod itself should be too hard.
Just when someone clicked on submit, the mod should compare the entered password with a dictionary.
Now, that's the hard part. How to have a good dictionary, and how to make dictionary-password checking less slow.
Hmm..

DemonBob
Registered User
Posts: 226
Joined: Thu Jan 15, 2004 7:04 pm
Location: Louisiana, United States
Contact:

Post by DemonBob » Sat Apr 09, 2005 3:42 pm

Acctually the more feesible option would been when they clicked on submit, check the password, character by charater and if does not have some numbers and atleast one or two other chacter like a $ or a ^ then throw them back to the register page.

Acctually would not be that hard at all, and could add an option in the ACP to turn it on or off....

nurhendra
Registered User
Posts: 144
Joined: Mon Feb 28, 2005 5:03 pm
Location: Jakarta

Post by nurhendra » Sat Apr 09, 2005 4:03 pm

Yup! That's a good start.
Maybe in ACP we can enforce a minimum length of password, a requirement to have number and letter (and symbol too?), capitalization, etc.

I guess this topic should then get moved to the MOD discussions, hoping someone with MOD ability to start doing this.
:)

Beaver6813
Registered User
Posts: 3
Joined: Fri Apr 08, 2005 12:42 pm
Location: England
Contact:

Post by Beaver6813 » Fri Sep 09, 2005 12:57 pm

Good idea, i might have a go at creating a mod for that problem...

Riamus
Registered User
Posts: 886
Joined: Tue Jun 21, 2005 7:40 pm

Post by Riamus » Fri Sep 09, 2005 2:29 pm

You could easily set up regex for verifying a possible password.

The question is... why? As long as any admins and moderators for the forum are using GOOD passwords, you have nothing to worry about (if a user is hacked, so what?). And, if they aren't... well, it's their own fault. Keep regular backups of your database/files anyhow.

Anyhow, people should just realize that they should pick decent passwords. You don't even HAVE to use numbers or symbols for it to be a very good password. Granted, brute force is more likely to go through the alphabet first and then numbers and then symbols, but even so... a long alpha password that has no dictionary reference would survive all but serious hacking attempts. I'm not saying not to use numbers or symbols... those increase security. I'm just saying that even an alpha password can be quite secure.

People just like easy-to-remember passwords. Many even write them down in a book or a paper and leave that right next to their computers. Heh.

The easy thing to do is just put a warning next to the password stating that it is very easy to hack passwords that are words. For that matter, if you just put text next to it stating it has to be X+ letters long and include at least one number or symbol, most people will follow the text by default even if there wasn't anything to prevent using a 2 letter alpha password, for example.

Having it check wouldn't be bad, if it's configurable by the admin.
Kakkoii Translation Team
格好いい 翻訳

Locked

Return to “2.0.x Support Forum”