How to get a user's password?

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
KyferEz
Registered User
Posts: 20
Joined: Tue Jun 28, 2005 7:40 pm

Post by KyferEz »

bronxgodzilla wrote:
KyferEz wrote:
Kevin Clark wrote: Even with the password, you can't get any information outside of what's already in the profile.

And no, there isn't a way to decrypt MD5.
Yes, I can, depending upon the spammer. And, I didn't ask if MD5 could be decrypted. I asked if a MOD would REPLACE the MD5 hash with a reversible encryption. So that the passwords would be stored NOT using MD5, but using a reversible encryption. So the forum would no longer use MD5.


Thank you KyferEz for being precise and practical. Would your proposed Mod's algorithms also serve to recognize patterns of certain spammers, of/to which you were previously alluding? Very interesting. This little ditty alone could have wide-range applications for everyone. -- and make you rich :-)

I'm not interested in making money off of it. I'm pissed at spammers and just want to kill their illegal business empire.

What you suggest for pattern recognizing is another possibility that we have been looking into. There are usually patterns to their registrations, however, they are so broad that it is difficult to match them without also matching valid users.

One of the biggest problems, though, is that spammers keep tabs on anti-spam mods, and analyze them to find ways around them.

So we fight directly. We complain to the websites, place fake orders, reverse engineer any of their software we come across, and find any way we can to make it harder for them to operate.

KyferEz
TheCarPCStore.com Forums - Get help with your CarPC
Electronics Calculators and other useful data
----------------
Kill Spammers - Spam Fighter's Forums <-- DDoSed by spammers from Aug 27, 07 to Sept 10, 07
bronxgodzilla
Registered User
Posts: 65
Joined: Sun Jul 23, 2006 9:38 am

Post by bronxgodzilla »

Just Wonderful -- I just joined your AntiSpam Forum, KyferEz. I think your work should be promoted far and wide!! I cannot wait to try out the Spur -M-enator (software which makes phoney orders to Spammers)!

Maybe you should make a MOD-plugin for PHPBB so everyone on any forum can geometrically heap abuse back at spammers. Hah.
Barry
beatme101
Registered User
Posts: 2866
Joined: Sat Jan 01, 2005 6:20 am
Location: The country cold comes from; Canada.

Post by beatme101 »

bronxgodzilla wrote: Just Wonderful -- I just joined your AntiSpam Forum, KyferEz. I think your work should be promoted far and wide!! I cannot wait to try out the Spur -M-enator (software which makes phoney orders to Spammers)!

Maybe you should make a MOD-plugin for PHPBB so everyone on any forum can geometrically heap abuse back at spammers. Hah.
Barry


You're kidding, right? You willingly joined a forum administrated by someone who is looking for a way to gather his members' passwords? I sure hope the password you signed up with is unique. I definitely wouldn't join a forum like that, and .. most people would agree with me.
bronxgodzilla
Registered User
Posts: 65
Joined: Sun Jul 23, 2006 9:38 am

Post by bronxgodzilla »

beatme101 wrote:
bronxgodzilla wrote: Just Wonderful -- I just joined your AntiSpam Forum, KyferEz. I think your work should be promoted far and wide!! I cannot wait to try out the Spur -M-enator (software which makes phoney orders to Spammers)!

Maybe you should make a MOD-plugin for PHPBB so everyone on any forum can geometrically heap abuse back at spammers. Hah.
Barry


You're kidding, right? You willingly joined a forum administrated by someone who is looking for a way to gather his members' passwords? I sure hope the password you signed up with is unique. I definitely wouldn't join a forum like that, and .. most people would agree with me.


Truly I am amazed at your super-low expectations of your fellow man :(

Have you even bothered to look at Ky's site and form a hands on opinion? Have you even tried to check out KyferEz's history of helping others? And, no, I do not think your opinion is shared by many others.
KyferEz
Registered User
Posts: 20
Joined: Tue Jun 28, 2005 7:40 pm

Post by KyferEz »

beatme101 wrote: You're kidding, right? You willingly joined a forum administrated by someone who is looking for a way to gather his members' passwords? I sure hope the password you signed up with is unique. I definitely wouldn't join a forum like that, and .. most people would agree with me.
First, you shouldn't use any password on ANY forum, webmail account, etc. that could potentially be used against you. I hope, for your part, that the password you use for that sort of thing would be completely different from those you might use for online banking.

Second, I don't yet have a mod like that, so it's not yet an issue.

Third, Thank you bronxgodzilla. If anyone checked me out in any simple search, you could find out easily that I'm not the enemy. And even if you were worried that much about the password thing, DON'T register. You can still use the Firefox extensions or other tools and fight the spam.

Fourth, if I ever change the forums so I can view users' passwords, I would only do so to spammers. I'm not "gather[ing my] members' passwords". It would be an aid to fighting spammers, by collecting SPAMMERS' passwords, not our typical users'.

Fifth, I don't see why you are so concerned. Many of the websites you register on likely use a reversible encryption, and just don't tell you about it. The only difference here is you know I might in the future do so and are able to express your opinion of it.

Sixth, if I need to figure out any user's password, I can run a dictionary attack against it. If that doesn't work, I can brute force attack it and get it. The only difference with reversible encryption is that it would be easier and quicker for me to do.

Seventh, the password would still be secure. Possibly even more so, if I don't expose what sort of encryption was used and I use greater than 128-bit encryption and I salt each encryption with a pseudo-random data string that wouldn't be available to anyone who simply gained access to the database. Decrypting that would be a bit harder than a brute force attack against an MD5 hash.

KyferEz
KyferEz
Registered User
Posts: 20
Joined: Tue Jun 28, 2005 7:40 pm

Post by KyferEz »

And this is the sort of thing you can do when you have a spammer's real password:

http://forum.drc.su/tired-of-faggots-ow ... t3852.html

Oh, and that guy had a better way - Just catch all passwords during registration BEFORE they have been MD5 hashed. Any registrations detected as a spammer can be automatically emailed to me, thus preserving the integrity of the regular user's passwords, but letting me get those of the spammers.

KyferEz
bronxgodzilla
Registered User
Posts: 65
Joined: Sun Jul 23, 2006 9:38 am

Post by bronxgodzilla »

Nice Work!!
You know, a linux/perl guru programmer friend of mine actually tried to warn me away from phpbb2 citing what he thought as incredible insecurity, etc. I don't think he really sees the incredible versatility of phpbb, though, or is up to date with all the work put in making it a better product. However, I added security to my forum with Mosaic's old NCSA .htaccess & .htpasswd set at the httpd.conf level -- works for me and the small number of attendees as a closed community & keeps confidentiality within; in 6 months have not had a single "guest" -- but I never say never in cases like this & would love to hear more about the anti-spambot script you use. I would suppose the script is timing the registration, i.e. within a certain parameter = bot registration, etc.?

Perhaps the reason 75% of the planet's bandwidth now carries spam is because 70% of the population is passive about it -- just delete and get a new email address, etc., as I have done several times. Is why I thought putting in Anti-Spam programs as plugins to the phpBB could start getting thousands of people more "active" to making it more expensive to be a spammer; the less profitable it becomes the less it will be done.
KyferEz
Registered User
Posts: 20
Joined: Tue Jun 28, 2005 7:40 pm

Post by KyferEz »

I have a multitude of mods on my forums. However, they do not yet always catch 100% of the spammers. They do catch *most* spam-bots, but it's nearly impossible to catch those spammers registering manually. They will register manually when they can't register using the bots, in an attempt to figure out what is going on.

Several of the MODs I use are standard mods available here. I prefer not to list them in public, as this will make it easier for spammers to bypass.

I also have a bit of custom coding on registration that works with another standard MOD available here. But like I said, I don't want it obvious what I'm doing, as this will ruin the effectiveness of them if the spammers find out. And, since I make it a daily routine to anger them, I wouldn't be surprised if they keep track of me.

Currently, the key to any good anti-spam-bot mods is custom written scripts and randomness, particularly to the registration page.

KyferEz
_underscore_
Registered User
Posts: 575
Joined: Sat Nov 05, 2005 3:20 pm
Location: Central USA

Post by _underscore_ »

If you have access to the database, can't you simply compare MD5 hashes? This has been discussed before - there is no reason to try and get user's passwords.
Marshalrusty
Project Manager
Posts: 29284
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Post by Marshalrusty »

As has been said, there is no reason to attempt to get a user's password apart from malicious intent. In terms of spam prevention, a hashed password is just as good as an unhashed password. Simply hash the password provided by the user during registration (phpBB does this anyway) and compare it to your records of spam accounts' passwords.

With that said, nobody here is going to help you with something that will most likely be used for malicious purposes.
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs
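
The hash comparison that _underscore_ and Marshalrusty describe, as an added example that is not part of the thread or of phpBB's own code: the submitted password is hashed at registration and only hashes are compared, so no plaintext is ever stored. The function names, the `password_hash` field and the sample passwords are constructed for illustration; the salted PBKDF2 variant goes beyond the thread to show how the same check works when equal passwords no longer produce equal hashes.

```python
import hashlib
import hmac
import os

def phpbb2_hash(password: str) -> str:
    # phpBB 2.0.x stored the unsalted MD5 of the password as 32 hex characters.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed sample data: stored hashes copied from accounts already banned
# as spam. No plaintext is kept anywhere.
BANNED_MD5 = {phpbb2_hash(p) for p in ("constructed-spam-pw-1", "constructed-spam-pw-2")}

def review_registration(username: str, password: str) -> dict:
    """Hash at registration, then compare hashes. Returns the row to store."""
    digest = phpbb2_hash(password)
    flagged = any(hmac.compare_digest(digest, banned) for banned in BANNED_MD5)
    return {"username": username, "password_hash": digest, "hold_for_review": flagged}

def salted_record(password: str, iterations: int = 100_000) -> tuple:
    """Per-user salted PBKDF2 record, as a modern board would store it."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, derived

def matches_banned_salted(password: str, banned_records: list) -> bool:
    """With salts, equal passwords give different hashes, so the submitted
    password is re-derived against each banned record while it is in memory."""
    hit = False
    for salt, iterations, derived in banned_records:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
        hit |= hmac.compare_digest(candidate, derived)
    return hit

if __name__ == "__main__":
    print(review_registration("new_user", "constructed-spam-pw-2"))
    print(review_registration("regular", "a-different-constructed-pw"))
    banned = [salted_record("constructed-spam-pw-1")]
    print(matches_banned_salted("constructed-spam-pw-1", banned))
```

The unsalted lookup is a single set comparison; the salted check costs one key derivation per banned record, which is the price of storing hashes that cannot be matched across accounts.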