security of passwords

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
yair24
Registered User
Posts: 28
Joined: Thu Aug 14, 2003 2:35 pm

security of passwords

Post by yair24 »

hello,
I have a theoretical question regarding the passwords of the members in phpBB forums.
I know the passwords are encrypted in the database.
Is there any way (even theoretically) to decrypt the passwords, or is it irreversible?

Yair
NeoThermic
Security Consultant
Posts: 2141
Joined: Thu Dec 25, 2003 1:33 am
Location: United Kingdom
Contact:

Post by NeoThermic »

It's MD5.
MD5 is a one-way hash, i.e. there is no way to decrypt it bar brute-forcing it.
This is covered in one of the KB articles:
http://www.phpbb.com/kb/article.php?article_id=40

NeoThermic
NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
CLee
Registered User
Posts: 511
Joined: Fri Nov 23, 2001 2:42 pm

Post by CLee »

The MD5 hash is one way. The only way to "decrypt" it would be through a brute force attack where you check every possible combination.
Carlos Myers
A+, Network+
Member - Star Wars Roleplaying Club
yair24
Registered User
Posts: 28
Joined: Thu Aug 14, 2003 2:35 pm

Post by yair24 »

this is exactly what I thought!! :)

thank you :)
Saubloed
Registered User
Posts: 42
Joined: Fri Aug 24, 2001 2:56 pm
Location: Germany
Contact:

Post by Saubloed »

I wrote (two weeks ago) to the creator of this text and he corrected it:
doing something like this on a long enough string would take years


If you have a password with only 4 or 5 characters, it will take only some seconds to brute-force it.
Athlon 1.53 GHz: 5 080 455 MD5 hashes/second with MDcrack.
Draegonis
Former Team Member
Posts: 3950
Joined: Mon Apr 22, 2002 3:12 pm
Location: Kµlt øƒ Ø
Contact:

Post by Draegonis »

Saubloed wrote: I wrote (two weeks ago) to the creator of this text and he corrected it:
doing something like this on a long enough string would take years


If you have a password with only 4 or 5 characters, it will take only some seconds to brute-force it.
Athlon 1.53 GHz: 5 080 455 MD5 hashes/second with MDcrack.


I, er, think not.
A_Jelly_Doughnut
Former Team Member
Posts: 34457
Joined: Sat Jan 18, 2003 1:26 am
Location: Where the Rivers Run
Contact:

Post by A_Jelly_Doughnut »

I can see that if the password is like "love" but not if it is "$eV&A". If you use a four or five character password, though, shame on you. I don't think I have a single password less than ten characters, and I still consider some of them weak.
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish
SLSTEK
Registered User
Posts: 36
Joined: Sat Aug 17, 2002 1:45 pm
Location: 1001001000001100
Contact:

Post by SLSTEK »

** been using alpha-numeric pass-phrases with special separators for years now and they are not too painful, but considerably less painful than having critical information breached **
Help, at least do no harm.
Outofmymindyo
Former Team Member
Posts: 1310
Joined: Mon Jul 22, 2002 3:13 am
Location: Japan...SUSHI TIME!
Contact:

Post by Outofmymindyo »

Saubloed wrote: If you have a password with only 4 or 5 characters, it will take only some seconds to brute-force it.


Actually, brute force of a 3-letter password (no numbers or special characters) would take anywhere from a few weeks to a few months to crack. I've done the research, simply because I needed to get a password out of my FTP program that I couldn't remember. Brute forcing takes a VERY long time because of the amount of combinations it checks, and is therefore basically useless to the everyday hacker/cracker.
zayin
Registered User
Posts: 712
Joined: Mon Jun 16, 2003 12:01 am
Location: Middletown, America
Contact:

Post by zayin »

There are 52 * 52 * 52 = 140608 possible three letter passwords (upper and lower case included). There are 24 * 60 * 60 = 86400 seconds in a day. That means it would only take around 1.6 days to crack a three-letter password if you could only check one password per second. The md5 algorithm is much faster than that. Even if you're talking about waiting around 10 seconds to get a response from a remote host, it would still only take about 16 days max to crack a three-letter password.
"You can only find the truth with logic if you have already found the truth without it."
Custom Profiles MOD: add and manage profile fields
Saubloed
Registered User
Posts: 42
Joined: Fri Aug 24, 2001 2:56 pm
Location: Germany
Contact:

Post by Saubloed »

From the "All about passwords" website:
At 100,000 passwords per second
password length / charset -> time
4 / 96 (all printable) -> 13 minutes
5 / 96 (all printable) -> 22 hours


Source: http://lastbit.com/psw.asp

MDcrack benchmarks:
Athlon 1.53 GHz -> 5 080 455 passwords per second


Source: http://mdcrack.df.ru/pf.html

http://mdcrack.df.ru/
Last edited by Saubloed on Sat Jan 10, 2004 3:04 pm, edited 1 time in total.
psoTFX
Former Team Member
Posts: 7425
Joined: Tue Jul 03, 2001 8:50 pm

Post by psoTFX »

And?
Saubloed
Registered User
Posts: 42
Joined: Fri Aug 24, 2001 2:56 pm
Location: Germany
Contact:

Post by Saubloed »

Passwords up to 6 characters (all printable charset) can be brute-forced within an hour even with machines that are not up to date.

Combined with other problems (an insecure browser like Internet Explorer, a phpBB version that is not up to date, or using the same password for everything) it is very dangerous.
MrYoop
Registered User
Posts: 99
Joined: Sat Dec 27, 2003 1:02 pm
Location: Wisconsin, USA

Post by MrYoop »

Actually no.

According to that chart you supplied,

a 6-character password would take up to 3 months,

due to the fact that phpBB uses all printable characters for passwords.


Also as a side note: I personally do not have one password that is less than 16 characters. They all use every type of printable character, and also do not even hint at forming any word/phrase.

And that is what I suggest to everyone who is worried about their passwords to do.
MrYoop
I Yoop ... So You Don't Have To!
Novice Supporter Not Provided over PM!
Always Backup & Save!!!
<!-- News: Use Of Support Template Speeds Up Support!! --!>
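The arithmetic zayin posted (52^3 three-letter passwords at one guess per second), the lastbit chart Saubloed quoted, Saubloed's "within an hour" claim and the "3 months" figure MrYoop reads from the same chart all come down to one calculation: keyspace divided by hash rate. The script below works that calculation through for the thread's own numbers and then actually brute-forces a short unsalted MD5 hash of the kind phpBB 2.0.x stores in its users table (phpBB 2.0.x stores md5(password) with no salt). This is an added example, not code from phpBB or from anyone in the thread; the hash rates are the figures quoted above, while the function names, the 96-symbol "printable" charset size and the sample target hash (md5 of the constructed password "abc") are this example's own assumptions.

```python
"""Brute-force cost of unsalted MD5 password hashes, as phpBB 2.0.x stores them.

Added example for this thread, not code from phpBB or from any poster.
The hash rates are the thread's own figures (100,000/s from the lastbit
chart, 5,080,455/s from the MDcrack Athlon benchmark); the function names,
the 96-symbol "printable" charset size and the sample target hash are
this example's constructions.
"""
import hashlib
import itertools
import string

LETTERS = string.ascii_letters      # 52 symbols: zayin's "upper and lower case" letters
PRINTABLE = 96                      # "all printable" charset size, as in the lastbit chart

RATE_LASTBIT_CHART = 100_000        # hashes per second assumed by the lastbit chart
RATE_MDCRACK_ATHLON = 5_080_455     # MDcrack benchmark on an Athlon 1.53 GHz, as quoted


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def keyspace_up_to(charset_size: int, max_length: int) -> int:
    """Candidates of 1..max_length characters; a cracker that does not know
    the length has to cover all of them, not just the longest."""
    return sum(keyspace(charset_size, n) for n in range(1, max_length + 1))


def worst_case_seconds(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Seconds to exhaust every candidate of exactly `length` characters.
    The expected time to hit one particular password is half of this."""
    return keyspace(charset_size, length) / hashes_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def md5_hex(password: str) -> str:
    """The transformation phpBB 2.0.x applies before storing a password:
    plain MD5 of the password, no salt, hex encoded."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def brute_force_md5(target_hex: str, charset: str, max_length: int):
    """Try every string of 1..max_length characters from `charset` until one
    hashes to target_hex. Returns (password, candidates_tried); the password
    is None if the keyspace was exhausted without a match."""
    tried = 0
    for length in range(1, max_length + 1):
        for chars in itertools.product(charset, repeat=length):
            tried += 1
            candidate = "".join(chars)
            if md5_hex(candidate) == target_hex:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    print(f"{'len':>3} {'charset':>7} {'@100,000/s':>14} {'@5,080,455/s':>14}")
    for length in (3, 4, 5, 6):
        for size in (len(LETTERS), PRINTABLE):
            slow = human(worst_case_seconds(size, length, RATE_LASTBIT_CHART))
            fast = human(worst_case_seconds(size, length, RATE_MDCRACK_ATHLON))
            print(f"{length:>3} {size:>7} {slow:>14} {fast:>14}")

    # Constructed target: md5("abc"). A user_password column in a phpBB 2.0.x
    # users table holds values of exactly this shape.
    target = "900150983cd24fb0d6963f7d28e17f72"
    password, tried = brute_force_md5(target, LETTERS, 3)
    print(f"recovered {password!r} after {tried} candidates "
          f"(keyspace for 1..3 letters: {keyspace_up_to(len(LETTERS), 3)})")
```

Running it prints the worst-case exhaust time for each length and charset; halve a figure for the expected time to hit one particular password. Because phpBB 2.0.x hashes carry no salt, one pass over the keyspace can be compared against every hash in a dumped users table at once, and precomputed tables of md5(password) apply directly, so the per-hash figures above are an upper bound on the attacker's effort, not a lower one.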
SLSTEK
Registered User
Posts: 36
Joined: Sat Aug 17, 2002 1:45 pm
Location: 1001001000001100
Contact:

Post by SLSTEK »

** just love that avatar, you must work for SCO :) **
Help, at least do no harm.