Page 1 of 1

Database password crackable! :(

Posted: Fri Apr 08, 2005 12:50 pm
by Beaver6813
OK There is a really big problem with phpbb, everyone thought that the database password encoding was uncrackable, MD5. I was searching through security addons on google when it came up with an md5 cracker :?: I clicked on it, read it, it was on a forum, downloaded it and tried it with my password in my database. It CRACKED IT :cry: :oops:

The program was called MD5 cacker, it uses dictionary attacks, perhaps you guys at phpbb can do something to block it out, maybe change it to a more secure coding in your next update :idea:

Please flame don't me for finding it, i am telling you guys so you know that there is a security problem. Alternatively you could just remind everyone to change to a password that isn't in the dictionary.

Beaver6813 --- SRC Hosting

Posted: Fri Apr 08, 2005 1:18 pm
by dayjah
Hi Beaver, I guess the problem isn't phpbb based. It is anything that is MD5 based. As an ex System admin for a big company I can assure you passwords can always be broken, the question is more how long will it take for it to be broken.

MD5 cracker exists, John the ripper exists (unix passwords), brute force exists and will exist forever!

As a phpBB admin, host it is your task to ensure that people are advised to chose a more interesting password that is not dictionary based.

That said, phpbb could consider integrating a settable option that checks people's password using libcrack / libcrypt (the correct library's name escapes me atm)?

Michael Ossareh

Re: Database password crackable! :(

Posted: Fri Apr 08, 2005 3:44 pm
by nurhendra
Not flaming you, etc but..
Beaver6813 wrote: The program was called MD5 cacker, it uses dictionary attacks,

It means your password exists in the dictionary!
Then the weakness is on your poor choice of words. A good security practice is to not using dictionary words as your password. You can still use some variation of dictionary words (i.e. CapItaLizAtiOn, numb3rl3tt3r5, verylongpassphrase, etc.). While this is not fool proof, a basic dictionary attack will not get your MD5 easily. The cracking program will have to brute force through it for every letter in the word in the phrase.

Also, MD5 Cracker is actually not reversing your MD5 code into cleartext, but guessing cleartext and convert it to MD5, hoping it will match with yours.

Hopefully this will ease your (and everyone's) mind a bit.

Posted: Fri Apr 08, 2005 5:45 pm
by Beaver6813
It converts its list of passwords into md5 hashes, matches it up to the one you gave it. Perhaps something should be added to phpbb to stop you choosing passwords that are in the dictionary.

IE: It tries to hack itself, if it can you have to choose a different password :idea: :?:

Posted: Fri Apr 08, 2005 7:33 pm
by starfoxtj
Dude anyone with just a tiny bit of computer know-how can crack a weak password in seconds.

People need to learn to use strong passwords!

Strong passwords will take YEARS to break.

For example, ill give you a nickle if you can crack this one:

Note: Just so you know, the password is:

Posted: Fri Apr 08, 2005 7:38 pm
by The Techboy
Yea, I've saw the thing. My *old* password here was [decided to remove that when i realised it was my root password somewhere else]...anybody, seriously, with a bit of time could work something like that out.

Again, keep your passwords like that one above and you'll be totally safe from that sorta thing.

Re: Database password crackable! :(

Posted: Sat Apr 09, 2005 1:37 pm
by jwunderly
Beaver6813 wrote: Perhaps something should be added to phpbb to stop you choosing passwords that are in the dictionary.

Are you volunteering to create a mod for this?

Posted: Sat Apr 09, 2005 3:36 pm
by nurhendra
That's a nice idea!
The mod itself should be too hard.
Just when someone clicked on submit, the mod should compare the entered password with a dictionary.
Now, that's the hard part. How to have a good dictionary, and how to make dictionary-password checking less slow.

Posted: Sat Apr 09, 2005 3:42 pm
by DemonBob
Acctually the more feesible option would been when they clicked on submit, check the password, character by charater and if does not have some numbers and atleast one or two other chacter like a $ or a ^ then throw them back to the register page.

Acctually would not be that hard at all, and could add an option in the ACP to turn it on or off....

Posted: Sat Apr 09, 2005 4:03 pm
by nurhendra
Yup! That's a good start.
Maybe in ACP we can enforce a minimum length of password, a requirement to have number and letter (and symbol too?), capitalization, etc.

I guess this topic should then get moved to the MOD discussions, hoping someone with MOD ability to start doing this.

Posted: Fri Sep 09, 2005 12:57 pm
by Beaver6813
Good idea, i might have a go at creating a mod for that problem...

Posted: Fri Sep 09, 2005 2:29 pm
by Riamus
You could easily set up regex for verifying a possible password.

The question is... why? As long as any admins and moderators for the forum are using GOOD passwords, you have nothing to worry about (if a user is hacked, so what?). And, if they aren't... well, it's their own fault. Keep regular backups of your database/files anyhow.

Anyhow, people should just realize that they should pick decent passwords. You don't even HAVE to use numbers or symbols for it to be a very good password. Granted, brute force is more likely to go through the alphabet first and then numbers and then symbols, but even so... a long alpha password that has no dictionary reference would survive all but serious hacking attempts. I'm not saying not to use numbers or symbols... those increase security. I'm just saying that even an alpha password can be quite secure.

People just like easy-to-remember passwords. Many even write them down in a book or a paper and leave that right next to their computers. Heh.

The easy thing to do is just put a warning next to the password stating that it is very easy to hack passwords that are words. For that matter, if you just put text next to it stating it has to be X+ letters long and include at least one number or symbol, most people will follow the text by default even if there wasn't anything to prevent using a 2 letter alpha password, for example.

Having it check wouldn't be bad, if it's configurable by the admin.